// GitHub Actions and CI/CD best practices for automated testing, building, and deployment.
| name | actions-cicd-practices |
| description | GitHub Actions and CI/CD best practices for automated testing, building, and deployment. |
Guide for GitHub Actions and CI/CD workflows covering testing, building, caching, and deployment automation.
This skill activates when:
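name: CI

on:
  push:
    branches: [main]
  # pull_request runs from a fork get a read-only GITHUB_TOKEN and no
  # repository secrets, so this trigger is safe for untrusted contributions.
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN: a test job only needs to read the
# repository. Naming any scope sets every unnamed one to none. Jobs that must
# write (releases, PR comments) raise the single scope they need at job level
# instead of widening this default.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          # Quoted so YAML keeps it a string (an unquoted 3.10 parses as 3.1).
          python-version: '3.14'
      - name: Install dependencies
        run: pip install -e ".[dev]"
      - name: Run tests
        run: pytest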
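jobs:
  test:
    runs-on: ubuntu-latest
    # Read-only token: this job never writes back to the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          # Persists uv's download cache between runs.
          enable-cache: true
      - name: Set up Python
        run: uv python install 3.14
      - name: Install dependencies
        # --locked fails the job when uv.lock is out of date instead of quietly
        # re-resolving to versions nobody reviewed; CI should install exactly
        # what the lockfile pins.
        run: uv sync --locked
      - name: Run tests
        run: uv run pytest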
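jobs:
  test:
    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
    strategy:
      # Keep the other OS/Python cells running when one fails so a single run
      # reports every broken combination.
      fail-fast: false
      matrix:
        os:
          - ubuntu-latest
          - macos-latest
          - windows-latest
        # Quoted: an unquoted 3.10 would become the float 3.1.
        python-version: ['3.14']
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
      - name: Set up Python ${{ matrix.python-version }}
        # Matrix values are defined in this file, so interpolating them into
        # `run:` is safe. Never do the same with event-controlled data such as
        # github.event.pull_request.title -- that is shell injection; pass such
        # values through `env:` and reference the variable instead.
        run: uv python install ${{ matrix.python-version }}
      - name: Install dependencies
        # Fail if uv.lock is stale rather than silently re-resolving.
        run: uv sync --locked
      - name: Run tests
        run: uv run pytest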
- name: Install uv
  uses: astral-sh/setup-uv@v4
  with:
    enable-cache: true
    # Key the cache on the lockfile so it is replaced whenever the pinned
    # dependency set changes, instead of serving a stale cache indefinitely.
    cache-dependency-glob: "uv.lock"
# pip equivalent of setup-uv's enable-cache, for projects not using uv.
- name: Cache dependencies
  uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    # Exact key: runner OS plus a hash of every requirements.txt, so the cache
    # is rebuilt whenever pinned requirements change.
    key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
    # Prefix fallback: on a miss, restore the newest cache for this OS and
    # accept a partially stale one rather than none. Caches saved on the
    # default branch are visible to every branch and PR, so treat restored
    # content as untrusted -- only pip's download cache lives here, and pip
    # still verifies what it installs against the index.
    restore-keys: |
      ${{ runner.os }}-pip-
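jobs:
  # Named "lint" but also runs the type checker and the test suite with
  # coverage; split into separate jobs if they should fail independently.
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true
      - name: Set up Python
        run: uv python install 3.14
      - name: Install dependencies
        # --locked fails the job if uv.lock is out of date instead of quietly
        # re-resolving to versions nobody reviewed.
        run: uv sync --locked
      - name: Lint with ruff
        run: uv run ruff check .
      - name: Type check with basedpyright
        run: uv run basedpyright
      - name: Run tests with coverage
        run: uv run pytest --cov=src --cov-report=xml
      - name: Upload coverage
        # Third-party upload of repository data; pin to a commit SHA in
        # production. Recent codecov-action releases expect
        # `token: ${{ secrets.CODECOV_TOKEN }}` for most repositories -- check
        # the action's README for your repository's visibility.
        uses: codecov/codecov-action@v4
        with:
          files: ./coverage.xml
          # Surface upload failures instead of silently reporting no coverage.
          fail_ci_if_error: true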
# One run per workflow per ref: a new push to the same branch or PR cancels
# the run still in progress, saving runner minutes on superseded commits.
# Do not use cancel-in-progress on deploy workflows -- killing a half-finished
# deployment can leave the target in an inconsistent state.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
on:
  push:
    # Run only when a file under these paths changes. The workflow file itself
    # is listed so edits to the pipeline are exercised. A push that touches
    # nothing listed produces no run at all -- if this workflow is a required
    # status check, such pushes will never satisfy it.
    paths:
      - 'src/**'
      - 'tests/**'
      - 'pyproject.toml'
      - '.github/workflows/ci.yml'
jobs:
  # lint -> test -> build: a job with `needs:` starts only after every job it
  # names has succeeded and is skipped if any of them fails, so a lint failure
  # stops the pipeline before test or build minutes are spent.
  # (Step lists are elided in this example.)
  lint:
    runs-on: ubuntu-latest
    steps: ...
  test:
    needs: lint
    runs-on: ubuntu-latest
    steps: ...
  build:
    needs:
      - lint
      - test
    runs-on: ubuntu-latest
    steps: ...
- name: Deploy
  env:
    # Hand the secret to the script through the environment, never on the
    # command line (argv is visible to other processes on the runner) and
    # never echoed: GitHub masks the exact secret value in logs, not derived
    # or transformed forms of it. Secrets are not provided to pull_request
    # runs from forks, so this step would see an empty value there.
    API_KEY: ${{ secrets.API_KEY }}
  run: ./deploy.sh
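jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to an environment applies that environment's protection
    # rules (required reviewers, deployment-branch restrictions, wait timers)
    # and makes environment-scoped secrets available only to this job.
    environment: production
    permissions:
      contents: read
    steps:
      # The workspace is empty on a fresh runner; the script has to be checked
      # out before it can be executed.
      - uses: actions/checkout@v4
        with:
          # The deploy script never pushes back, so do not leave the token in
          # .git/config where anything it runs could read it.
          persist-credentials: false
      - name: Deploy to production
        run: ./deploy.sh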
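name: Release

on:
  release:
    # Fires only when a release is published, not for drafts.
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Trusted publishing: PyPI verifies a short-lived OIDC token minted for
    # this workflow, so no long-lived API token is stored as a secret.
    # Consider gating the job with a GitHub environment and registering that
    # environment in the PyPI trusted-publisher settings so only protected
    # runs can mint a usable token.
    permissions:
      id-token: write
      # Listing any scope sets the unlisted ones to none; checkout's read
      # access is stated explicitly rather than relied on implicitly.
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing here pushes; keep the token out of .git/config.
          persist-credentials: false
      - name: Install uv
        uses: astral-sh/setup-uv@v4
      - name: Build package
        run: uv build
      - name: Publish to PyPI
        # release/v1 is a moving branch, not an immutable ref. For a release
        # pipeline pin to a commit SHA and keep the version in a trailing
        # comment so Dependabot/Renovate can still propose updates.
        uses: pypa/gh-action-pypi-publish@release/v1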
# .github/workflows/test-reusable.yml
name: Reusable Test

on:
  # Makes this workflow callable from another workflow's `uses:`. It receives
  # only the inputs declared here; secrets are not passed unless the caller
  # provides them explicitly, and its jobs cannot exceed the caller's token
  # permissions.
  workflow_call:
    inputs:
      python-version:
        required: true
        type: string

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # The input lands in an action's `with:` block, not a shell command, so
      # there is no injection surface here. Only the setup step is shown; the
      # test steps are elided in this example.
      - name: Set up Python ${{ inputs.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}
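jobs:
  # Job id now matches the version it passes; the previous id `test-3-11`
  # did not agree with the '3.14' given in `with:`.
  test-3-14:
    # A local path is resolved at the caller's own ref. A reusable workflow in
    # another repository is referenced as
    # owner/repo/.github/workflows/<file>.yml@<ref> and should be pinned to a
    # commit SHA like any other action.
    uses: ./.github/workflows/test-reusable.yml
    with:
      python-version: '3.14'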
# GITHUB_TOKEN scopes for the workflow (or for one job, when nested under a
# job id). Naming any scope sets every unnamed one to none, so this is a
# least-privilege baseline: read the code, write only to pull requests
# (labels, review comments). Prefer granting write scopes on the single job
# that needs them rather than workflow-wide. Runs triggered by pull_request
# from a fork get a read-only token regardless of what is requested here.
permissions:
  contents: read
  pull-requests: write
# Acceptable: a major-version tag. Tags are mutable -- the maintainer, or
# anyone who takes over the publishing account, can move v4 to different
# code, and every run picks up whatever v4 points at that day.
- uses: actions/checkout@v4
# Better: a full commit SHA is immutable, so the code that runs is exactly
# the code that was reviewed. Keep the corresponding tag in a trailing
# comment (e.g. `# v4.x.y`) so Dependabot/Renovate can still track and
# propose updates to the pin.
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
Additional resources: