| name | github-actions |
| version | 1.0.0 |
| description | GitHub Actions workflow design, secure permissions, pnpm/Node CI, caching, matrix builds, OIDC deploys, artifacts, reusable workflows, and action hardening. |
| author | skillregistry |
| license | MIT |
| agents | ["cursor","copilot"] |
| categories | ["devops"] |
| tags | ["github-actions","ci","oidc"] |
GitHub Actions
Write workflows that are deterministic, least-privileged, and safe for pull requests. Treat workflow YAML as production code.
Workflow
- Choose events deliberately:
pull_request for validation, push to protected branches for publish/deploy.
- Set explicit
permissions at workflow or job level.
- Install with lockfile enforcement.
- Cache package manager store, not secrets or generated artifacts with sensitive content.
- Upload reports/artifacts with retention limits.
- Use environment protection and OIDC for deploys.
Node/pnpm CI
name: ci
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [20, 22]
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: pnpm
- run: pnpm install --frozen-lockfile
- run: pnpm typecheck
- run: pnpm test -- --run
- run: pnpm build
Deploy Rules
permissions:
contents: read
id-token: write
environment: production
- Use cloud OIDC federation instead of stored cloud credentials.
- Never expose secrets to
pull_request_target code from forks.
- Pin high-risk third-party actions to commit SHA when policy requires it.
- Restrict deploy jobs to protected branches and environments.
Verification
gh workflow run ci.yml
gh run list --workflow ci.yml
gh run view --log
Resources
Principles
- Default workflow permissions are too broad unless set explicitly.
- Fork PRs are untrusted.
- CI should be reproducible from the lockfile.
- Deploys need environment gates.
- Logs are public enough to treat secrets as compromised if printed.