What Are GitHub Actions?
GitHub Actions is a CI/CD platform built directly into GitHub. It runs automated workflows when events occur in your repository — code pushes, pull requests, issue creation, or scheduled cron jobs. Unlike external CI services (Jenkins, CircleCI), Actions is zero-config for GitHub repos, deeply integrated with PRs, and offers 2,000 free minutes/month for public repos.
Your First Workflow
Create .github/workflows/ci.yml in your repo:
name: CI
on: push: branches: [main] pull_request: branches: [main] jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 with: node-version: 20 cache: 'npm' - run: npm ci - run: npm test - run: npm run buildThis workflow runs on every push and PR to main, installs dependencies with caching, runs tests, and builds the project.
Matrix Builds: Test Across Versions
Test your code on multiple Node.js versions and operating systems simultaneously:
jobs: test: strategy: matrix: node-version: [18, 20, 22] os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} steps: - uses: actions/setup-node@v4 with: node-version: ${{ matrix.node-version }}Caching for Faster Builds
Dependency installation is often the slowest CI step. Use actions/cache or built-in cache options in setup actions. For Node.js, actions/setup-node with cache: 'npm' automatically caches node_modules. For Docker builds, cache layers with docker/build-push-action's cache options.
Deployment Workflows
Deploy to production on merge to main. Use GitHub Environments for approval gates and secrets:
jobs: deploy: runs-on: ubuntu-latest environment: production if: github.ref == 'refs/heads/main' steps: - run: npx vercel deploy --prod --token=${{ secrets.VERCEL_TOKEN }}This integrates naturally with branching strategies — feature branches get CI checks, main gets auto-deploy.
Reusable Workflows and Custom Actions
Avoid duplicating workflow code across repos with reusable workflows (workflow_call trigger) and composite actions. Create a shared .github repo in your organization with common CI steps. For complex logic, build custom JavaScript or Docker actions that others can reference.
Security Best Practices
Never hardcode secrets in workflow files — use GitHub Secrets. Pin third-party actions to specific commit SHAs (uses: actions/checkout@abc123) to prevent supply chain attacks. Use permissions to restrict the GITHUB_TOKEN scope. Review third-party action source code before trusting it with your deployment credentials.
Conclusion
GitHub Actions eliminates the excuses for not having CI/CD. Start with a simple test-and-build workflow, add matrix builds for coverage, implement caching for speed, and graduate to deployment pipelines with environments and approval gates. Your code review process improves immediately when every PR runs automated checks.