GitHub Actions Workflow


Overview


Create powerful GitHub Actions workflows to automate testing, building, security scanning, and deployment processes directly from your GitHub repository.

When to Use


  • Continuous integration and testing
  • Build automation
  • Security scanning and analysis
  • Dependency updates
  • Automated deployments
  • Release management
  • Code quality checks

Implementation Examples


1. Complete CI/CD Workflow


```yaml
# .github/workflows/ci.yml
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [16.x, 18.x, 20.x]
    steps:
      - uses: actions/checkout@v3

      - name: Setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run linter
        run: npm run lint

      - name: Run tests
        run: npm run test:coverage

      - name: Upload coverage
        uses: codecov/codecov-action@v3

  build:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}

      - name: Build and push image
        uses: docker/build-push-action@v4
        with:
          context: .
          # Pull requests build the image but never publish it
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif when default token permissions are restricted
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master  # branch ref, so it moves; a release tag or commit SHA is a stabler pin
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  deploy:
    runs-on: ubuntu-latest
    needs: [test, build]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - uses: actions/checkout@v3

      - name: Deploy to production
        run: |
          echo "Deploying to production..."
          # Add deployment script
```

3. Automated Release Workflow


```yaml
# .github/workflows/release.yml
name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  create-release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history so the changelog covers every commit

      - name: Generate changelog
        id: changelog
        uses: mikepenz/action-github-changelog-generator@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Create Release
        uses: ncipollo/release-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # github.ref is 'refs/tags/v1.2.3'; github.ref_name is the bare tag name
          tag: ${{ github.ref_name }}
          body: ${{ steps.changelog.outputs.changelog }}
          draft: false

      - name: Publish to npm
        uses: JS-DevTools/npm-publish@v1
        with:
          token: ${{ secrets.NPM_TOKEN }}
```

5. Docker Build and Push


```yaml
name: Docker Build
on: [push]
jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v3
      - uses: docker/setup-buildx-action@v2
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:latest
```

Best Practices


✅ DO


  • Use caching for dependencies (npm, pip, Maven)
  • Run tests in parallel with matrix strategy
  • Require status checks on protected branches
  • Use environment secrets and variables
  • Implement conditional jobs with if:
  • Lint and format before testing
  • Set explicit permissions with permissions
  • Use runner labels for specific hardware
  • Cache Docker layers for faster builds

❌ DON'T


  • Store secrets in workflow files
  • Run untrusted code in workflows
  • Use secrets.* with pull requests from forks
  • Hardcode credentials or tokens
  • Mask failures with continue-on-error instead of handling the error
  • Create overly complex workflows
  • Skip testing on pull requests
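The DO/DON'T items above can be checked mechanically before a workflow is merged. The following is an added example, not code from the original page: a small line-oriented audit that flags missing explicit permissions, the pull_request_target trigger (where fork PRs can reach secrets.*), action references that are not pinned to a commit SHA, continue-on-error, and credential literals. The two sample workflows and the 40-hex SHA are constructed placeholders.

```python
import re
# Line-oriented checks (no YAML library needed) for the DO/DON'T items above.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
CRED_RE = re.compile(r"^\s*([\w-]*(?:token|password|secret))\s*:\s*(.+?)\s*$", re.I)

def audit_workflow(text: str) -> list:
    lines = text.splitlines()
    findings = []
    if not any(l.strip().startswith("permissions:") for l in lines):
        findings.append("no explicit permissions: block, GITHUB_TOKEN keeps default scopes")
    if any("pull_request_target" in l for l in lines):
        findings.append("pull_request_target trigger runs fork PRs with secrets.* available")
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comments
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):  # @v3 / @master can move; a SHA cannot
            findings.append(f"L{n}: {m.group(1)}@{m.group(2)} is a mutable ref, pin a commit SHA")
        if line.strip() == "continue-on-error: true":
            findings.append(f"L{n}: continue-on-error: true masks a failing step")
        m = CRED_RE.match(line)
        if m and not m.group(2).startswith("${{") and m.group(2) not in ("read", "write", "none"):
            findings.append(f"L{n}: hardcoded {m.group(1)} literal in the workflow file")
    return findings

# Constructed sample workflows (not from the page): one risky, one hardened.
RISKY = """\
on: [pull_request_target]
jobs:
  scan:
    steps:
      - uses: actions/checkout@v3
      - uses: aquasecurity/trivy-action@master
        continue-on-error: true
      - uses: docker/login-action@v2
        with:
          password: hunter2-constructed
"""
HARDENED = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""
```

Run audit_workflow on each sample: the risky workflow yields seven findings, the hardened one none.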

Secrets and Variables


```bash
# Set secrets via CLI
gh secret set MY_SECRET --body "secret-value"
gh secret list

# Set organization variables
gh variable set MY_VAR --body "value" --org myorg
```

Workflow Permissions


```yaml
permissions:
  actions: read
  contents: read
  checks: write
  pull-requests: write
  security-events: write
  packages: write
```

Resources
