ArcLibrary

GitHub Actions

Define CI/CD as `.github/workflows/*.yml` — the most-integrated free CI.

Key Idea

In one line: GitHub Actions binds CI/CD to repository events: push / PR / tag / schedule / manual dispatch all trigger workflows defined in .github/workflows/. Free for public repos; private repos get a monthly minutes quota that depends on the plan. The Marketplace ecosystem is huge, so most setup steps are a single `uses:` line.

A typical workflow#

# .github/workflows/ci.yml
name: CI
on:
  push: { branches: [main] }
  pull_request:
# Workflow-wide default for GITHUB_TOKEN: read-only. A job that needs more
# widens its own permissions below (least privilege per job).
permissions:
  contents: read
# One run per ref: a newer push cancels the run still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v3        # must precede setup-node so `cache: pnpm` works
      - uses: actions/setup-node@v4
        with: { node-version: 20, cache: pnpm }
      - run: pnpm install --frozen-lockfile   # fail rather than silently rewriting the lockfile
      - run: pnpm lint && pnpm typecheck && pnpm test
  build-image:
    needs: test
    if: github.ref == 'refs/heads/main'   # only after a merge to main, never for PRs
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write                     # only this job may push to GHCR
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}   # scoped by the job's permissions block
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          # GHCR image names must be lowercase; lowercase github.repository if your
          # owner or repo name has capitals.
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

Analogy#

GitHub Actions is the muscle of your git repo — push one line and it dispatches a swarm of robots doing QA + packaging + deploys.

Key concepts#

Workflow
One per file in .github/workflows/*.yml; started by the events listed under `on:`.
Job
Group of steps run on one runner. Jobs run in parallel unless ordered with `needs:`.
Step
A shell command (`run:`) or an Action (`uses:`). Actions are reusable bundles from the Marketplace or your own repos; pin third-party ones to a full commit SHA rather than a mutable tag, since a tag can be moved to malicious code.
Runner
GitHub-hosted (`ubuntu-latest`, `windows-latest`, `macos-latest`) or self-hosted.
Secret / Variable
Repo-, org- or environment-level. Secrets are injected as `${{ secrets.X }}` and masked in logs; non-sensitive variables as `${{ vars.X }}`.
Environment
A named deploy target with protection rules (required reviewers, wait timers, deployment branch restrictions) and its own secrets; the usual gate for prod deploys.
Reusable workflow / composite action
Two ways to share steps: a composite action bundles steps into something usable with `uses:` (an action.yml with `runs.using: composite`); a reusable workflow exposes whole jobs through `on: workflow_call`.
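The two sharing mechanisms side by side, as an added example that is not part of the original page. The composite action wraps the pnpm/Node setup steps, the reusable workflow exposes a deploy job, and a release workflow calls it. The `pnpm run deploy` script and the `DEPLOY_TOKEN` secret are assumptions for illustration. The three YAML documents are separate files; their paths are in the leading comments.

```yaml
# .github/actions/setup-pnpm/action.yml
# Composite action: a bundle of STEPS, used with `uses:` from any job.
name: setup-pnpm
description: Install pnpm and Node with dependency caching
inputs:
  node-version:
    default: "20"
runs:
  using: composite
  steps:
    - uses: pnpm/action-setup@v3
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
        cache: pnpm
    - run: pnpm install --frozen-lockfile
      shell: bash   # `run` steps inside a composite action must declare a shell
---
# .github/workflows/reusable-deploy.yml
# Reusable workflow: whole JOBS, called at job level via `on: workflow_call`.
name: reusable-deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      DEPLOY_TOKEN:         # hypothetical secret; callers must pass it explicitly
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}   # protection rules of that environment apply
    steps:
      - uses: actions/checkout@v4            # needed before a local `./` action can be used
      - uses: ./.github/actions/setup-pnpm   # the composite action above
      - run: pnpm run deploy                 # assumed script in package.json
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
---
# .github/workflows/release.yml
# Caller: a job that is nothing but `uses:` pointing at the reusable workflow.
name: release
on:
  push: { tags: ['v*'] }
jobs:
  prod:
    uses: ./.github/workflows/reusable-deploy.yml   # cross-repo form: owner/repo/path@ref
    with:
      environment: prod
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
```

Rule of thumb: a composite action shares a sequence of steps inside one job (setup, install, lint), while a reusable workflow shares whole jobs with their own runner, environment and permissions. Secrets cross into a reusable workflow only when the caller passes them, or opts in to everything with `secrets: inherit`.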

How it flows#

Practical notes#

  • concurrency block: a newer push to the same ref cancels the in-flight run, saving time and money. Apply cancel-in-progress to test/build groups; cancelling a half-finished deploy job is worse than letting it finish.
  • Cache deps: actions/setup-node@v4 has cache: pnpm/npm/yarn; other languages use actions/cache keyed on the lockfile hash.
  • OIDC for cloud deploys replaces long-lived keys. AWS / GCP / Azure all support OIDC trust; the job needs `permissions: id-token: write`, and the cloud-side trust policy should pin the token's `sub` claim (repo, branch or environment) so no other repo's workflow can assume the role.
  • Tighten permissions: the default GITHUB_TOKEN scope depends on repo/org settings (newly created repos default to read-only); declare `permissions:` explicitly, per job, with the least each job needs.
  • Be careful with pull_request_target: it runs in the base repo's context with secrets and a writable token, while the PR itself may come from a fork. Checking out the PR head and running anything from it (install scripts, tests, a Makefile) hands those secrets to the fork. Test untrusted code under plain pull_request, which gets no secrets and a read-only token.
  • Matrix builds: strategy.matrix runs the same job across OSes / versions from one definition.
  • Tiered environment protection: an environments/prod with required reviewers, wait timers and deployment branch restrictions; put prod secrets on the environment, not the repo, so only jobs that pass the gate can read them.
  • Self-hosted runners are for big / private deps or special hardware; never attach a self-hosted runner to a repo that accepts public PRs (a fork PR can run arbitrary code on your machine, and a persistent runner keeps files and credentials between jobs).
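The pull_request_target landmine from the notes above, with the unsafe shape beside two safe ones. This is an added example, not code from the original page; the `NPM_TOKEN` secret is hypothetical, and the labeler config (`.github/labeler.yml`) is assumed to exist on the base branch. The three YAML documents are separate workflow files.

```yaml
# .github/workflows/pr-unsafe.yml   *** DO NOT USE ***
# pull_request_target runs in the BASE repository's context: repository
# secrets are in scope and GITHUB_TOKEN may carry write scopes. Checking out
# the PR head and then executing anything from it runs fork-controlled code
# (package.json lifecycle scripts, the test suite) with those secrets reachable.
name: pr-unsafe
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm test          # executes the fork's package.json scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # hypothetical secret; now stealable by the PR
---
# .github/workflows/pr-test.yml   SAFE: untrusted code, no secrets
# Plain pull_request runs fork PRs sandboxed: no repository secrets, a
# read-only GITHUB_TOKEN, and checkout of the merge commit. Build and test here.
name: pr-test
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# .github/workflows/pr-label.yml   SAFE: privileged trigger, never runs PR code
# pull_request_target is fine when the job touches nothing from the fork.
# actions/labeler reads .github/labeler.yml from the BASE branch and labels the
# PR by changed paths; there is no checkout of the PR head at all.
name: pr-label
on: pull_request_target
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
```

When the privileged half needs the untrusted half's output (a coverage report to post as a comment, for instance), keep the split and bridge it with an artifact: pr-test uploads it, and a `workflow_run`-triggered workflow downloads and treats it as untrusted data, still without checking out or executing the PR's code.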
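The deploy-side notes above (matrix tests, environment gate, OIDC instead of stored keys) combined into one workflow, as an added example that is not from the original page. The IAM role ARN, AWS region, bucket name and the `prod` environment are assumptions for illustration; the AWS action and its inputs are real.

```yaml
# .github/workflows/deploy.yml (added example)
name: deploy
on:
  push: { branches: [main] }
permissions:
  contents: read            # workflow-wide default; jobs widen only what they need
jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false      # report every failing combination, not just the first
      matrix:
        os: [ubuntu-latest, windows-latest]
        node: [18, 20]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
          cache: npm
      - run: npm ci && npm test
  deploy:
    needs: test             # all four matrix legs must pass first
    runs-on: ubuntu-latest
    environment: prod       # required reviewers / wait timer / branch rules apply here
    permissions:
      contents: read
      id-token: write       # allows this job to request an OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # No stored AWS keys: the job presents GitHub's OIDC token and receives
          # short-lived credentials. The role's trust policy should restrict the
          # token's `sub` claim, e.g. repo:octo-org/octo-app:environment:prod,
          # so only this repo's prod-environment jobs can assume it.
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy   # assumed ARN
          aws-region: us-east-1                                        # assumed region
      - run: aws s3 sync ./dist s3://example-bucket/                   # assumed bucket
```

Two details carry the security value: `id-token: write` is granted only to the deploy job, and the environment name is part of the OIDC `sub` claim, so a workflow on a feature branch that skips the `prod` gate presents a different `sub` and the role assumption fails on the AWS side.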

Easy confusions#

GitHub Actions
Deeply integrated with GitHub; generous free tier, free for public repos.
GitLab CI / CircleCI / Drone
GitLab-native / cross-platform SaaS / self-hosted, respectively. Different ecosystems and pricing, and each has its own YAML dialect, so workflows do not port across them directly.

Further reading#