Create a nice list of github action usage across your organisations repos

github-actions-scan.sh

#!/bin/bash
# Creates a nice list of github action usage across your organisations repos
# Useful for making sure you are using pinned dependencies
# Idea from this blog post: https://alexwlchan.net/2025/github-actions-audit/

ORG="" # github org name to only search their repos, case sensitive

temp_file=$(mktemp)

for dir in */; do
  # Check if it's a Git repo
  if [ -d "$dir/.git" ]; then
    remote_url=$(git -C "$dir" remote get-url origin 2>/dev/null)

    if [[ $remote_url == *github.com* ]]; then
      org=$(echo "$remote_url" | sed -E 's|.*github.com[:/](.+)/.*|\1|')

      # Filter out any non-org repos
      if [ "$org" = "$ORG" ]; then
        find "$dir" -path '*/.github/workflows/*' -type f \( -name '*.yml' -o -name '*.yaml' \) -print0 \
          | xargs -0 grep --no-filename "uses:" \
          | sed 's/\- uses:/uses:/g' \
          | tr '"' ' ' \
          | awk '{print $2}' \
          | grep -v '^./.github/' \
          | sed 's/\r//g' >> "$temp_file"
      fi
    fi
  fi
done

sort "$temp_file" | uniq -c | sort -n

rm "$temp_file"