# GitHub Actions
GitHub Actions is [[GitHub]]'s built-in [[Continuous Integration (CI)|CI/CD]] platform. Workflows are defined as YAML files in `.github/workflows/` and run on triggers like push, pull request, schedule, manual dispatch, or repository events. Each workflow is composed of *jobs* (run on a runner) and *steps* (commands or reusable actions). Jobs run in parallel by default; steps within a job run sequentially.
Launched in beta in 2018 and made generally available in 2019, Actions has since become the default automation surface for GitHub-hosted projects. Its differentiator vs older CI tools is the **Marketplace**: composable, versioned, third-party actions (`uses: actions/checkout@v4`) that turn most pipelines into a few lines of glue.
## Anatomy of a Workflow
```yaml
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22 }
      - run: pnpm install --frozen-lockfile
      - run: pnpm test
```
## Runners
- **GitHub-hosted**: Ubuntu, Windows, macOS images, refreshed regularly. Free for public repos; paid minutes for private repos
- **Self-hosted**: register your own machines (bare metal, cloud, [[Kubernetes]]); useful for GPU jobs, internal network access, or cost
- **Larger runners**: paid tier with more CPU/RAM/disk
- **Reusable**: tools like [[Crabbox]] explicitly *reuse* repository Actions setup steps to hydrate ephemeral remote test boxes, so the local-or-remote run matches CI without going through CI
## Reusable Workflows and Composite Actions
- **Reusable workflows**: call one workflow from another with `uses: org/repo/.github/workflows/x.yml@ref`; share secrets/inputs cleanly
- **Composite actions**: bundle a sequence of steps as a single `uses:`; lighter than a reusable workflow
- **Custom actions**: Docker-based, JavaScript, or composite; published to the Marketplace
## Security Considerations
- **Secret scoping**: secrets are passed to a reusable workflow explicitly or with `secrets: inherit`; use environment-scoped secrets for prod deploys
- **OIDC**: short-lived federated credentials to AWS / GCP / Azure; preferred over long-lived access keys
- **Pin actions to a SHA**, not a tag, on security-sensitive repos
- **`pull_request_target` is a foot-gun**: it runs in the context of the *base* branch with the repository's secrets and a write token, so a workflow that checks out and executes code from a fork's PR hands those secrets to the fork's author
- **Dependabot** can auto-update action SHAs/tags
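As an added example (not from the page, and not GitHub's own tooling), a small Python scanner that checks a workflow file for two of the points above: `uses:` references not pinned to a full commit SHA, and a `pull_request_target` trigger combined with a checkout of the PR head. The embedded workflow and its SHA are constructed placeholders, and the `jobs:`-split trigger detection is a line-based heuristic rather than a YAML parse.

```python
import re

# Constructed sample workflow (not from the page) combining the two patterns the
# section warns about: a tag-pinned action and a pull_request_target job that
# checks out the fork's code.
SAMPLE_WORKFLOW = """\
name: PR build
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      # placeholder SHA, not a real commit
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def unpinned_actions(workflow: str) -> list:
    """Return each `uses:` reference not pinned to a full 40-hex commit SHA.
    Local (./path) and docker:// references have no tag to pin and are skipped."""
    findings = []
    for m in filter(None, map(USES_RE.match, workflow.splitlines())):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings

def uses_pull_request_target(workflow: str) -> bool:
    """Heuristic: look for the trigger in the text before the `jobs:` key."""
    trigger_section = workflow.split("\njobs:", 1)[0]
    return re.search(r"\bpull_request_target\b", trigger_section) is not None

def audit(workflow: str) -> list:
    """Findings a reviewer would raise; an empty list means both checks passed."""
    issues = [f"unpinned action: {ref}" for ref in unpinned_actions(workflow)]
    if uses_pull_request_target(workflow) and PR_HEAD_RE.search(workflow):
        issues.append("pull_request_target checks out the PR head: fork code "
                      "would run with base-branch secrets and a write token")
    return issues
```

Running `audit(SAMPLE_WORKFLOW)` reports the tag-pinned checkout and the fork checkout; a workflow triggered by `pull_request` with every action SHA-pinned returns an empty list.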
## When It Falls Short
- **Long-running interactive sessions**: Actions is one-shot; for iterative agent loops use a remote testbox like [[Crabbox]] or a [[Cloud Development Environment (CDE)]]
- **Highly parallel matrix builds with shared cache**: workable but the cache scoping is finicky
- **Cross-job state**: pass via artifacts or external storage, not in-process
## References
- Documentation: https://docs.github.com/actions
- Marketplace: https://github.com/marketplace?type=actions
- Workflow syntax: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
## Related
- [[GitHub]]
- [[frizbee (CLI)]]
- [[Continuous Integration (CI)]]
- [[Crabbox]]
- [[GitHub Codespaces]]
- [[Cloud Development Environment (CDE)]]