GitHub's native CI/CD platform. Declarative YAML workflows that automate build, test, deploy, and any development lifecycle task — directly from the repository.
GitHub Actions is the automation platform integrated into GitHub. Every repository can define YAML workflows that execute in response to events — push, PR, schedule, release, or any webhook.
```yaml
# .github/workflows/ci.yml
name: CI                          # Workflow name
on:                               # Triggers
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:                      # GITHUB_TOKEN permissions
  contents: read
env:                              # Global variables
  NODE_VERSION: 20
jobs:                             # One or more jobs
  build:
    runs-on: ubuntu-latest        # Runner
    steps:
      - uses: actions/checkout@v4 # Reusable action
      - uses: pnpm/action-setup@v4  # setup-node's pnpm cache needs pnpm installed first
                                    # (version is read from package.json "packageManager")
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'pnpm'
      - run: pnpm install         # Shell command
      - run: pnpm test
      - run: pnpm build
```

```yaml
on:
  # Push and PRs
  push:
    branches: [main, 'release/**']
    paths: ['src/**', 'package.json']   # only if these files change
  pull_request:
    types: [opened, synchronize, reopened]
  # Scheduled (cron UTC)
  schedule:
    - cron: '0 6 * * 1'                 # Monday at 6:00 UTC
  # Manual from UI or API
  workflow_dispatch:
    inputs:
      environment:
        description: 'Deploy target'
        required: true
        type: choice
        options: [staging, production]
  # When a release is published
  release:
    types: [published]
  # When another workflow completes
  workflow_run:
    workflows: [CI]
    types: [completed]
```

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm lint
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm test
  # Deploy only if lint and test pass
  deploy:
    needs: [lint, test]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4       # deploy.sh lives in the repository
      - run: ./deploy.sh
```

Test on multiple combinations:
```yaml
jobs:
  test:
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node: [18, 20, 22]
      fail-fast: false              # don't cancel others if one fails
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
      - run: npm test
```

```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production         # environment with protections
    steps:
      - uses: actions/checkout@v4   # deploy.sh lives in the repository
      - run: ./deploy.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
          DEPLOY_URL: ${{ vars.DEPLOY_URL }}
```

Secret levels:
```yaml
- uses: actions/cache@v4
  with:
    path: |
      ~/.pnpm-store
      node_modules
    key: ${{ runner.os }}-pnpm-${{ hashFiles('pnpm-lock.yaml') }}
    restore-keys: |
      ${{ runner.os }}-pnpm-
```

Share files between jobs or download later:
```yaml
- uses: actions/upload-artifact@v4
  with:
    name: build-output
    path: dist/
    retention-days: 7

# In another job:
- uses: actions/download-artifact@v4
  with:
    name: build-output
```

Define workflows other repos can call:
```yaml
# .github/workflows/reusable-deploy.yml
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      deploy_key:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying to ${{ inputs.environment }}"
```

```yaml
# Call from another workflow
jobs:
  deploy:
    uses: org/repo/.github/workflows/reusable-deploy.yml@main
    with:
      environment: production
    secrets:
      deploy_key: ${{ secrets.DEPLOY_KEY }}
```

Create custom actions combining steps:
```yaml
# .github/actions/setup-project/action.yml
name: Setup Project
description: Install dependencies and build
runs:
  using: composite
  steps:
    - uses: pnpm/action-setup@v4   # setup-node's pnpm cache needs pnpm installed first
    - uses: actions/setup-node@v4
      with:
        node-version: 20
        cache: 'pnpm'
    - run: pnpm install --frozen-lockfile
      shell: bash
    - run: pnpm build
      shell: bash
```

```yaml
# Principle of least privilege
permissions:
  contents: read
  pull-requests: write

# Pin actions by SHA (not by tag)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Limit default GITHUB_TOKEN permissions
# Settings → Actions → General → Workflow permissions → Read repository contents
```

| Plan | Minutes/month | Storage |
|---|---|---|
| Free | 2,000 | 500 MB |
| Team | 3,000 | 2 GB |
| Enterprise | 50,000 | 50 GB |
Public repos: unlimited minutes on Linux runners.
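A quick way to hold a workflow file to the rules on this page (pin by SHA, least-privilege `permissions`, set `timeout-minutes`, never echo secrets) is to lint it before it is merged. The script below is an added example written for this page, not GitHub's tooling; it walks the YAML by indentation so it needs no YAML library, which makes it a heuristic rather than a full parser. `SAMPLE_WORKFLOW` is constructed for the example, and the 40-hex value in it is a placeholder, not a real commit.

```python
"""Audit a GitHub Actions workflow for the pitfalls listed on this page.

Rules (all heuristic, no YAML library required):
  unpinned-action  a `uses:` ref that is not a full 40-hex commit SHA
  no-permissions   no top-level `permissions:` block (GITHUB_TOKEN keeps the repo default)
  no-timeout       a job without `timeout-minutes`
  secret-echo      a line that echoes a `${{ secrets.* }}` expression
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
JOB_NAME_RE = re.compile(r"^([A-Za-z_][\w-]*):\s*$")
SECRET_ECHO_RE = re.compile(r"\becho\b.*\$\{\{\s*secrets\.\w+\s*\}\}")


@dataclass
class Finding:
    line: int     # 1-based line number, 0 for file-level findings
    rule: str
    detail: str


def is_pinned_ref(ref: str) -> bool:
    """True if there is nothing to pin (local path, docker image) or the ref is a 40-hex SHA."""
    if "@" not in ref or ref.startswith("docker://"):
        return True
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def _strip_comment(line: str) -> str:
    if line.lstrip().startswith("#"):
        return ""
    return re.split(r"\s#", line, maxsplit=1)[0].rstrip()  # "#" after whitespace starts a comment


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    top_permissions = False
    in_jobs = False
    job_indent = None   # indentation of job names under `jobs:`
    key_indent = None   # indentation of keys directly under the current job
    current = None      # current job name
    jobs: dict[str, dict] = {}

    for n, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key = line.strip()

        if indent == 0:                        # top-level mapping key
            in_jobs = key == "jobs:"
            job_indent = key_indent = current = None
            if key.startswith("permissions:"):
                top_permissions = True
        elif in_jobs:
            if job_indent is None:
                job_indent = indent
            if indent == job_indent:           # a job name
                m = JOB_NAME_RE.match(key)
                current = m.group(1) if m else None
                key_indent = None
                if current:
                    jobs[current] = {"line": n, "timeout": False}
            elif current is not None:
                if key_indent is None:
                    key_indent = indent
                if indent == key_indent and key.startswith("timeout-minutes:"):
                    jobs[current]["timeout"] = True

        m = USES_RE.match(line)
        if m and not is_pinned_ref(m.group(1)):
            findings.append(Finding(n, "unpinned-action",
                                    f"{m.group(1)} is a mutable ref; pin to a full commit SHA"))
        if SECRET_ECHO_RE.search(line):
            findings.append(Finding(n, "secret-echo",
                                    "secret is echoed; log masking is best-effort, not a guarantee"))

    if not top_permissions:
        findings.append(Finding(0, "no-permissions",
                                "no top-level permissions: block; GITHUB_TOKEN keeps the repository default"))
    for name, info in jobs.items():
        if not info["timeout"]:
            findings.append(Finding(info["line"], "no-timeout", f"job '{name}' has no timeout-minutes"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: pnpm test
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup-project
      - run: echo "deploying with ${{ secrets.API_KEY }}"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.rule:<16} {f.detail}")
```

Run against the sample it reports the unpinned `actions/checkout@v4`, the `deploy` job with no `timeout-minutes`, and the step that echoes a secret; a reusable-workflow reference such as `org/repo/.github/workflows/reusable-deploy.yml@main` is flagged the same way as an action tag, since a branch name is just as mutable.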
- `echo $SECRET` exposes secrets. GitHub masks them, but don't trust it blindly.
- `@v4` can change. Pin by SHA for security.
- Set `timeout-minutes`.

GitHub Actions eliminated the need to maintain a separate CI server for most projects. By living alongside the code, workflows are versioned, reviewed in PRs, and executed without external configuration. For open source projects, the free minutes make it the default choice.