Github Actions Templates

1---2name: github-actions-templates3description: Create production-ready GitHub Actions workflows for automated testing, building, and deploying applications. Use when setting up CI/CD with GitHub Actions, automating development workflows, or creating reusable workflow templates.4---5 6# GitHub Actions Templates7 8Production-ready GitHub Actions workflow patterns for testing, building, and deploying applications.9 10## Purpose11 12Create efficient, secure GitHub Actions workflows for continuous integration and deployment across various tech stacks.13 14## When to Use15 16- Automate testing and deployment17- Build Docker images and push to registries18- Deploy to Kubernetes clusters19- Run security scans20- Implement matrix builds for multiple environments21 22## Common Workflow Patterns23 24### Pattern 1: Test Workflow25 26```yaml27name: Test28 29on:30  push:31    branches: [main, develop]32  pull_request:33    branches: [main]34 35jobs:36  test:37    runs-on: ubuntu-latest38 39    strategy:40      matrix:41        node-version: [18.x, 20.x]42 43    steps:44      - uses: actions/checkout@v445 46      - name: Use Node.js ${{ matrix.node-version }}47        uses: actions/setup-node@v448        with:49          node-version: ${{ matrix.node-version }}50          cache: "npm"51 52      - name: Install dependencies53        run: npm ci54 55      - name: Run linter56        run: npm run lint57 58      - name: Run tests59        run: npm test60 61      - name: Upload coverage62        uses: codecov/codecov-action@v363        with:64          files: ./coverage/lcov.info65```66 67**Reference:** See `assets/test-workflow.yml`68 69### Pattern 2: Build and Push Docker Image70 71```yaml72name: Build and Push73 74on:75  push:76    branches: [main]77    tags: ["v*"]78 79env:80  REGISTRY: ghcr.io81  IMAGE_NAME: ${{ github.repository }}82 83jobs:84  build:85    runs-on: ubuntu-latest86    permissions:87      contents: read88      packages: write89 90    steps:91      - uses: actions/checkout@v492 93      - name: Log in to Container Registry94        uses: docker/login-action@v395        with:96          registry: ${{ env.REGISTRY }}97          username: ${{ github.actor }}98          password: ${{ secrets.GITHUB_TOKEN }}99 100      - name: Extract metadata101        id: meta102        uses: docker/metadata-action@v5103        with:104          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}105          tags: |106            type=ref,event=branch107            type=ref,event=pr108            type=semver,pattern={{version}}109            type=semver,pattern={{major}}.{{minor}}110 111      - name: Build and push112        uses: docker/build-push-action@v5113        with:114          context: .115          push: true116          tags: ${{ steps.meta.outputs.tags }}117          labels: ${{ steps.meta.outputs.labels }}118          cache-from: type=gha119          cache-to: type=gha,mode=max120```121 122**Reference:** See `assets/deploy-workflow.yml`123 124### Pattern 3: Deploy to Kubernetes125 126```yaml127name: Deploy to Kubernetes128 129on:130  push:131    branches: [main]132 133jobs:134  deploy:135    runs-on: ubuntu-latest136 137    steps:138      - uses: actions/checkout@v4139 140      - name: Configure AWS credentials141        uses: aws-actions/configure-aws-credentials@v4142        with:143          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}144          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}145          aws-region: us-west-2146 147      - name: Update kubeconfig148        run: |149          aws eks update-kubeconfig --name production-cluster --region us-west-2150 151      - name: Deploy to Kubernetes152        run: |153          kubectl apply -f k8s/154          kubectl rollout status deployment/my-app -n production155          kubectl get services -n production156 157      - name: Verify deployment158        run: |159          kubectl get pods -n production160          kubectl describe deployment my-app -n production161```162 163### Pattern 4: Matrix Build164 165```yaml166name: Matrix Build167 168on: [push, pull_request]169 170jobs:171  build:172    runs-on: ${{ matrix.os }}173 174    strategy:175      matrix:176        os: [ubuntu-latest, macos-latest, windows-latest]177        python-version: ["3.9", "3.10", "3.11", "3.12"]178 179    steps:180      - uses: actions/checkout@v4181 182      - name: Set up Python183        uses: actions/setup-python@v5184        with:185          python-version: ${{ matrix.python-version }}186 187      - name: Install dependencies188        run: |189          python -m pip install --upgrade pip190          pip install -r requirements.txt191 192      - name: Run tests193        run: pytest194```195 196**Reference:** See `assets/matrix-build.yml`197 198## Workflow Best Practices199 2001. **Use specific action versions** (@v4, not @latest)2012. **Cache dependencies** to speed up builds2023. **Use secrets** for sensitive data2034. **Implement status checks** on PRs2045. **Use matrix builds** for multi-version testing2056. **Set appropriate permissions**2067. **Use reusable workflows** for common patterns2078. **Implement approval gates** for production2089. **Add notification steps** for failures20910. **Use self-hosted runners** for sensitive workloads210 211## Reusable Workflows212 213```yaml214# .github/workflows/reusable-test.yml215name: Reusable Test Workflow216 217on:218  workflow_call:219    inputs:220      node-version:221        required: true222        type: string223    secrets:224      NPM_TOKEN:225        required: true226 227jobs:228  test:229    runs-on: ubuntu-latest230    steps:231      - uses: actions/checkout@v4232      - uses: actions/setup-node@v4233        with:234          node-version: ${{ inputs.node-version }}235      - run: npm ci236      - run: npm test237```238 239**Use reusable workflow:**240 241```yaml242jobs:243  call-test:244    uses: ./.github/workflows/reusable-test.yml245    with:246      node-version: "20.x"247    secrets:248      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}249```250 251## Security Scanning252 253```yaml254name: Security Scan255 256on:257  push:258    branches: [main]259  pull_request:260    branches: [main]261 262jobs:263  security:264    runs-on: ubuntu-latest265 266    steps:267      - uses: actions/checkout@v4268 269      - name: Run Trivy vulnerability scanner270        uses: aquasecurity/trivy-action@master271        with:272          scan-type: "fs"273          scan-ref: "."274          format: "sarif"275          output: "trivy-results.sarif"276 277      - name: Upload Trivy results to GitHub Security278        uses: github/codeql-action/upload-sarif@v2279        with:280          sarif_file: "trivy-results.sarif"281 282      - name: Run Snyk Security Scan283        uses: snyk/actions/node@master284        env:285          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}286```287 288## Deployment with Approvals289 290```yaml291name: Deploy to Production292 293on:294  push:295    tags: ["v*"]296 297jobs:298  deploy:299    runs-on: ubuntu-latest300    environment:301      name: production302      url: https://app.example.com303 304    steps:305      - uses: actions/checkout@v4306 307      - name: Deploy application308        run: |309          echo "Deploying to production..."310          # Deployment commands here311 312      - name: Notify Slack313        if: success()314        uses: slackapi/slack-github-action@v1315        with:316          webhook-url: ${{ secrets.SLACK_WEBHOOK }}317          payload: |318            {319              "text": "Deployment to production completed successfully!"320            }321```322 323 324## Related Skills325 326- `gitlab-ci-patterns` - For GitLab CI workflows327- `deployment-pipeline-design` - For pipeline architecture328- `secrets-management` - For secrets handling