Overview
GitHub Actions is GitHub’s built-in workflow automation platform for continuous integration, continuous deployment, scheduled jobs, and repository-driven operational tasks.
Within our engineering workflow, GitHub Actions is used to validate changes, run builds and tests, and automate deployments or supporting infrastructure tasks from the repository.
Purpose
Use GitHub Actions when a repository needs to:
- Run automated checks for pull requests and pushes
- Build and package application artifacts
- Deploy applications or infrastructure
- Execute scheduled maintenance or synchronization jobs
- Enforce repository automation such as labeling, notifications, or policy checks
Recommended Practices
When creating or maintaining GitHub Actions workflows:
- Keep workflows focused on a clear responsibility
- Store reusable logic in shared actions or reusable workflows when repetition grows
- Use least-privilege permissions for the workflow and each job
- Avoid storing long-lived cloud credentials when OIDC federation is available
- Keep secrets and deployment configuration out of source control
- Ensure workflows fail clearly and produce logs that are useful during troubleshooting
Authentication and Cloud Access
Workflows that need to access cloud resources should prefer short-lived identity federation over stored credentials wherever supported.
For Microsoft Azure, use OpenID Connect (OIDC) from GitHub Actions rather than long-lived client secrets. See Azure OIDC for the setup process.
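The following workflow is an added example, not a workflow from this repository. It combines the least-privilege permissions practice with OIDC login to Azure. The workflow name, branch, environment name, `make test` command, and the `AZURE_*` variable names are assumptions.

```yaml
# Added example: names, branch, environment and variable names are assumptions.
name: deploy

on:
  push:
    branches: [main]

# Deny every GITHUB_TOKEN scope by default; each job opts in to what it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # enough to check out the code, nothing else
    steps:
      - uses: actions/checkout@v4
      - run: make test        # placeholder for the repository's own test command

  deploy:
    needs: test
    runs-on: ubuntu-latest
    # Assumed environment name. The federated credential configured in Azure
    # must trust the subject this job presents (repository plus environment).
    environment: production
    permissions:
      contents: read
      id-token: write         # allows this job, and only this job, to request an OIDC token
    steps:
      - uses: actions/checkout@v4

      # OIDC login: no client secret is stored in the repository or its secrets.
      # The long-lived alternative this replaces is passing a service principal
      # secret through the action's `creds` input.
      - name: Azure login via OIDC
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # Confirms which subscription the short-lived session is bound to.
      - run: az account show --query id -o tsv
```

Only the `deploy` job can mint an OIDC token, so a compromised step in `test` cannot obtain cloud access.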