Top-20 Marketplace actions compatibility
Most Marketplace actions work on fremforge without modification because fremforge runners resolve action code through fremverk-operated Forgejo pull-mirrors of upstream GitHub publishers. The relevant Forgejo setting is [actions] DEFAULT_ACTIONS_URL = https://frem.sh, so a workflow’s uses: actions/checkout@v4 resolves to https://frem.sh/actions/checkout — a Forgejo pull-mirror of github.com/actions/checkout with an 8-hour upstream sync interval. No fremforge runtime path resolves DNS to github.com directly at customer-workflow execution time (the Forgejo control-plane fetches upstream on its sync schedule via the platform’s outbound proxy; runners see the mirrored copy only), satisfying the DPA Annex A.6 commitment. The Forgejo Actions runtime exposes the same environment variables as GitHub Actions (GITHUB_TOKEN, GITHUB_SHA, GITHUB_REF, GITHUB_API_URL, etc.) so a workflow’s uses: actions/checkout@v4 directive resolves through the mirror transparently.
Mirrored upstream publishers (as of 2026-06-02)
These GitHub publishers are mirrored as Forgejo pull-mirrors on frem.sh and resolve cleanly from any customer workflow:
- actions/: checkout, setup-node, setup-python, setup-go, setup-java, setup-dotnet, upload-artifact, download-artifact, cache
- docker/: login-action, setup-buildx-action (build-push-action declined intentionally: no Docker daemon)
- pnpm/: action-setup
- step-security/: harden-runner
- aws-actions/: configure-aws-credentials
- azure/: login
- google-github-actions/: auth
- peter-evans/: create-pull-request
- dorny/: paths-filter, test-reporter
- softprops/: action-gh-release
- sonarsource/: sonarcloud-github-action
If you need an action from a publisher not listed above, file a mirror request. The operator side spawns a new pull-mirror of github.com/<publisher>/<repo> and your workflow runs cleanly on the next dispatch. Mirror requests typically complete within one business day. Reserved publisher names (aws-actions, azure, microsoft, sigstore, etc.) are pre-locked at the Forgejo identity layer so no customer tenant can squat them and inject malicious code through your workflows.
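A pre-flight check for a workflow file, as an added example (not fremforge tooling): it maps each `uses:` reference to the mirror URL it would resolve to and classifies it against the publisher list above. The status names, the `resolve_uses` helper and the sample workflow are assumptions made for illustration.

```python
import re

MIRROR_BASE = "https://frem.sh"  # DEFAULT_ACTIONS_URL value given on this page
# Publisher -> repositories listed as mirrored on this page (as of 2026-06-02).
MIRRORED = {
    "actions": {"checkout", "setup-node", "setup-python", "setup-go", "setup-java",
                "setup-dotnet", "upload-artifact", "download-artifact", "cache"},
    "docker": {"login-action", "setup-buildx-action"}, "pnpm": {"action-setup"},
    "step-security": {"harden-runner"}, "azure": {"login"},
    "aws-actions": {"configure-aws-credentials"}, "google-github-actions": {"auth"},
    "peter-evans": {"create-pull-request"}, "dorny": {"paths-filter", "test-reporter"},
    "softprops": {"action-gh-release"}, "sonarsource": {"sonarcloud-github-action"},
}
DECLINED = {"docker/build-push-action"}  # intentionally not mirrored: no Docker daemon
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")

def resolve_uses(workflow_text):
    """Return (reference, mirror_url, status) for every remote `uses:` line."""
    results = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match or match.group(1).startswith(("./", "docker://")):
            continue  # not a `uses:` line, or a local action / container image
        ref = match.group(1)
        if "://" in ref:
            # Forgejo accepts fully qualified URLs in `uses:`; they skip DEFAULT_ACTIONS_URL.
            results.append((ref, None, "absolute-url"))
            continue
        parts = ref.partition("@")[0].split("/")
        if len(parts) < 2:
            continue  # not a publisher/repo reference
        publisher, repo = parts[0], parts[1]
        if f"{publisher}/{repo}".lower() in DECLINED:
            status = "declined"
        elif repo.lower() in MIRRORED.get(publisher.lower(), ()):
            status = "mirrored"
        else:
            status = "needs-mirror-request"
        results.append((ref, f"{MIRROR_BASE}/{publisher}/{repo}", status))
    return results

# Constructed sample workflow fragment (publishers, versions and paths are illustrative).
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: docker/build-push-action@v6
  - uses: example-org/custom-lint@v1
  - uses: ./.forgejo/actions/local
  - uses: https://github.com/example-org/tool@v1
"""
```

An `absolute-url` result deserves review because that reference does not go through the default mirror resolution described on this page.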
This matrix covers the top-20 most-downloaded actions. Entries are marked with their verification tier:
- Code-reviewed: assessed from the action’s source code and Forgejo community reports; not yet run on a live fremforge CCI runner.
- Runner-verified: run against a real fremforge-hosted CCI runner; outcome confirmed empirically.
Runner-verified entries land as the Phase 1 launch-blocker checklist is worked through.
Status legend
- ✅ Works as-is: runs unchanged; workflows port without modification.
- ⚠️ Works with note: runs, but a specific behaviour differs or a prerequisite must be met. The note describes what to do.
- 🔧 Needs wrapper: a small wrapper or composite action restores compatibility. Wrapper code provided.
- ❌ No equivalent: depends on GitHub-only infrastructure and cannot run against fremforge. Alternative recommended.
Coverage promise
The matrix covers the top 20 most-used actions on the GitHub Marketplace as of launch. The list is reviewed quarterly; an action that drops out of the top-20 stays on the matrix until a usage signal removes it.
Compatibility matrix
| Action | Status | Tier | Notes |
|---|---|---|---|
| actions/checkout | ✅ | Code-reviewed | Uses GITHUB_TOKEN + Forgejo Git endpoint. No GitHub-specific API calls. Works unchanged. |
| actions/setup-node | ✅ | Code-reviewed | Pure tool-cache action. Downloads Node.js from nodejs.org or the runner’s tool cache; no GitHub API calls. |
| actions/setup-python | ✅ | Code-reviewed | Same tool-cache pattern as setup-node. Works unchanged. |
| actions/setup-go | ✅ | Code-reviewed | Same tool-cache pattern. Works unchanged. |
| actions/setup-java | ✅ | Code-reviewed | Same tool-cache pattern. Works unchanged. |
| actions/setup-dotnet | ✅ | Code-reviewed | Same tool-cache pattern. Works unchanged. |
| actions/cache | ✅ | Code-reviewed | Reads ACTIONS_CACHE_URL from the runner environment; fremforge runners set this via the Forgejo 1.21+ cache API. Works unchanged. |
| actions/upload-artifact | ✅ | Code-reviewed | Uses ACTIONS_RUNTIME_URL / artifact API. Forgejo 1.22+ implements this endpoint; fremforge runners are on a compatible version. Works unchanged. |
| actions/download-artifact | ✅ | Code-reviewed | Same artifact API as upload-artifact. Works unchanged. |
| docker/login-action | ✅ | Code-reviewed | Calls the target registry directly (Docker Hub, GHCR, custom registry). No GitHub-specific API. Works unchanged. |
| docker/build-push-action | ❌ | Code-reviewed | Requires Docker daemon access. fremforge runners run on T Cloud CCI v2, which doesn’t permit privileged containers, so Docker-in-Docker is not available. Use the pre-installed kaniko in a run: step instead (see Runner image / Container builds for an example). |
| docker/setup-buildx-action | ❌ | Code-reviewed | Same Docker-daemon prerequisite as build-push-action, which is not available. Use kaniko directly. |
| peter-evans/create-pull-request | ✅ | Code-reviewed | Uses the GitHub REST API (PR creation, branch push) via GITHUB_API_URL, which fremforge sets to the Forgejo API endpoint. Forgejo’s PR API is GitHub v3-compatible for this action’s call set. Works unchanged. |
| azure/login | ⚠️ | Code-reviewed | OIDC federation path: the action requests an OIDC token from ACTIONS_ID_TOKEN_REQUEST_URL, which fremforge runners provide. You must configure an Azure AD federated credential using fremforge’s OIDC issuer (https://frem.sh/_app/runner/oidc, the single global issuer for all tenants). See the Runner OIDC onboarding runbook for the setup steps. The username/password (creds) path works without any OIDC config. |
| aws-actions/configure-aws-credentials | ⚠️ | Code-reviewed | Same OIDC prerequisite as azure/login. Configure an AWS IAM OIDC identity provider with the fremforge issuer URL. See the Runner OIDC onboarding runbook. The static access-key path works without OIDC config. |
| google-github-actions/auth | ⚠️ | Code-reviewed | Same OIDC prerequisite. Configure a GCP Workload Identity Federation pool with the fremforge issuer. See the Runner OIDC onboarding runbook. Service-account-key auth works without OIDC config. |
| sonarsource/sonarcloud-github-action | ⚠️ | Code-reviewed | Scan and quality-gate logic works unchanged (calls SonarCloud API directly). Inline PR decoration (posting review comments) uses the GitHub Checks API; Forgejo’s Checks API support is partial, so decoration may appear as a commit status instead of inline annotations. Functional for the pass/fail gate; annotation density differs. |
| dorny/paths-filter | ✅ | Code-reviewed | Reads file diff via GITHUB_EVENT_PATH payload and Git commands. No GitHub-API-only calls. Works unchanged. |
| softprops/action-gh-release | ✅ | Code-reviewed | Uses the GitHub Releases API via GITHUB_API_URL. Forgejo implements the Releases API. Works unchanged. |
| dorny/test-reporter | ⚠️ | Code-reviewed | Parses test result files and posts a Check Run. Forgejo supports Check Runs but annotation limits differ from GitHub’s (GitHub allows 50 annotations per Check Run; Forgejo’s limit may vary by version). For large test suites, annotations may be truncated. Pass/fail status is always reported correctly. |
OIDC federation setup
Actions using OIDC (azure/login, aws-actions/configure-aws-credentials, google-github-actions/auth) require a one-time configuration step to register fremforge as a trusted OIDC issuer with the cloud provider.
fremforge’s OIDC discovery endpoint: https://frem.sh/_app/runner/oidc/.well-known/openid-configuration (single global endpoint serving all tenants; the iss claim on every runner-issued token is https://frem.sh/_app/runner/oidc). Per-tenant trust isolation is enforced by pinning cloud trust-policy conditions on the repository_owner JWT claim — the GitHub-Actions-compatible pattern.
Full step-by-step instructions for Azure AD, AWS IAM, and GCP Workload Identity are in the Runner OIDC onboarding runbook.
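Why the repository_owner pin matters when every tenant shares one issuer, shown as an added example (not fremforge or cloud-provider code). It models trust-policy evaluation over claims whose signature has already been verified; the provider-neutral policy shape, the policy names and the tenants `acme` and `other-tenant` are constructed for illustration.

```python
FREMFORGE_ISSUER = "https://frem.sh/_app/runner/oidc"  # iss value stated on this page

def evaluate(policy, claims):
    """Model a cloud trust-policy decision over already signature-verified claims."""
    if claims.get("iss") != policy["issuer"]:
        return False
    # Every pinned claim must match exactly: no prefix, wildcard or case folding.
    return all(claims.get(name) == value
               for name, value in policy.get("conditions", {}).items())

def audit(policies):
    """Return names of policies that trust the shared issuer without pinning a tenant."""
    findings = []
    for name, policy in policies.items():
        pinned_owner = policy.get("conditions", {}).get("repository_owner")
        if policy["issuer"] == FREMFORGE_ISSUER and not pinned_owner:
            findings.append(name)
    return findings

# Constructed sample data (hypothetical policy names and tenants).
POLICIES = {
    "deploy-issuer-only": {"issuer": FREMFORGE_ISSUER, "conditions": {}},
    "deploy-owner-pinned": {"issuer": FREMFORGE_ISSUER,
                            "conditions": {"repository_owner": "acme"}},
}
CLAIMS_ACME = {"iss": FREMFORGE_ISSUER, "repository_owner": "acme"}
CLAIMS_OTHER = {"iss": FREMFORGE_ISSUER, "repository_owner": "other-tenant"}

def decision_matrix():
    """Evaluate every policy against a token from each tenant."""
    return {(name, claims["repository_owner"]): evaluate(policy, claims)
            for name, policy in POLICIES.items()
            for claims in (CLAIMS_ACME, CLAIMS_OTHER)}

if __name__ == "__main__":
    for key, allowed in decision_matrix().items():
        print(key, "ALLOW" if allowed else "DENY")
    print("policies missing a tenant pin:", audit(POLICIES))
```

The issuer-only policy admits both tenants because the iss claim is identical for all of them; only the pinned policy separates `acme` from `other-tenant`.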
Container image builds
docker/build-push-action and docker/setup-buildx-action are NOT compatible with fremforge runners: Docker-in-Docker isn’t possible on CCI v2 (the underlying T Cloud runtime doesn’t permit privileged containers). Use the pre-installed kaniko instead:

```yaml
- name: Build + push image
  run: |
    /usr/local/bin/kaniko \
      --context="$GITHUB_WORKSPACE" \
      --dockerfile=Dockerfile \
      --destination="registry.example.com/$GITHUB_REPOSITORY:$GITHUB_SHA"
```

For pure image copy/retag/push between registries, install skopeo in the step: apk add skopeo. See Runner image for the full pattern.
When you find a gap
If you find a Marketplace action that should be in the top-20 and we have not flagged compatibility for it, or you find an action listed here that does not behave as documented, file an issue at support@frem.sh with subject line starting MARKETPLACE COMPAT -. We will verify and update the matrix.
Beyond the top-20
Most other Marketplace actions Just Work. The exceptions are actions that:
- Rely on GitHub-internal API endpoints (Codespaces API, Copilot API, GitHub Packages container registry API beyond standard OCI push/pull).
- Hardcode the GitHub OIDC issuer URL (https://token.actions.githubusercontent.com) rather than reading ACTIONS_ID_TOKEN_REQUEST_URL.
- Require GitHub-specific authentication beyond GITHUB_TOKEN.
For unverified actions outside the top-20: try it. Most work. For the few that do not, document the failure, and we either ship a wrapper or surface the gap in the migration guides.
See also
- Runner images: available runner labels and which image each maps to.
- Runner OIDC onboarding: configure cloud provider trust for OIDC-based auth actions.
- Migration guides: how Marketplace action references migrate during a platform migration.
- Public REST API: the fremforge API surface for actions that need to call back into the platform.