Workflow Development Skill
Design, debug, and optimize GitHub Actions workflows with security best practices.
Trigger Phrases
- "create a CI workflow"
- "add a release workflow"
- "my workflow is failing"
- "make this workflow reusable"
- "workflow security audit"
- "add [language] CI"
Security Requirements (Non-Negotiable)
SHA Pinning
# CORRECT
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
# WRONG - Never use tags
- uses: actions/checkout@v4
Minimal Permissions
permissions:
contents: read # Start with minimum
# Only add what's needed:
# pull-requests: write # For PR comments
# packages: write # For container registry
Reusable Workflow Pattern
Caller (in project)
name: CI
on: [push, pull_request]
jobs:
ci:
uses: epicpast/.github/.github/workflows/reusable-ci-python.yml@main
with:
python-version: '3.12'
coverage-threshold: 80
secrets: inherit
Reusable Definition (in .github repo)
name: Reusable Python CI
on:
workflow_call:
inputs:
python-version:
required: false
type: string
default: '3.12'
coverage-threshold:
required: false
type: number
default: 80
permissions:
contents: read
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
- uses: epicpast/.github/actions/setup-python-uv@main
with:
python-version: ${{ inputs.python-version }}
- run: uv run ruff check .
Available Reusable Workflows
| Workflow | Purpose |
|---|
reusable-ci-python.yml | Python with uv, ruff, pyright, pytest |
reusable-ci-typescript.yml | TypeScript with pnpm, ESLint, Vitest |
reusable-ci-go.yml | Go with golangci-lint |
reusable-release.yml | Semantic release |
reusable-security.yml | Gitleaks + dependency scanning |
Composite Action Pattern
# action.yml
name: 'Setup Python with uv'
description: 'Install Python and uv with caching'
inputs:
python-version:
required: false
default: '3.12'
runs:
using: 'composite'
steps:
- uses: astral-sh/setup-uv@v4
with:
enable-cache: true
- shell: bash
run: uv python install ${{ inputs.python-version }}
Debugging Workflows
Common Failures
| Error | Cause | Fix |
|---|
| "Resource not accessible" | Missing permission | Add to permissions: |
| Cache never hits | Wrong key | Check hashFiles path |
| Secrets unavailable | Wrong context | Use secrets: inherit |
| Workflow not triggered | Event mismatch | Check on: config |
Debug Step
- name: Debug
run: |
echo "Event: ${{ github.event_name }}"
echo "Ref: ${{ github.ref }}"
echo "Actor: ${{ github.actor }}"
Performance Optimization
Caching
- uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f
with:
path: ~/.cache/uv
key: ${{ runner.os }}-uv-${{ hashFiles('uv.lock') }}
Matrix Builds
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest]
python: ['3.11', '3.12']
Concurrency
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
