Instant Digital Download

Citadel Cloud Management

GitHub Actions CI/CD Pipeline Template Pack

DevOps Pipelines

Created by Kenny Ogunlowo


Product Description

GitHub Actions CI/CD Pipeline Template Pack

Most GitHub Actions workflows I encounter in enterprise environments are copy-pasted from blog posts and never updated. They use actions/checkout@v2 when v4 has been out for a year, store AWS credentials as long-lived secrets, and have no security scanning whatsoever. When something breaks at 2 AM, the on-call engineer spends 30 minutes reading the YAML to understand what the pipeline is supposed to do because there are no comments, no documentation, and no error handling. This template is the opposite of that.

Built from production pipelines I have maintained for defense and healthcare systems, this workflow follows GitHub's recommended patterns for action pinning, secret management, and job dependency structure.

Pipeline Stages

  • checkout — actions/checkout@v4 with fetch-depth: 0 for full history access. Required for changelog generation, blame annotations, and accurate coverage diffs.
  • setup — Language-specific setup action (actions/setup-node@v4, actions/setup-python@v5, actions/setup-go@v5) pinned to exact versions. Dependency caching via actions/cache@v4 with lockfile hash keys.
  • lint — Language-appropriate linters run in parallel. Fast feedback loop — fails in under 60 seconds. Blocks the more expensive test and build stages.
  • test — Unit tests with coverage reporting. Matrix strategy for multiple runtime versions. JUnit XML output for GitHub's native test reporting. Coverage uploaded to Codecov.
  • security — github/codeql-action@v3 for SAST. trufflesecurity/trufflehog@v3.63.0 for secret detection. actions/dependency-review-action@v4 for vulnerable dependencies.
  • build — Application build with artifact upload. Docker image build if containerized. All artifacts tagged with ${{ github.sha }} for traceability.
  • deploy — Environment-gated deployment with manual approval for production. Uses OIDC federation for cloud authentication — no stored credentials.

Security Gates

  • Action pinning — All third-party actions pinned to SHA, not version tag. Prevents supply chain attacks where a tag is reassigned to a malicious commit.
  • Minimum permissions — permissions: block explicitly sets contents: read, packages: write as needed. No default write-all.
  • Secret scanning — TruffleHog runs on every PR. Blocks merge if any credential pattern is detected in the diff or commit history.
  • OIDC authentication — Cloud provider authentication via federated identity. No AWS_ACCESS_KEY_ID, no AZURE_CLIENT_SECRET, no GCP JSON key files.

Environment Promotion

Dev auto-deploys on merge to develop. Staging deploys on release candidate tags with one required approval. Production deploys on release tags with two required approvals and passing staging tests.

What Breaks First

  • Runner disk space exhaustion — Large Docker builds on GitHub-hosted runners run out of the 14GB available disk. Fix: add docker system prune -af before the build or use runs-on: ubuntu-latest-large runners.
  • Concurrent workflow cancellation — Multiple pushes to the same branch cancel each other via concurrency groups. The latest push might cancel a deploy that was in progress. Fix: use cancel-in-progress: false for deployment workflows.
  • Cache eviction under storage limit — GitHub caches are limited to 10GB per repository. Frequent cache writes push older caches out. Fix: use specific cache keys that minimize churn and delete stale caches via the REST API in a scheduled cleanup workflow.
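As an added illustration (not one of the template pack's own files), here is a minimal production deployment workflow that applies the gates above and the concurrency fix: a read-only default token, actions pinned to full commit SHAs, OIDC federation to AWS through an assumed role, and cancel-in-progress: false. The 40-zero SHAs, the role ARN, the region and the deploy script path are placeholders/assumptions to replace with your own audited values.

```yaml
name: deploy-production

on:
  push:
    tags: ['v*']              # production deploys on release tags (see Environment Promotion)

# Default GITHUB_TOKEN scope for every job is read-only; jobs widen it explicitly.
permissions:
  contents: read

# A newer push must not cancel a deploy that is already in progress.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production   # required reviewers are configured on the environment
    permissions:
      contents: read
      id-token: write         # lets the job request an OIDC token; no stored cloud keys

    steps:
      # Third-party actions are pinned to a full commit SHA, not a mutable tag.
      # The tag is kept as a comment for humans. PLACEHOLDER SHAs below: resolve the
      # tag you reviewed and paste its 40-hex commit before use.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          fetch-depth: 0      # full history for changelog and coverage diffs

      # Federated identity: the runner exchanges its OIDC token for short-lived
      # AWS credentials scoped to this role. No AWS_ACCESS_KEY_ID in secrets.
      - uses: aws-actions/configure-aws-credentials@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-prod   # placeholder role
          aws-region: us-east-1                                                # assumed region

      # Artifacts and the deploy itself are keyed by the commit SHA for traceability.
      - name: Deploy tagged build
        run: ./scripts/deploy.sh "${{ github.sha }}"   # assumed script path
```

The IAM role's trust policy must restrict the token's sub claim to this repository and environment; otherwise any workflow that can mint an OIDC token could assume it.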

What You'll Get

  • Complete digital resource files
  • Ready-to-use templates and frameworks
  • Professional documentation included
  • Lifetime access to download updates