GitHub Actions Templates
When to Use
- CI/CD pipeline setup for any stack
- Automated testing with matrix builds
- Docker image builds and registry pushes
- Security vulnerability scanning
- Reusable workflow patterns for monorepos
- Deployment pipelines with approval gates
When NOT to Use
- GitLab CI, CircleCI, or Jenkins pipelines (different syntax and runners)
- Simple scripts that run locally without CI benefit
- One-off manual deployments (use
ghCLI instead) - Infrastructure provisioning (use Terraform/Pulumi, not GHA)
Quick Decision Tree
| Need | Pattern | Reference |
|---|---|---|
| Run tests on push/PR | Test workflow | references/test-workflow.yml |
| Build and push Docker image | Docker build | references/deploy-workflow.yml |
| Test across OS/versions | Matrix build | references/matrix-build.yml |
| Scan for vulnerabilities | Security scan | references/security-scan.yml |
| Share logic across repos | Reusable workflows | references/common-workflows.md |
| Deploy with approval gates | Deployment pipeline | references/common-workflows.md |
| Notify team on success/failure | Slack notifications | references/common-workflows.md |
| Selective monorepo builds | Path filters + Turbo | references/common-workflows.md |
| Adapt templates to your stack | Stack-specific changes | references/adaptation-guide.md |
| Avoid common mistakes | Anti-patterns | references/anti-patterns.md |
Read the matching reference file, then adapt it using references/adaptation-guide.md for the user's stack.
Core Patterns
1. Test Workflow
Runs lint, tests, and coverage on push and PR. Default: Node.js with npm.
Full template with adaptation comments: references/test-workflow.yml
2. Docker Build and Push
Builds a Docker image, tags with semver metadata, pushes to GHCR. Uses layer caching.
Full template with registry switching comments: references/deploy-workflow.yml
3. Matrix Build
Tests across multiple OS and language versions. Default: Python cross-platform.
Full template with Bun/Go/Rust/Node adaptation: references/matrix-build.yml
4. Security Scanning
Runs Trivy filesystem scan and Snyk dependency check. Uploads results to GitHub Security tab.
Full template with weekly schedule and Snyk: references/security-scan.yml
5. Reusable Workflows
Share workflow logic across repositories with workflow_call trigger.
Caller: .github/workflows/ci.yml
jobs: test: uses: ./.github/workflows/reusable-test.yml with: node-version: "22.x"
</example>
Full caller/callee examples: `references/common-workflows.md`
### 6. Monorepo Orchestration
Path filters trigger only affected packages. Turbo runs selective tasks.
<example>
```yaml
on:
push:
paths: ['packages/api/**', 'packages/shared/**']
jobs:
test:
steps:
- uses: oven-sh/setup-bun@v2
- run: bun install
- run: bun turbo test --filter=...[origin/main]
Full monorepo patterns with Bun + Turbo: references/common-workflows.md
Do / Don't / Why
| Do | Don't | Why |
|---|---|---|
Pin actions to @vN | Use @latest or @master | Supply chain risk and random breakage |
Set minimum permissions | Omit the permissions block | Default token has write-all access |
| Cache dependencies | Install fresh every run | 2-5x slower builds, wasted bandwidth |
Use secrets for credentials | Hardcode tokens in YAML | Exposed in git history forever |
| Scope triggers to main + PR | Trigger on push to all branches | Wastes CI minutes on feature branches |
| Use reusable workflows | Copy-paste between repos | Drift, inconsistency, maintenance burden |
Use vars for environment config | Hardcode regions and cluster names | Breaks portability between environments |
Set fail-fast: false in matrix | Leave default fail-fast: true | One failure hides others in the matrix |
See references/anti-patterns.md for detailed before/after examples of each mistake.
Feedback Loops
Deployment Verification
- Run health check after deploy:
curl -f $APP_URL/health - On failure: roll back (
kubectl rollout undoor SST rollback) - Notify team via Slack on success or failure
- Block next deploy until current one passes
Test Verification
- Fail the workflow if coverage drops below threshold
- Upload test artifacts on failure for debugging
- Require all matrix combinations to pass (set
fail-fast: false)
Version Currency
Action versions in reference files are current as of February 2026. Check for updates:
gh api repos/OWNER/REPO/releases/latest --jq '.tag_name'
Adaptation Workflow
When generating a workflow for the user:
- Read the matching reference file from the decision tree above
- Read
references/adaptation-guide.mdfor the user's tech stack - Apply the adaptation changes (package manager, test runner, registry)
- Remove unused
# ADAPT:comments from the final output - Verify all action versions match the reference files
References
references/test-workflow.yml— Test workflow with CI stepsreferences/deploy-workflow.yml— Docker build-and-push to GHCRreferences/matrix-build.yml— Cross-platform matrix buildreferences/security-scan.yml— Trivy + Snyk security scanningreferences/common-workflows.md— Reusable workflows, approvals, Slack, monoreporeferences/anti-patterns.md— 8 common mistakes with fixesreferences/adaptation-guide.md— Per-stack customisation (Bun, Node, Python, Go, Docker registries)