Using Actions From the Marketplace
You rarely script everything by hand - the Marketplace gives you thousands of ready-made steps you drop in with uses:.
Actions are packaged, reusable steps you can pull into any workflow. Instead of writing shell to clone your repo or install a language, you reuse a battle-tested action. This lesson covers the essentials and how to use them safely.
How uses: works
A step with uses: references a published action by owner/repo@version. GitHub fetches and runs that action as a step. The most common one is actions/checkout, which clones your repository onto the runner - without it, your code is not even present, so almost every workflow starts with it.
steps:
- uses: actions/checkout@v4The setup-* family
The actions/setup-* actions install and configure a language toolchain on the runner: setup-node, setup-python, setup-go, setup-java, and more. They let you pick an exact version and often add built-in dependency caching, which speeds up runs considerably.
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- run: npm ciPassing inputs with with:
Actions accept inputs through the with: block, as you saw above with node-version. Each action documents its own inputs on its Marketplace page. Treat that page as the source of truth - input names and defaults vary from action to action.
Pinning versions safely
- Pin to a major tag like
@v4for a balance of stability and bug fixes. - For maximum security, pin to a full commit SHA so the code cannot change underneath you.
- Avoid
@mainor@latestin production workflows - they can change without warning. - Prefer well-maintained, verified-creator actions for anything that touches secrets.
Key takeaways
- Actions are reusable steps invoked with
uses: owner/repo@version. actions/checkoutclones your repo; thesetup-*family installs toolchains.- Pin versions (major tag or commit SHA) and prefer trusted, maintained actions.