CLI to report on GitHub Actions usage across enterprises, organizations, users, and repositories
action-reporting-cli helps you audit GitHub Actions usage across your entire GitHub environment. It collects comprehensive data about workflows, actions, secrets, variables, permissions, and dependencies, giving you valuable insights into your Actions usage. The tool works with GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server.
- Quick Start
- Installation
- Authentication
- Usage
- Options
- Report Files
- Examples
- Performance Tips
- Contributing
- License
Get a full enterprise report (all report types) in three formats:
npx @stoe/action-reporting-cli \
--token YOUR_TOKEN \
--enterprise my-enterprise \
--all \
--json ./reports/actions.json \
--csv ./reports/actions.csv \
--md ./reports/actions.mdList unique third‑party actions for one repository:
npx @stoe/action-reporting-cli \
--token YOUR_TOKEN \
--repository my-org/my-repo \
--uses --exclude --unique both \
--csv ./reports/actions.csvMinimal org scan (just actions used):
export GITHUB_TOKEN=YOUR_TOKEN
npx @stoe/action-reporting-cli --owner my-org --uses --json ./report.jsonRun without installing:
$ npx @stoe/action-reporting-cli [--options]$ npm install -g @stoe/action-reporting-cli
$ action-reporting-cli [--options]$ npm install @stoe/action-reporting-cli
$ npx action-reporting-cli [--options]You'll need a GitHub Personal Access Token (PAT) with these permissions:
-
For GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Cloud with Data Residency:
reposcope to access private repositoriesworkflowscope to read GitHub Actions dataadmin:orgscope when using--ownerwith organizations
-
For GitHub Enterprise Server:
- Same permissions as above
- Make sure you have network access to your GitHub Enterprise Server instance
You can provide your token using the --token parameter or by setting the GITHUB_TOKEN environment variable.
You must specify exactly one target scope (enterprise OR owner OR repository). Then add the report flags you want and at least one output format.
Pattern:
action-reporting-cli --<scope> <name> [report flags] [output flags] [utility flags]--enterprise,-e <slug>: Enterprise account slug (GitHub Enterprise Cloud or Server)--owner,-o <login>: Organization or user login (user returns authenticated user’s repos)--repository,-r <owner/name>: Single repository
--token,-t <token>: Personal Access Token (defaults toGITHUB_TOKENenv var)--hostname <host>: Custom host.- GHES example:
github.example.com→https://github.example.com/api/v3 - GHEC+DR regional:
example.ghe.com→https://api.example.ghe.com - Already API host:
api.example.ghe.com(unchanged) - Omit for public:
https://api.github.com
- GHES example:
Pick any combination (or just --all):
--all: Shorthand for all report types below (also sets--unique bothfor actions when combined with--useslogic)--listeners: Workflowonevent triggers--permissions:permissionsblocks for the defaultGITHUB_TOKEN--runs-on: Runner labels / environments used--secrets: Referenced secrets in workflows--uses:uses:action references--exclude: Skip first‑party actions (actions/*andgithub/*) — only meaningful with--uses--unique <true|false|both>: Reduce duplicates for third‑party actions.false(default)true: Adds an extra.uniqueoutput containing only unique third‑party actionsboth: Keep full list plus.uniquefile (implied when--allincludes actions)
--vars: Referencedvarsin workflows
--archived: Skip archived repositories--forked: Skip forked repositories
--csv <path>: Write CSV report--json <path>: Write JSON report--md <path>: Write Markdown report
You can specify multiple output formats in one run.
--debug,-d: Verbose progress + diagnostic logging--skipCache: Force fresh API calls (only works when--debugis enabled)--help,-h: Show inline usage help--version,-v: Show version
The tool generates reports in your specified format(s):
- CSV: Comma-separated values that you can easily import into spreadsheets
- JSON: Structured data format for programmatic access or further processing
- Markdown: Human-readable format that's perfect for documentation or sharing
When you use --unique both with --uses, you'll get an additional file with the .unique suffix containing only unique third-party actions.
The CLI normalizes the API base URL from --hostname:
- (omitted):
https://api.github.com github.example.com: → append/api/v3example.ghe.com: → prefix withapi.(no/api/v3)api.example.ghe.com: → used as provided- Extra protocol, case, paths, or trailing slashes are stripped
Rule of thumb:
- Ends with
.ghe.com? Ensure it starts withapi.(do NOT add/api/v3). - Anything else custom? Treat as GHES → add
/api/v3. - Nothing passed? Use public API.
Tip: Always pass --hostname in scripts so moves between public / GHES / GHEC+DR need no code changes.
Here are some common usage scenarios to help you get started:
Get a complete report on all GitHub Actions usage across your enterprise:
# Analyze everything in your GitHub Enterprise Cloud account
$ npx @stoe/action-reporting-cli \
--token ghp_000000000000000000000000000000000000 \
--enterprise my-enterprise \
--all \
--csv ./reports/actions.csv \
--json ./reports/actions.json \
--md ./reports/actions.mdFocus on specific aspects of GitHub Actions in an organization:
# Check permissions, runners, secrets, actions, and variables in your org
$ npx @stoe/action-reporting-cli \
--token ghp_000000000000000000000000000000000000 \
--owner my-org \
--permissions \
--runs-on \
--secrets \
--uses \
--vars \
--json ./reports/actions.jsonFind unique third-party actions used in a specific repository:
# Identify third-party actions in your repository
$ npx @stoe/action-reporting-cli \
--token ghp_000000000000000000000000000000000000 \
--repository my-org/my-repo \
--uses \
--exclude \
--unique both \
--csv ./reports/actions.csvRun the tool against your GitHub Enterprise Server instance:
# Analyze an organization on GitHub Enterprise Server
$ npx @stoe/action-reporting-cli \
--hostname github.example.com \
--token ghp_000000000000000000000000000000000000 \
--owner my-org \
--all \
--json ./reports/actions.jsonUse environment variables for authentication:
# Set your token as an environment variable
$ export GITHUB_TOKEN=ghp_000000000000000000000000000000000000
# Run without including token in the command
$ npx @stoe/action-reporting-cli \
--owner my-org \
--uses \
--csv ./reports/actions.csvSkip archived or forked repositories in your enterprise-wide scan:
$ npx @stoe/action-reporting-cli \
--enterprise my-enterprise \
--all \
--archived \
--forked \
--json ./reports/actions.jsonEnable debug mode when you need more information:
$ npx @stoe/action-reporting-cli \
--repository my-org/my-repo \
--all \
--debug \
--md ./reports/actions.mdSkip the cache to get the most up-to-date information (uses more API calls, only works with --debug):
$ npx @stoe/action-reporting-cli \
--owner my-org \
--all \
--skipCache \
--json ./reports/actions.jsonWhen working with large GitHub environments:
- Use the
--debugflag to monitor progress and identify any issues - For very large enterprises, consider running separate scans for specific organizations
- Use repository filtering options (
--archivedand--forked) to reduce API calls or exclude unnecessary data
We welcome and appreciate your contributions! Whether you're reporting bugs, suggesting features, or submitting code changes, your help makes this project better.
Please check out our contributing guidelines for information on:
- How to submit bug reports and feature requests
- Development workflow and coding standards
- Pull request process
- Project structure
Thank you to everyone who's contributed!