Github Actions

Last updated on January 23, 2026

GitHub Actions Cheat Sheet

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline. You can create workflows that build and test every pull request to your repository, or deploy merged pull requests to production.

Key Components

Workflow: An automated procedure that you add to your repository. Defined by a YAML file in .github/workflows/.
Event: A specific activity that triggers a workflow run (e.g., push, pull_request, release).
Job: A set of steps that execute on the same runner. Jobs run in parallel by default.
Step: An individual task that can run commands or actions. Steps are executed in order.
Action: A custom application that performs a complex task. Can be written in JavaScript or as a Docker container.

Runner: A server with the GitHub Actions runner application installed. Can be GitHub-hosted or self-hosted.
Artifact: Files created during a workflow that can be shared between jobs or downloaded.
Secret: An encrypted variable stored in your repository, organization, or environment.

Workflow File Structure

#yaml
name: Workflow Name # Name of the workflow
on: [push, pull_request]               # Events that trigger the workflow
env:                                   # Environment variables for all jobs
  NODE_VERSION: '20'
jobs:                                  # Jobs that make up the workflow
  build-job:                           # Unique job identifier
    runs-on: ubuntu-latest             # Runner environment
    steps:                             # Steps that define the job
      - name: Checkout code            # Step name
        uses: actions/checkout@v4      # Action to use
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:                          # Input parameters for the action
          node-version: ${{ env.NODE_VERSION }}
      - name: Run tests
        run: npm test                  # Command to execute


Common Events



Event
Description
Example Configuration


push
Triggered on push to branches/tags
on: push or on: push: branches: [main]


pull_request
Triggered on PR activity
on: pull_request: types: [opened, synchronize]


schedule
Cron-based scheduling
on: schedule: cron: '0 2 * * *'


workflow_dispatch
Manual trigger from UI
on: workflow_dispatch


release
Triggered on release activity
on: release: types: [published]



Jobs and Runners

Runner Types: GitHub provides Ubuntu Linux, Windows, and macOS runners. Self-hosted runners can be configured on custom hardware.
Job Dependencies: Use needs to create dependencies between jobs:
#yaml
jobs:
  build:
    runs-on: ubuntu-latest
  test:
    runs-on: ubuntu-latest
    needs: build  # Waits for build job to complete
  deploy:
    runs-on: ubuntu-latest
    needs: test   # Waits for test job to complete


Matrix Strategy: Run jobs with multiple configurations:



yaml



strategy:
  matrix:
    os: [ubuntu-latest, windows-latest]
    node-version: [18, 20]


Actions and Marketplace

Pre-built Actions: Available in GitHub Marketplace
Common Actions:

actions/checkout@v4: Check out your repository
actions/setup-node@v4: Setup Node.js environment
actions/setup-python@v5: Setup Python environment
actions/cache@v3: Cache dependencies and build outputs
actions/upload-artifact@v4: Upload workflow artifacts
actions/download-artifact@v4: Download workflow artifacts



Environment Variables and Secrets

Default Variables: Automatically available (e.g., GITHUB_REPOSITORY, GITHUB_SHA, GITHUB_REF)
Custom Variables: Define at workflow, job, or step level
Secrets: Store sensitive data; access with ${{ secrets.SECRET_NAME }}
Contexts: Access runtime information with expressions like ${{ github.event_name }}

Artifacts and Caching

Artifacts: Store files between jobs with upload-artifact and download-artifact
Caching: Speed up workflows by caching dependencies:




yaml



- name: Cache node modules
  uses: actions/cache@v3
  with:
    path: ~/.npm
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}



Best Practices

Use Specific Action Versions: Pin to full commit SHA or version tag
Limit Permissions: Use permissions key to restrict token scopes
Clean Up Resources: Use post job steps for cleanup operations
Optimize Workflow Speed: Cache dependencies, use matrix for parallel jobs
Secure Secrets: Never log secrets, use GitHub secrets store

Pricing and Limits

Free Tier: 2,000 minutes/month for private repositories (500MB package storage)
Public Repositories: Unlimited minutes and runners
Self-hosted Runners: Unlimited and free
Concurrent Jobs: Up to 20 jobs on free plans, more on paid plans

Useful Commands




bash



# List workflow runs
gh run list
# View workflow run logs
gh run view <run-id> --log
# Rerun a workflow
gh run rerun <run-id>
# Download workflow artifacts
gh run download <run-id>

References
https://docs.github.com/en/actions
https://github.com/marketplace?type=actions
https://github.com/actions/starter-workflows
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions