This Python script checks for outdated GitHub Actions in your GitHub Enterprise or organization using Actions reports generated by stoe/action-reporting-cli.

• Python 3
• requests library (install with pip3 install requests)
• JSON reports generated by stoe/action-reporting-cli

# Generate Actions reports containing all Actions used in your GitHub Enterprise or organization
npx @stoe/action-reporting-cli -e <myEnterprise> -t <token> --uses --unique=true --json report.json
# OR
npx @stoe/action-reporting-cli -o <myOrg> -t <token> --uses --unique=true --json report.json

# Process reports generated by action-reporting-cli
python3 actions-version-check.py -e <myEnterprise>
# OR
python3 actions-version-check.py -o <myOrg>

# Read generated CSV file
cat actions-version-check_<timestamp>.csv

# Read generated JSON file
cat actions-version-check_<timestamp>.json | jq

# Read generated text file with unused allowed actions patterns, if `-o` or `-e` is used
# Note that if you have allowed actions patterns defined on Enterprise level, all orgs will have the same patterns
cat unused-allowed-actions-patterns_myEnterprise_<timestamp>.txt
# OR
cat unused-allowed-actions-patterns_myOrg_<timestamp>.txt

• -r, --report: Path to report.json generated by stoe/action-reporting-cli. Default is report.json.
• -ru, --report-unique: Path to report-unique.json generated by stoe/action-reporting-cli. Default is report-unique.json.
• -c, --csv: Path to CSV file to write the results to. Default is actions-version-check_<timestamp>.csv.
• -j, --json: Path to JSON file to write the results to. Default is actions-version-check_<timestamp>.json.
• -ar, --allowed-actions-report: Path to text file containing allowed actions patterns that appear to not match any action usage. Default is unused-allowed-actions-patterns_<timestamp>.txt.
• -u, --include-up-to-date: Include actions that are not used anywhere in outdated versions in the report.
• -e, --enterprise: Compare used actions to actions allowed in GitHub Enterprise <enterprise slug> to identify unused allowed actions patterns, requires token with admin:enterprise scope in env var ACTIONS_VERSION_CHECK_TOKEN.
• -o, --org: Compare used actions to actions allowed in GitHub organization <org name> to identify unused allowed actions patterns, requires token with admin:org scope in env var ACTIONS_VERSION_CHECK_TOKEN.

• ACTIONS_VERSION_CHECK_TOKEN: Token with admin:enterprise or admin:org scope for comparing allowed actions. (Required if -e or -o is used.)