메뉴
GitHub Actions CI/CD best practices — workflow structure, jobs, steps, security, caching, matrix strategies, testing, deployment strategies, rollback, and troubleshooting. Use when creating or reviewing GitHub Actions workflows.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | github-actions |
| description | GitHub Actions CI/CD best practices — workflow structure, jobs, steps, security, caching, matrix strategies, testing, deployment strategies, rollback, and troubleshooting. Use when creating or reviewing GitHub Actions workflows. |
Build robust, secure, and efficient CI/CD pipelines using GitHub Actions.
| Topic | Reference |
|---|---|
| Security | Secrets, OIDC, least privilege, SAST, SCA, secret scanning |
| Optimization | Caching, matrix strategies, self-hosted runners, artifacts |
| Testing | Unit, integration, E2E, performance, test reporting |
| Deployment | Staging, production, blue/green, canary, rollback |
| Review Checklist | Comprehensive workflow review checklist |
| Troubleshooting | Common issues and fixes |
Naming: Use descriptive file names (build-and-test.yml, deploy-prod.yml).
Triggers (on): push, pull_request, workflow_dispatch (manual), schedule (cron), repository_dispatch (external), workflow_call (reusable).
Concurrency: Prevent simultaneous runs for specific branches/groups:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
Permissions: Define at workflow level, override at job level. Default to least privilege:
permissions:
contents: read
Reusable workflows: Use workflow_call to abstract common CI/CD patterns across projects.
needs for dependencies between jobsoutputs to pass data between jobsif for conditional executionjobs:
build:
runs-on: ubuntu-latest
outputs:
artifact_path: ${{ steps.package.outputs.path }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 18
- run: npm ci && npm run build
- id: package
run: |
zip -r dist.zip dist
echo "path=dist.zip" >> "$GITHUB_OUTPUT"
- uses: actions/upload-artifact@v3
with:
name: app-build
path: dist.zip
deploy-staging:
needs: build
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: staging
steps:
- uses: actions/download-artifact@v3
with:
name: app-build
- run: echo "Deploying ${{ needs.build.outputs.artifact_path }}"
@v4). Never use main or latest.name for log readability.| for complex commands, combine with && for efficiency.actions/ org. Use Dependabot for version updates.env:
API_KEY: ${{ secrets.API_KEY }}
Never hardcode secrets. Use environment-specific secrets for deployment.
Use short-lived credentials instead of stored access keys:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::role/deploy
aws-region: us-east-1
- uses: actions/cache@v3
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: ${{ runner.os }}-node-
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest]
node-version: [18.x, 20.x]
- uses: actions/checkout@v4
with:
fetch-depth: 1 # Shallow clone for speed
| Strategy | When to use |
|---|---|
| Rolling | Default, stateless apps. Configure maxSurge/maxUnavailable |
| Blue/Green | Zero-downtime, instant rollback. Two identical environments |
| Canary | Controlled blast radius. Route 5-10% traffic to new version |
| Dark Launch | Decouple deploy from release. Feature flags control exposure |
Common issues: workflow not triggering (check on triggers, if conditions, concurrency), permission errors (check permissions block, secret access), cache misses (validate keys with hashFiles), long runtimes (profile steps, add caching, parallelize with matrix).
See Troubleshooting for detailed fixes.
Guide for working with AGENTS.md — the open standard for AI coding agent configuration. Use when creating, updating, or optimizing AGENTS.md files, or when onboarding a project to multi-agent workflows.
Better Auth integration expert for TypeScript authentication — server config, client setup, database adapters, OAuth providers, plugins (2FA, organizations), session management, and security hardening. Use when adding auth to a project, configuring Better Auth, implementing login/signup flows, setting up OAuth, enabling 2FA, or securing auth endpoints.
Domain-Driven Design with Clean Architecture — framework-agnostic patterns for entities, value objects, aggregates, use cases, and the dependency rule. Use PROACTIVELY when designing domain models, implementing bounded contexts, structuring layered architectures, separating business logic from infrastructure, or applying DDD tactical patterns in any language or framework.
Workflow orchestration for backend projects (API routes, services, models). Structured phases — Plan, Code, Review, Test — with memory-bank integration for session continuity.
Workflow orchestration for CLI projects (commander, yargs, oclif). Structured phases — Plan, Code, Review, Test — with memory-bank integration for session continuity.
Workflow orchestration for frontend projects (React, Vue, Svelte, components, CSS). Structured phases — Plan, Design, Code, Review, Test — with memory-bank integration for session continuity.