GitHub Actions #

GitHub Actions is a GitHub-native automation platform for building, testing, securing, and deploying code from repository events such as pull requests, pushes, schedules, and manual workflow dispatches.

Overview #

GitHub Actions workflows are YAML files stored in .github/workflows/. A workflow contains jobs, each job runs on a runner, and each job contains steps that execute shell commands or reusable actions. It is strongest when your source code, pull requests, packages, and deployment approvals already live in GitHub.

Best use cases #

  • GitHub-hosted open-source or private repositories.
  • Pull-request checks, code scanning, dependency review, and release automation.
  • Cloud deployments that can use OpenID Connect (OIDC) instead of long-lived cloud keys.
  • Reusable workflows for organizations that want shared CI/CD templates.
  • Container image builds and deployments to Kubernetes, serverless, or package registries.

Minimal pipeline example #

name: ci

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "22"
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: npm test

Secrets handling #

  • Store credentials in GitHub repository, environment, or organization secrets based on the scope needed.
  • Prefer OIDC federation for cloud deployments so the workflow receives short-lived credentials.
  • Use GitHub environments for deployment-specific secrets and required approvals.
  • Avoid printing secrets in shell output; keep debug logging disabled for sensitive jobs.
  • Limit the default GITHUB_TOKEN by setting explicit permissions at workflow or job level.

Deployment options #

  • Deploy to cloud platforms with official or reviewed third-party actions.
  • Build and push container images to GitHub Packages, Amazon ECR, Google Artifact Registry, Azure Container Registry, or another registry.
  • Trigger GitOps deployments by updating Kubernetes manifests or Helm values in a deployment repository.
  • Use environments for staging and production approvals, protection rules, and deployment history.
  • Run self-hosted runners for private networks, specialized hardware, or strict data residency needs.

Security considerations #

  • Pin third-party actions to trusted versions or, for critical workflows, to full commit SHAs, since a version tag can be moved to different code while a commit SHA cannot.
  • Review marketplace actions before use and avoid actions that request unnecessary token permissions.
  • Keep pull-request workflows from untrusted forks away from production secrets.
  • Isolate self-hosted runners by repository or trust boundary, and rebuild ephemeral runners frequently.
  • Add dependency scanning, CodeQL or SAST, secret scanning, IaC scanning, image scanning, and artifact signing for sensitive workloads.

Related topics #

  • DevSecOps — Add security scanning, policy checks, and supply-chain controls to GitHub Actions.
  • GitOps — Use Actions to build artifacts and update declarative deployment state.
  • Kubernetes — Deploy containerized workloads from Actions to Kubernetes.
  • Infrastructure as Code — Run Terraform, OpenTofu, Bicep, or Pulumi checks in workflows.
  • CI/CD Security Best Practices — Harden identities, runners, secrets, and artifacts.
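As an added example (not part of the original page), the following script checks two of the controls from the Secrets handling and Security considerations sections above: that third-party actions are pinned to a commit SHA and that the workflow scopes GITHUB_TOKEN with an explicit permissions block. The trusted-owner list, the example-org action names and the placeholder SHA are assumptions constructed for this example.

```python
import re

# Hypothetical policy for this example: tagged releases from these owners count as
# "trusted versions"; every other action must be pinned to a full 40-hex commit SHA.
TRUSTED_OWNERS = {"actions", "github"}
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def audit_workflow(text: str) -> list[str]:
    """Report unpinned third-party actions and a missing GITHUB_TOKEN permissions block."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        target, _, version = ref.partition("@")
        owner = target.split("/")[0]
        if SHA_RE.match(version):
            continue  # immutable pin: a commit SHA cannot be moved the way a tag can
        if owner in TRUSTED_OWNERS and version:
            continue  # trusted version tag, acceptable per the page's guidance
        findings.append(f"line {lineno}: {ref} is not pinned to a commit SHA")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block: GITHUB_TOKEN keeps its default scope")
    elif re.search(r"^\s*permissions:\s*write-all", text, re.M):
        findings.append("permissions grant write-all to GITHUB_TOKEN")
    return findings

# Constructed samples: the first mirrors the page's minimal pipeline plus a SHA-pinned
# hypothetical action; the second uses a hypothetical action by tag and never scopes GITHUB_TOKEN.
SAFE_WORKFLOW = """\
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/lint-action@%s
""" % ("a1b2c3d4" * 5)  # placeholder SHA, not a real commit

RISKY_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: example-org/deploy-to-cloud@v1
"""
```

Running `audit_workflow(RISKY_WORKFLOW)` yields one finding for the unpinned action and one for the missing permissions block, while the safe sample returns no findings.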