GitHub Actions is the built-in CI/CD and automation platform for GitHub repositories. With a YAML file in your repository, you can automatically run tests on every pull request, build and push Docker images on merge, deploy to production on a tag, or run any script on a schedule.
Key Concepts
| Concept | Description |
|---|---|
| Workflow | A YAML file in .github/workflows/. Defines what to run and when. |
| Event (trigger) | What causes the workflow to run: push, pull_request, schedule, workflow_dispatch. |
| Job | A set of steps that run on the same runner. Jobs run in parallel by default. |
| Step | An individual task within a job — either a shell command (run) or an Action (uses). |
| Action | A reusable unit of work. Published to the GitHub Marketplace. |
| Runner | The machine that executes the job. GitHub provides hosted runners (Ubuntu, Windows, macOS). |
Your First Workflow — CI for a Node.js Project
```yaml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"

      - name: Install dependencies
        run: npm ci

      - name: Run linter
        run: npm run lint

      - name: Run tests
        run: npm test
```
Save this as .github/workflows/ci.yml. Every push to main or PR targeting main will now automatically run your lint and test suite.
Triggers (on:)
```yaml
# Run on push to main or any release/* branch
on:
  push:
    branches: [main, "release/*"]
```

```yaml
# Run on any PR targeting main
on:
  pull_request:
    branches: [main]
```

```yaml
# Run every day at 06:00 UTC
on:
  schedule:
    - cron: "0 6 * * *"
```

```yaml
# Allow manual trigger from the GitHub UI
on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment"
        required: true
        default: "staging"
```
Secrets and Environment Variables
Store sensitive values in GitHub repository secrets (Settings → Secrets and variables → Actions). Access them in workflows via the secrets context:
```yaml
- name: Deploy to production
  env:
    API_KEY: ${{ secrets.DEPLOY_API_KEY }}
  run: ./scripts/deploy.sh
```
Secrets are masked in logs — GitHub replaces them with `***`. Never print secrets with `echo` or store them in environment variables that get logged.
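Log masking only covers exact matches of the secret value, so it is worth checking workflows for steps that print or inline secrets before they are merged. The following is an added example, not code from the original lesson: a line-based check that flags `run:` lines which echo a secret-backed environment variable or interpolate `${{ secrets.* }}` directly into the shell command. The function names and the sample steps are constructed for illustration.

```python
import re

SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
ENV_FROM_SECRET = re.compile(r"^\s*(\w+):\s*\$\{\{\s*secrets\.\w+\s*\}\}\s*$", re.M)
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
PRINTS = re.compile(r"\b(?:echo|printf)\b")

def run_lines(text):
    """Yield (line_no, shell_text) for each line of every run: step."""
    key_col = None  # column of the run: key while inside a block scalar
    for no, line in enumerate(text.splitlines(), 1):
        if key_col is not None:
            if not line.strip() or len(line) - len(line.lstrip()) > key_col:
                yield no, line.strip()
                continue
            key_col = None  # a dedent ends the block scalar
        m = RUN_KEY.match(line)
        if m and m.group(2).rstrip("+-") in ("|", ">"):
            key_col = len(m.group(1))
        elif m:
            yield no, m.group(2)

def find_secret_leaks(text):
    """Return [(line_no, reason)]. Env names are matched file-wide, not per step."""
    secret_vars = sorted(set(ENV_FROM_SECRET.findall(text)))
    findings = []
    for no, cmd in run_lines(text):
        if SECRET_EXPR.search(cmd):
            findings.append((no, "secret interpolated into shell command"))
        elif PRINTS.search(cmd):
            for var in secret_vars:
                if re.search(r"\$\{?" + var + r"\b", cmd):
                    findings.append((no, f"prints secret-backed variable {var}"))
    return findings

# Constructed sample list of steps, not from the original page.
SAMPLE = """\
- name: Debug
  env:
    API_KEY: ${{ secrets.DEPLOY_API_KEY }}
  run: |
    echo "key is $API_KEY"
    ./scripts/deploy.sh
- run: ./scripts/deploy.sh "${{ secrets.DEPLOY_API_KEY }}"
- run: echo "done"
"""

if __name__ == "__main__":
    print(find_secret_leaks(SAMPLE))
```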
Job Dependencies
By default jobs run in parallel. Use needs to create a dependency chain:
```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    steps: [...]

  build:
    needs: test
    runs-on: ubuntu-latest
    steps: [...]

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps: [...]
```
Popular Actions from the Marketplace
| Action | Purpose |
|---|---|
| actions/checkout | Clone the repository into the runner |
| actions/setup-node | Install a specific Node.js version with optional caching |
| actions/setup-python | Install a Python version |
| docker/build-push-action | Build and push Docker images to a registry |
| aws-actions/configure-aws-credentials | Configure AWS credentials for deployment steps |
| github/codeql-action | Run CodeQL static analysis for security scanning |
GitHub Actions is covered in more depth in the DevOps and SRE Fundamentals course — this lesson gives you the foundation to understand CI/CD pipelines in a GitHub context.