334 lines
7.1 KiB
Markdown
334 lines
7.1 KiB
Markdown
---
|
|
name: github-actions-templates
|
|
description: Create production-ready GitHub Actions workflows for automated testing, building, and deploying applications. Use when setting up CI/CD with GitHub Actions, automating development workflows, or creating reusable workflow templates.
|
|
---
|
|
|
|
# GitHub Actions Templates
|
|
|
|
Production-ready GitHub Actions workflow patterns for testing, building, and deploying applications.
|
|
|
|
## Purpose
|
|
|
|
Create efficient, secure GitHub Actions workflows for continuous integration and deployment across various tech stacks.
|
|
|
|
## When to Use
|
|
|
|
- Automate testing and deployment
|
|
- Build Docker images and push to registries
|
|
- Deploy to Kubernetes clusters
|
|
- Run security scans
|
|
- Implement matrix builds for multiple environments
|
|
|
|
## Common Workflow Patterns
|
|
|
|
### Pattern 1: Test Workflow
|
|
|
|
```yaml
|
|
name: Test
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
|
|
strategy:
|
|
matrix:
|
|
node-version: [18.x, 20.x]
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Use Node.js ${{ matrix.node-version }}
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: ${{ matrix.node-version }}
|
|
cache: 'npm'
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Run linter
|
|
run: npm run lint
|
|
|
|
- name: Run tests
|
|
run: npm test
|
|
|
|
- name: Upload coverage
|
|
uses: codecov/codecov-action@v3
|
|
with:
|
|
files: ./coverage/lcov.info
|
|
```
|
|
|
|
**Reference:** See `assets/test-workflow.yml`
|
|
|
|
### Pattern 2: Build and Push Docker Image
|
|
|
|
```yaml
|
|
name: Build and Push
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
tags: [ 'v*' ]
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Log in to Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=semver,pattern={{version}}
|
|
type=semver,pattern={{major}}.{{minor}}
|
|
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
```
|
|
|
|
**Reference:** See `assets/deploy-workflow.yml`
|
|
|
|
### Pattern 3: Deploy to Kubernetes
|
|
|
|
```yaml
|
|
name: Deploy to Kubernetes
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Configure AWS credentials
|
|
uses: aws-actions/configure-aws-credentials@v4
|
|
with:
|
|
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
|
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
|
aws-region: us-west-2
|
|
|
|
- name: Update kubeconfig
|
|
run: |
|
|
aws eks update-kubeconfig --name production-cluster --region us-west-2
|
|
|
|
- name: Deploy to Kubernetes
|
|
run: |
|
|
kubectl apply -f k8s/
|
|
kubectl rollout status deployment/my-app -n production
|
|
kubectl get services -n production
|
|
|
|
- name: Verify deployment
|
|
run: |
|
|
kubectl get pods -n production
|
|
kubectl describe deployment my-app -n production
|
|
```
|
|
|
|
### Pattern 4: Matrix Build
|
|
|
|
```yaml
|
|
name: Matrix Build
|
|
|
|
on: [push, pull_request]
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ${{ matrix.os }}
|
|
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest, windows-latest]
|
|
python-version: ['3.9', '3.10', '3.11', '3.12']
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
|
|
- name: Run tests
|
|
run: pytest
|
|
```
|
|
|
|
**Reference:** See `assets/matrix-build.yml`
|
|
|
|
## Workflow Best Practices
|
|
|
|
1. **Use specific action versions** (@v4, not @latest)
|
|
2. **Cache dependencies** to speed up builds
|
|
3. **Use secrets** for sensitive data
|
|
4. **Implement status checks** on PRs
|
|
5. **Use matrix builds** for multi-version testing
|
|
6. **Set appropriate permissions**
|
|
7. **Use reusable workflows** for common patterns
|
|
8. **Implement approval gates** for production
|
|
9. **Add notification steps** for failures
|
|
10. **Use self-hosted runners** for sensitive workloads
|
|
|
|
## Reusable Workflows
|
|
|
|
```yaml
|
|
# .github/workflows/reusable-test.yml
|
|
name: Reusable Test Workflow
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
node-version:
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
NPM_TOKEN:
|
|
required: true
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: ${{ inputs.node-version }}
|
|
- run: npm ci
|
|
- run: npm test
|
|
```
|
|
|
|
**Use reusable workflow:**
|
|
```yaml
|
|
jobs:
|
|
call-test:
|
|
uses: ./.github/workflows/reusable-test.yml
|
|
with:
|
|
node-version: '20.x'
|
|
secrets:
|
|
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
```
|
|
|
|
## Security Scanning
|
|
|
|
```yaml
|
|
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
jobs:
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
|
|
- name: Upload Trivy results to GitHub Security
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
- name: Run Snyk Security Scan
|
|
uses: snyk/actions/node@master
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
```
|
|
|
|
## Deployment with Approvals
|
|
|
|
```yaml
|
|
name: Deploy to Production
|
|
|
|
on:
|
|
push:
|
|
tags: [ 'v*' ]
|
|
|
|
jobs:
|
|
deploy:
|
|
runs-on: ubuntu-latest
|
|
environment:
|
|
name: production
|
|
url: https://app.example.com
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Deploy application
|
|
run: |
|
|
echo "Deploying to production..."
|
|
# Deployment commands here
|
|
|
|
- name: Notify Slack
|
|
if: success()
|
|
uses: slackapi/slack-github-action@v1
|
|
with:
|
|
webhook-url: ${{ secrets.SLACK_WEBHOOK }}
|
|
payload: |
|
|
{
|
|
"text": "Deployment to production completed successfully!"
|
|
}
|
|
```
|
|
|
|
## Reference Files
|
|
|
|
- `assets/test-workflow.yml` - Testing workflow template
|
|
- `assets/deploy-workflow.yml` - Deployment workflow template
|
|
- `assets/matrix-build.yml` - Matrix build template
|
|
- `references/common-workflows.md` - Common workflow patterns
|
|
|
|
## Related Skills
|
|
|
|
- `gitlab-ci-patterns` - For GitLab CI workflows
|
|
- `deployment-pipeline-design` - For pipeline architecture
|
|
- `secrets-management` - For secrets handling
|