Claude-skill-registry actions-cicd-practices
GitHub Actions and CI/CD best practices for automated testing, building, and deployment.
Install

Source: clone the upstream repo

```sh
git clone https://github.com/majiayu000/claude-skill-registry
```

Claude Code: install into ~/.claude/skills/

```sh
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/actions-cicd-practices" ~/.claude/skills/majiayu000-claude-skill-registry-actions-cicd-practices && rm -rf "$T"
```

Manifest: skills/data/actions-cicd-practices/SKILL.md

Safety: automated scan (medium risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
- pip install
- references API keys
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content
GitHub Actions CI/CD practices
Purpose
Guide for GitHub Actions and CI/CD workflows covering testing, building, caching, and deployment automation.
When to use
This skill activates when:
- Creating GitHub Actions workflows
- Setting up CI/CD pipelines
- Configuring automated testing
- Optimizing workflow performance
- Managing secrets and environments
Core structure
Basic workflow
```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.14'
      - name: Install dependencies
        run: pip install -e ".[dev]"
      - name: Run tests
        run: pytest
```
Python workflows
With uv
```yaml
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true
      - name: Set up Python
        run: uv python install 3.14
      - name: Install dependencies
        run: uv sync
      - name: Run tests
        run: uv run pytest
```
Matrix testing
```yaml
jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        python-version: ['3.14']
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
      - name: Set up Python ${{ matrix.python-version }}
        run: uv python install ${{ matrix.python-version }}
      - name: Install dependencies
        run: uv sync
      - name: Run tests
        run: uv run pytest
```
Caching
uv cache
```yaml
- name: Install uv
  uses: astral-sh/setup-uv@v4
  with:
    enable-cache: true
    cache-dependency-glob: "uv.lock"
```
Manual caching
```yaml
- name: Cache dependencies
  uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
    restore-keys: |
      ${{ runner.os }}-pip-
```
Linting and type checking
```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
        with:
          enable-cache: true
      - name: Set up Python
        run: uv python install 3.14
      - name: Install dependencies
        run: uv sync
      - name: Lint with ruff
        run: uv run ruff check .
      - name: Type check with basedpyright
        run: uv run basedpyright
```
Code coverage
```yaml
- name: Run tests with coverage
  run: uv run pytest --cov=src --cov-report=xml
- name: Upload coverage
  uses: codecov/codecov-action@v4
  with:
    files: ./coverage.xml
    fail_ci_if_error: true
```
Workflow optimization
Concurrency
```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```
Path filters
```yaml
on:
  push:
    paths:
      - 'src/**'
      - 'tests/**'
      - 'pyproject.toml'
      - '.github/workflows/ci.yml'
```
Job dependencies
```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps: ...
  test:
    needs: lint
    runs-on: ubuntu-latest
    steps: ...
  build:
    needs: [lint, test]
    runs-on: ubuntu-latest
    steps: ...
```
Secrets and environments
Using secrets
```yaml
- name: Deploy
  env:
    API_KEY: ${{ secrets.API_KEY }}
  run: ./deploy.sh
```
Environment protection
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Deploy to production
        run: ./deploy.sh
```
Release workflow
```yaml
name: Release
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # For PyPI trusted publishing
      contents: read   # Declaring permissions drops all unlisted scopes to none; checkout still needs read
    steps:
      - uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@v4
      - name: Build package
        run: uv build
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
```
Reusable workflows
Define reusable workflow
```yaml
# .github/workflows/test-reusable.yml
name: Reusable Test
on:
  workflow_call:
    inputs:
      python-version:
        required: true
        type: string
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ inputs.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}
```
Use reusable workflow
```yaml
jobs:
  test-3-14:  # job name matches the version passed in
    uses: ./.github/workflows/test-reusable.yml
    with:
      python-version: '3.14'
```
Security
Minimal permissions
```yaml
permissions:
  contents: read
  pull-requests: write
```
Pin action versions
```yaml
# Good: Pinned to specific version (a tag, which the action author can move)
- uses: actions/checkout@v4
# Better: Pinned to commit SHA (immutable); keep the matching tag in a trailing
# comment so Dependabot or Renovate can still propose SHA bumps
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
```
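A small static check that enforces the "Using secrets" and "Security" guidance above: third-party `uses:` refs pinned to a commit SHA, a `permissions:` block present, and secrets reaching shell steps through `env:` rather than interpolated into `run:` text. This is an added example, not part of the skill; the sample workflow and its SHA are constructed.

```python
import re

# Checks for the Security and Secrets guidance: third-party `uses:` refs pinned
# to a 40-hex commit SHA, a `permissions:` block present at workflow or job
# level, and no `${{ secrets.* }}` interpolated into `run:` shell text.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")

def audit_workflow(text):
    """Return (line_number, message) findings for one workflow file's text."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append((0, "no permissions: block; GITHUB_TOKEN keeps its default scopes"))
    run_indent = None  # indent of an open `run: |` block scalar, else None
    for num, ln in enumerate(lines, 1):
        indent = len(ln) - len(ln.lstrip())
        if run_indent is not None and ln.strip() and indent <= run_indent:
            run_indent = None  # dedent closes the block scalar
        in_run = run_indent is not None
        m = USES_RE.match(ln)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local and container actions are out of scope here
            name, _, version = ref.rpartition("@")
            if not name or not SHA_RE.match(version):
                findings.append((num, f"{ref}: mutable ref, pin to a commit SHA"))
            continue
        m = RUN_RE.match(ln)
        if m:
            in_run = True
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                run_indent = indent
        if in_run and SECRET_RE.search(ln):
            findings.append((num, "secret interpolated into run: text; pass it through env:"))
    return findings

# Constructed sample workflow (not from any real project); the SHA is made up.
SAMPLE = """\
on: [push]
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: some-org/deploy-action@main
      - run: |
          ./deploy.sh --token "${{ secrets.API_KEY }}"
"""
```

`audit_workflow(SAMPLE)` flags the missing permissions block, the two tag- and branch-pinned actions on lines 5 and 7, and the inline secret on line 9, while the SHA-pinned step passes.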
Checklist
- Workflow triggers appropriate
- Matrix covers required platforms/versions
- Caching configured for performance
- Secrets not exposed in logs
- Permissions minimized
- Action versions pinned
- Concurrency configured
- Path filters for efficiency
Additional resources: