Jobs and Runners

• Runner Types: GitHub provides managed virtual machines for Ubuntu Linux, Windows, and macOS. You can also deploy self-hosted runners on your own infrastructure, which can be physical machines, virtual machines, or containers. Self-hosted runners allow you to use custom operating systems, hardware specifications (like GPU), and software, and are required to run workflows in private, on-premises, or air-gapped networks.
• Job Dependencies: Use the needs keyword to declare that a job must wait for the successful completion of other jobs before it begins. This creates explicit dependencies and allows you to model a directed acyclic graph (DAG) for your workflow, enabling sequences like build -> test -> deploy. A job with no needs clause runs in parallel with other independent jobs at the start.
• Matrix Strategy: Defined under strategy, a matrix lets you create multiple job runs by substituting variables. For example, you can test your code against different versions of a language ([node-14, node-16, node-18]) and operating systems ([ubuntu-latest, windows-latest]) in a single job definition. Each combination runs in a separate, parallel instance, and you can reference each variable in the job using ${{ matrix.variable-name }}.

Actions and Marketplace

• Pre-built Actions: Available in GitHub Marketplace

• Common Actions:

  • actions/checkout@v4: Check out your repository

  • actions/setup-node@v4: Setup Node.js environment

  • actions/setup-python@v5: Setup Python environment

  • actions/cache@v3: Cache dependencies and build outputs

  • actions/upload-artifact@v4: Upload workflow artifacts

  • actions/download-artifact@v4: Download workflow artifacts

Environment Variables and Secrets

• Default Variables:
  • GitHub automatically sets default environment variables (like GITHUB_REPOSITORY, GITHUB_SHA, GITHUB_REF) for every workflow run. These are part of the github context and provide immutable metadata about the run, such as the repository name, the exact commit hash that triggered it, and the branch or tag name.\
• Custom Variables:
  • You can define your own non-sensitive variables at the workflow, job, or step level using the env key. This is useful for static configuration values. Variables defined at a lower level override those defined at a higher level (step > job > workflow).
• Secrets:
  • These are encrypted variables you create in your repository, organization, or environment settings. They are used to store sensitive data like API tokens, passwords, or signing certificates. Secrets are not passed to workflows triggered by pull requests from forks for security, and they cannot be read or printed in plain text in workflow logs. Access them using the secrets context: ${{ secrets.AZURE_KEY }}.
• Contexts:
  • Contexts are objects containing information accessible during a workflow run. You use expression syntax (${{ }}) to access them. Key contexts include github (event payload, actor, SHA), job (status of the current job), steps (outputs from previous steps), and runner (OS, name of runner). For example, ${{ github.event.issue.title }} gets the title of an issue that triggered the workflow.
•  

Artifacts and Caching

• Artifacts:
  • Artifacts are files produced during a workflow run that you want to persist after the job ends. Use the upload-artifact action to save files from a job to cloud storage linked to that workflow run. You can then use the download-artifact action in a later job within the same workflow run to retrieve those files. This is essential for passing build outputs, logs, or test results between jobs (e.g., from a build job to a deployment job). Artifacts are also available for manual download from the workflow run’s summary page for a default retention period.
• Caching:
  • The cache action is used to save and restore directories containing dependency files (like node_modules, ~/.gradle/caches, ~/.nuget/packages). By creating a cache with a key (often based on a lockfile hash), subsequent workflow runs can restore these directories, avoiding the time-consuming process of re-downloading all dependencies. This dramatically reduces workflow execution time. Caches are scoped to the branch and have an upper storage limit, with least-recently-used (LRU) eviction.

Best Practices

• Use Specific Action Versions: For security, stability, and reproducibility, pin actions to a full length commit SHA. If using a version tag, prefer a major version (e.g., actions/checkout@v4) over a default branch (@main). Pinning to a SHA guarantees you are using an immutable action, protecting you from a bad actor pushing malicious code to a tag.
• Limit Permissions: The default GITHUB_TOKEN granted to workflows has broad permissions. Use the permissions key at the workflow or job level to explicitly set the minimum access required (e.g., contents: read, packages: write). This follows the principle of least privilege and is a critical security hardening step to limit the potential damage from a compromised workflow.
• Clean Up Resources: Use the if: always() conditional on a specific step within the main steps: block to ensure cleanup operations (like stopping services or removing containers) run even if previous steps have failed. This is the correct, documented approach for workflows.
• Optimize Workflow Speed: Implement dependency caching as described. Use the matrix strategy to run compatible tasks in parallel instead of sequentially. For monorepos, consider using paths filters on triggers to run workflows only when code in relevant directories changes.
• Secure Secrets: Never log, echo, or print secrets in workflow commands. Access them only through the ${{ secrets.NAME }} syntax. Regularly audit and rotate secrets. For self-hosted runners, be aware that secrets are passed to the runner machine; you must therefore fully trust the machine’s security and its administrators.
•  

Pricing and Limits

• Free Tier: 2,000 minutes/month for private repositories (500MB package storage)



• Public Repositories: Unlimited minutes and runners

• Self-hosted Runners: Unlimited and free

• Concurrent Jobs: Up to 20 jobs on free plans, more on paid plans