GitHub Actions brings CI/CD directly into your repository. Every push, PR, or scheduled event can trigger automated build/test/deploy workflows. Its marketplace of 20,000+ pre-built actions means you rarely write complex scripts from scratch.
Complete CI/CD Pipeline
```yaml
name: CI/CD Pipeline
on:
  push: { branches: [main, develop] }
  pull_request: { branches: [main] }
# Cancel a run that is still in progress when a newer one starts for the same ref
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix: { node-version: [18, 20, 22] }
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "${{ matrix.node-version }}", cache: 'npm' }
      - run: npm ci
      - run: npm run lint
      - run: npm test -- --coverage --ci
      # Upload coverage from a single matrix entry only
      - name: Upload coverage
        if: matrix.node-version == 20
        uses: codecov/codecov-action@v4
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20, cache: 'npm' }
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with: { name: build-output, path: dist/, retention-days: 7 }
  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Deploy only for pushes to main, gated by the production environment
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: production
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with: { name: build-output, path: dist/ }
      - name: Deploy
        # The secret reaches the step as an environment variable and is never printed
        env: { DEPLOY_KEY: "${{ secrets.DEPLOY_KEY }}" }
        run: echo "Deploying to production..."
```
Key Features
- Matrix builds: Test across Node versions, OSes, database versions in parallel.
- Caching: Reuse node_modules between runs — 90s builds drop to 20s.
- Environments & secrets: Gate deployments with approvals, inject encrypted credentials.
- Reusable workflows: Define CI patterns once, reference across repos.
- Composite actions: Package multiple steps into one reusable action.
Security Best Practices
- Pin action versions to prevent supply chain attacks (use @v4 or commit SHA, never @main). A full commit SHA is the stricter pin, because a tag such as @v4 can be moved to different code by the action's maintainer.
- Use fail-fast: true on matrices.
- Use concurrency groups to cancel redundant runs.
- Minimize secret exposure: least-privilege permissions, never echo secrets.

GitHub Actions is powerful enough for enterprise CI/CD while simple enough for side projects.
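The pinning, permissions and secret-handling advice above can be checked mechanically before a workflow is merged. The following Python check is an added example, not part of the original article or of any GitHub tool; the rule names, the sample workflow, its action names and the 40-hex SHA are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SECRET_ENV = re.compile(r"(\w+):\s*['\"]?\$\{\{\s*secrets\.")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
VERSION_TAG = re.compile(r"v?\d+(\.\d+){0,2}")

def classify(uses):
    """Classify a `uses:` value as local-or-docker, sha, tag or floating."""
    if uses.startswith(("./", "docker://")):
        return "local-or-docker"
    ref = uses.partition("@")[2]
    if FULL_SHA.fullmatch(ref):
        return "sha"       # immutable: names exactly one commit
    if VERSION_TAG.fullmatch(ref):
        return "tag"       # readable, but the publisher can move a tag
    return "floating"      # branch or other mutable name, or no ref at all

def audit(text):
    """Return (line_number, rule, detail) findings; line 0 means the whole file."""
    rows = text.splitlines()
    findings = []
    if not any(re.match(r"\s*permissions:", row) for row in rows):
        findings.append((0, "no-permissions", "GITHUB_TOKEN scope not restricted"))
    # Names of environment variables that are filled from the secrets context.
    secret_vars = {v for row in rows for v in SECRET_ENV.findall(row)}
    for n, row in enumerate(rows, 1):
        m = USES.match(row)
        if m and (kind := classify(m.group(1))) in ("tag", "floating"):
            findings.append((n, kind + "-ref", m.group(1)))
        prints = re.search(r"\b(echo|printf)\b", row)
        leaks = "secrets." in row or any("$" + v in row or "${" + v in row for v in secret_vars)
        if prints and leaks:
            findings.append((n, "secret-echo", row.strip()))
    return findings

# Constructed sample workflow; the action names and the 40-hex SHA are placeholders.
SAMPLE = """\
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@main
      - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
      - env: { DEPLOY_KEY: "${{ secrets.DEPLOY_KEY }}" }
        run: echo "key is $DEPLOY_KEY"
"""
```

Calling `audit(SAMPLE)` reports the missing `permissions:` block, the tag-pinned and branch-pinned actions, and the step that prints a secret-backed variable; the SHA-pinned action passes.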
Further reading: GitHub Actions Docs | Actions Marketplace
