Actions Insights
What is Actions Insights?
Actions Insights gives you organization-wide visibility into every GitHub Action and reusable workflow referenced across your repositories. It surfaces usage patterns, version pinning practices, and dependency relationships so you can track supply-chain hygiene and standardize on approved actions.
The feature is accessible from the organization sidebar under Actions Insights and has three tabs: Overview, Actions Explorer, and Workflows Explorer.
Overview
The Overview tab provides a high-level summary of actions and workflow usage across your organization.
Summary Statistics
Four stat cards at the top show:
- Unique Actions — distinct external GitHub Actions referenced
- Unique Workflows — distinct reusable workflows referenced
- Repositories — number of repositories with action or workflow references
- SHA-Pinned — percentage of all references that are pinned to a commit SHA
Top Actions & Workflows
A horizontal bar chart shows the most-used actions and workflows ranked by total usage count across all repositories.
Version Pinning Strategy
A donut chart breaks down how references are pinned:
| Category | Description |
|---|---|
| SHA-pinned | Pinned to a specific commit SHA — the most secure pinning strategy |
| Versioned | Pinned to a tag or version (e.g., v4, v2.1.0) |
| Unversioned | No version specified — uses the default branch, which can change |
Version Distribution
A table lists actions and workflows that have multiple versions in use across your repositories (version sprawl). This helps identify targets that should be consolidated to a single version. Columns include the target name, versions in use (shown as badges), number of repos, and total usages.
Actions Explorer
The Actions Explorer tab lets you browse and inspect every external GitHub Action referenced in your organization's repositories.
View Modes
Toggle between two layouts using the buttons at the top:
- Split — a table on the left with a dependency graph on the right
- Table — a full-width data table with expandable rows
A search bar filters the list by action name.
Split View
In split view, clicking a row in the table loads an interactive dependency graph for that action:
- Root node — the action itself, showing its name, version count, and total usages, with a link to GitHub
- Version nodes — one node per version in use, color-coded by pinning type (green for SHA, blue for versioned, amber for unversioned)
- Repository nodes — the repositories and workflow files that reference each version
Hovering over a version node highlights all connected edges and repository nodes to show exactly which repos use that version.
The graph supports fullscreen mode for detailed inspection.
Interactive Graph Features
The dependency graph supports expand/collapse functionality to manage large numbers of references:
- Version nodes start collapsed and show a chevron indicator
- Expand a version to reveal its repository usage:
  - ≤8 repositories: Individual repository nodes appear
  - >8 repositories: An aggregation node appears with usage statistics
- Aggregation nodes provide:
  - Usage summary with repository count and file count
  - Version migration tags when applicable
  - Searchable repository list with "N of M repos" footer
  - Scrollable content that doesn't interfere with graph zoom
- Smooth animations when expanding/collapsing nodes
- Viewport preservation — if you're zoomed in, expanding nodes won't disrupt your current view
The graph uses a four-column layout: root → version → usage summary → repository, making it easy to trace dependencies even with complex version distributions.
Deep Linking
Expanded graph states are preserved in the URL, so you can bookmark or share links to specific expanded views of an action's dependency graph.
Workflow Navigation
Workflow entries in both the split view graph and table view provide direct navigation to their dependencies pages in CodeCargo:
- Repository file entries in the dependency graph display a popover when clicked, offering quick access to workflow code and dependencies
- Root nodes link to `/workflows/{id}/dependencies` for regular workflows
- Building block workflows link to `/building-block/workflow/{id}/dependencies`
- Workflow code links navigate to the workflow's source code view when you have appropriate permissions
This provides seamless navigation from Actions Insights to detailed workflow dependency analysis without leaving the CodeCargo platform.
Table View
In table view, each row shows an action with its versions (as badges), repository count, and usage count. Expanding a row reveals a detail table with:
| Column | Description |
|---|---|
| Repository | Source repository name and git ref, with building block badge if applicable |
| File | The workflow file path that references this action |
| Job | The job ID or name within the workflow |
| Step | The step that uses the action |
| Version | The version badge for this specific reference |
Each expanded row includes links to view the workflow in CodeCargo or the action on GitHub.
Workflows Explorer
The Workflows Explorer tab has the same layout and functionality as the Actions Explorer, but filters to reusable workflows instead of actions.
Key differences:
- Workflow entries display the filename (e.g., `build.yml`) as the primary label with the org/repo shown as a subtitle
- The expanded detail table does not include a Step column, since reusable workflows are called at the job level
- Links point to the workflow file rather than an action repository
Workflow Navigation
Workflow entries in both the split view graph and table view link directly to their dependencies pages in CodeCargo:
- Root nodes in the dependency graph link to `/workflows/{id}/dependencies` for regular workflows
- Building block workflows link to `/building-block/workflow/{id}/dependencies`
- Repository file entries in expanded table rows also link to the appropriate dependencies page
This provides seamless navigation from Actions Insights to detailed workflow dependency analysis.
Untracked Workflow Indicators
Workflows that cannot be resolved to a tracked CodeCargo workflow display a question mark (?) icon with a tooltip explaining "This workflow is not tracked by CodeCargo." This helps you identify:
- External workflows that aren't imported as building blocks
- Workflows on non-default branches that may be stale
- References to workflows that may have been moved or deleted
These indicators appear in both the dependency graph root nodes and repository file lists.
Building Block Source Filtering
The Workflows Explorer intelligently filters workflows from building block source repositories:
- Default branch sources: All workflows are shown since they overlap with normal workflow scanning
- Non-default branch sources (tags, feature branches): Only activated building blocks are shown to reduce noise
- Building block indicators: Individual workflows that are building blocks display a building block icon, making it easy to distinguish them from regular workflows even when the entire repository is a building block source
This filtering ensures you see all relevant workflows while avoiding clutter from building block source artifacts that aren't actively used as building blocks.
Version Pinning
Actions Insights uses color-coded badges to indicate how each reference is pinned:
| Badge Color | Pinning Type | Example | Security Level |
|---|---|---|---|
| Green | SHA-pinned | actions/checkout@a5ac7e5... | Highest |
| Blue | Versioned | actions/checkout@v4 | Moderate |
| Amber | Unversioned | actions/checkout (default branch) | Lowest |
SHA-pinning is the recommended practice because it ensures the exact code that runs cannot change without a deliberate update. The SHA-Pinned percentage on the Overview tab tracks your organization's progress toward this goal.
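The classification behind the SHA-Pinned percentage and the Version Distribution table can be reproduced locally for auditing. The following is an added example, not CodeCargo's code: it scans `uses:` lines in a workflow file, sorts each reference into the three categories above, and reports the SHA-pinned percentage and any version sprawl. Assumptions: a full SHA is 40 hex characters, any other ref (tag or branch) counts as versioned, local (`./`) and `docker://` references are skipped, and the function names and sample workflow are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
# `uses: owner/repo[/path][@ref]`, optionally quoted, list dash optional.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")

def classify(ref):
    """Map a ref (text after '@', or None) to one of the page's categories."""
    if ref is None:
        return "unversioned"
    if FULL_SHA_RE.fullmatch(ref):
        return "sha-pinned"
    return "versioned"  # assumption: any non-SHA ref (tag or branch)

def scan(workflow_text):
    """Return (target, ref, category) for each external uses: reference."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a uses: line, or a local/container reference
        target, _, ref = m.group(1).partition("@")
        refs.append((target, ref or None, classify(ref or None)))
    return refs

def summarize(refs):
    """SHA-pinned percentage, per-category counts, and version sprawl."""
    counts = Counter(cat for _, _, cat in refs)
    versions = defaultdict(set)
    for target, ref, _ in refs:
        versions[target].add(ref)
    sprawl = {t: sorted(v, key=str) for t, v in versions.items() if len(v) > 1}
    pct = round(100 * counts["sha-pinned"] / len(refs), 1) if refs else 0.0
    return pct, dict(counts), sprawl

# Constructed sample workflow (not from any real repository).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: example-org/lint-action
      - uses: ./local/action
  deploy:
    uses: example-org/shared/.github/workflows/build.yml@v2.1.0
"""
if __name__ == "__main__":
    print(summarize(scan(SAMPLE)))
```

A truncated SHA such as the `a5ac7e5...` display form is not a full commit SHA, so this script counts a short hash as versioned rather than SHA-pinned.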
Key Terminology
| Term | Meaning |
|---|---|
| Action | A GitHub Action referenced with uses: in a workflow step |
| Reusable Workflow | A workflow called with uses: at the job level |
| SHA-pinned | A reference pinned to a full commit SHA |
| Version sprawl | Multiple different versions of the same action in use across an organization |
| Building block | A CodeCargo-managed action or workflow template |
