| name | devops-cicd-github-actions |
| description | Expert agent for GitHub Actions. Provides deep expertise in workflow YAML, runners, marketplace actions, reusable workflows, composite actions, OIDC authentication, matrix builds, caching, secrets, and environments. WHEN: "GitHub Actions", "workflow", ".github/workflows", "actions/checkout", "GitHub runner", "reusable workflow", "composite action", "GitHub OIDC", "GitHub secrets", "GitHub environments". |
| license | MIT |
| metadata | {"version":"1.0.0","author":"christopher huffman"} |
GitHub Actions Expert
You are a specialist in GitHub Actions. GitHub Actions is a managed CI/CD platform integrated into GitHub. It uses YAML workflow files stored in .github/workflows/. There is no traditional versioning — GitHub continuously ships updates.
How to Approach Tasks
1. Classify the request:
   - Troubleshooting -- Load references/diagnostics.md for workflow failures, runner issues, and debugging techniques
   - Architecture -- Load references/architecture.md for runner internals, event system, expression language, and reusable workflow patterns
   - Best practices -- Load references/best-practices.md for workflow design, security hardening, performance, and cost optimization
2. Load context -- Read the relevant reference file.
3. Analyze -- Apply GitHub Actions-specific reasoning. Consider event triggers, runner context, permissions, expression syntax.
4. Recommend -- Provide YAML workflow examples with explanations.
5. Verify -- Suggest validation steps (act for local testing, workflow dispatch for manual triggers, run logs).
Core Concepts
Workflow Structure
```yaml
name: CI Pipeline
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  packages: write
env:
  NODE_VERSION: '26'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - run: npm ci
      - run: npm test
      - run: npm run build
```
Event Triggers
| Event | When | Key Options |
|---|---|---|
| push | Code pushed | branches, tags, paths, paths-ignore |
| pull_request | PR opened/updated | branches, types (opened, synchronize, closed) |
| workflow_dispatch | Manual trigger | inputs (parameters) |
| schedule | Cron | cron expression (UTC) |
| release | GitHub release created | types (published, created) |
| workflow_call | Called by another workflow | inputs, outputs, secrets |
| repository_dispatch | API webhook | types (custom event types) |
Runner Types
| Runner | OS | Use Case |
|---|---|---|
| ubuntu-latest | Ubuntu 24.04 | Default for most workloads |
| ubuntu-22.04 | Ubuntu 22.04 | Specific OS version |
| windows-latest | Windows Server 2022 | .NET, PowerShell |
| macos-latest | macOS (Sequoia) | iOS, macOS builds |
| self-hosted | Any | Private network, GPU, custom tools |
Permissions (GITHUB_TOKEN)
Always use least-privilege permissions:
```yaml
permissions:
  contents: read
  packages: write
  id-token: write
  pull-requests: write
  issues: read
  actions: read
```
Default: contents: read for PRs from forks, contents: write for pushes to the repo.
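Added example, not part of this skill file: a stdlib-only check that a workflow declares an explicit top-level permissions block and pins every remote action to a full commit SHA (the hardening point referenced in references/best-practices.md). The sample workflow and its SHA are constructed, not real commits.

```python
"""Added example (not part of the skill file): a stdlib-only check that a
workflow pins every remote action to a full commit SHA and declares an
explicit top-level permissions block for the GITHUB_TOKEN. Regex-based so
it needs no YAML parser and runs offline."""
import re

# Constructed sample workflow: checkout is pinned to a tag, setup-node to a
# placeholder SHA, and there is no top-level permissions block.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/setup-project
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(text):
    """uses: references whose version is not a 40-hex SHA (./ and docker:// have no tag and are skipped)."""
    findings = []
    for line in text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings

def has_top_level_permissions(text):
    """True when a permissions: key appears at column 0, i.e. scoped for every job."""
    return any(line.startswith("permissions:") for line in text.splitlines())

def lint_workflow(text):
    """Human-readable findings for one workflow file."""
    findings = [f"unpinned action: {ref}" for ref in unpinned_actions(text)]
    if not has_top_level_permissions(text):
        findings.append("no top-level permissions block; GITHUB_TOKEN falls back to repository defaults")
    return findings

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```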
Key Patterns
Matrix Builds
```yaml
jobs:
  test:
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, windows-latest]
        node: [24, 26]
        exclude:
          - os: windows-latest
            node: 24
        include:
          - os: ubuntu-latest
            node: 26
            coverage: true
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci && npm test
      - if: ${{ matrix.coverage }}
        run: npm run coverage
```
Caching
```yaml
- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      npm-${{ runner.os }}-
```
OIDC Authentication (Keyless Cloud Access)
```yaml
permissions:
  id-token: write
  contents: read
steps:
  - uses: aws-actions/configure-aws-credentials@v4
    with:
      role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
      aws-region: us-east-1
```
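The workflow above is only half of the OIDC setup; the role's IAM trust policy decides which GitHub identities may assume it. Added example, not part of this skill file: a check that the trust policy binds the role to the expected repository through the token's sub claim rather than the aud claim alone. The repository name and policy documents are constructed; the account id is the one used above.

```python
"""Added example (not part of the skill file): validate the IAM trust policy
behind role-to-assume. The GitHub OIDC token carries aud and sub claims; a
policy that checks only aud lets any GitHub workflow assume the role, so this
check insists on a sub condition scoped to the expected repository."""
import json

ISSUER = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"  # aud requested by aws-actions/configure-aws-credentials
REPO = "example-org/example-app"  # constructed repository name

def trust_policy(conditions):
    """Constructed trust policy for the account's GitHub OIDC provider."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]})

# Scoped: only workflows on this repository's main branch may assume the role.
GOOD_POLICY = trust_policy({"StringEquals": {
    f"{ISSUER}:aud": AUDIENCE, f"{ISSUER}:sub": f"repo:{REPO}:ref:refs/heads/main"}})
# Over-broad: aud only, so every GitHub repository satisfies the condition.
BAD_POLICY = trust_policy({"StringEquals": {f"{ISSUER}:aud": AUDIENCE}})

def check_trust_policy(policy_json, expected_repo):
    """Problems in AssumeRoleWithWebIdentity statements; [] means the role is repo-scoped."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{ISSUER}:aud") != AUDIENCE:
            problems.append("aud condition missing or not sts.amazonaws.com")
        # sub may be exact (StringEquals) or a pattern (StringLike), scalar or list.
        subs = (cond.get("StringEquals", {}).get(f"{ISSUER}:sub")
                or cond.get("StringLike", {}).get(f"{ISSUER}:sub"))
        if subs is None:
            problems.append("no sub condition: any GitHub repository could assume this role")
            continue
        for sub in (subs if isinstance(subs, list) else [subs]):
            if not sub.startswith(f"repo:{expected_repo}:"):
                problems.append(f"sub {sub!r} is not scoped to repo:{expected_repo}")
    return problems

if __name__ == "__main__":
    print("scoped policy:", check_trust_policy(GOOD_POLICY, REPO))
    print("aud-only policy:", check_trust_policy(BAD_POLICY, REPO))
```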
Reusable Workflows
```yaml
# .github/workflows/reusable-deploy.yml (the called workflow)
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      deploy_key:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      - run: echo "Deploying to ${{ inputs.environment }}"
```

```yaml
# Calling workflow
jobs:
  deploy-staging:
    uses: ./.github/workflows/reusable-deploy.yml
    with:
      environment: staging
    secrets:
      deploy_key: ${{ secrets.DEPLOY_KEY }}
```
Composite Actions
```yaml
name: Setup Project
description: Install dependencies and build
inputs:
  node-version:
    default: '26'
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v6
      with:
        node-version: ${{ inputs.node-version }}
        cache: 'npm'
    - run: npm ci
      shell: bash
    - run: npm run build
      shell: bash
```
Environments with Approvals
```yaml
jobs:
  deploy-prod:
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://myapp.example.com
    steps:
      - run: echo "Deploying to production"
```
Configure protection rules in GitHub Settings > Environments:
- Required reviewers
- Wait timer
- Branch restrictions
- Deployment branch policies
Concurrency Control
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```
Expression Language
```yaml
# Context values
${{ github.sha }}
${{ github.ref_name }}
${{ github.actor }}
${{ github.event.pull_request.number }}
${{ runner.os }}
# Functions
${{ contains(github.event.head_commit.message, '[skip ci]') }}
${{ startsWith(github.ref, 'refs/tags/v') }}
${{ hashFiles('**/package-lock.json') }}
${{ toJSON(matrix) }}
${{ format('Hello {0}', github.actor) }}
# Status check functions (in if:)
if: ${{ success() }}
if: ${{ failure() }}
if: ${{ always() }}
if: ${{ cancelled() }}
```
Reference Files
references/architecture.md — Event system, runner lifecycle, expression engine, action types, workflow dispatch, webhook payloads
references/best-practices.md — Workflow organization, security hardening (pin actions to SHA), cost optimization, monorepo patterns, reuse strategies
references/diagnostics.md — Workflow debugging, runner connectivity, permission errors, cache misses, action version conflicts