GitHub Actions

What is GitHub Actions

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test and deployment pipeline. It also provides a useful way to automate other tasks you may want to perform in GitHub such as automatically adding labels when someone creates a new issue.

If you want to learn more about GitHub Actions, you can view the GitHub Actions documentation or checkout their training courses on Microsoft Learn. The rest of the information on this page will cover Imperial’s best practices and tips for using GitHub Actions.

Best practices

Avoid consuming unnecessary GitHub Actions minutes

Imperial has a limited quota of how many minutes can be consumed each month. This quota is shared among all repositories. If this quota is reached, it’s possible all GitHub Actions will cease to run. To reduce the number of minutes consumed:

Use public repositories if possible - GitHub Action minutes are free for public repositories. GitHub-hosted runners for public repositories also have increased CPU and memory compared to private and internal repositories. For more information on hardware resources for GitHub hosted runners, see Supported runners and hardware resources.
Don’t use MacOS runners - MacOs runners consume 10x as many minutes as Ubuntu runners. If you do need to use MacOS runners, consider creating your own self-hosted runner.
Set a custom timeout - The default timeout for jobs in a workflow is 360 minutes. This is far larger than it needs to be and in the event of a hung job can be very expensive. Unfortunately a custom timeout needs to be set for each job using the following syntax:

jobs:
  test-job:
    runs-on: ubuntu-latest
    timeout-minutes: 30

Keep your workflows as efficient as possible

Keeping your workflows as efficient as possible won’t just save time when building, testing and deploying your code but will also save on costs and reduce the environmental impact from compute resources. To keep your workflows efficient, consider the following:

Use caching - Jobs on GitHub-hosted runners always start in a clean runner image and must download dependencies each time. To get around this, you can cache your dependencies to reuse them across workflow runs.
Run steps only when necessary - You can use expressions to only run jobs / steps if required.

Be cautious of using third-party actions

If you do want to use a third-party action, consider the following:

How popular is the action - Does the action have many stars? Is there a large community behind it? How many contributors does the repository have?
How well maintained is it - Has the action been updated recently? Does the repository have frequent commits?
Was the action created by an individual or organisation - If the action was created by an organisation, it’s more likely to be supported in the future. Organisations typically have multiple developers maintaining projects so you’re not relying on one individual. Organisations also want to avoid reputational risk so if they’ve put their name to a piece of software, it’s likely they’ll maintain it.

Secure your workflows

When using GitHub Actions features, it’s important you stay secure. GitHub already has extensive documentation on how to do this at Security hardening for GitHub Actions. In summary:

Never store sensitive values as plaintext - Create environment / repository level secrets for them instead.
Use a CODEOWNERS file to control who can make changes to your workflow files - You can add any workflow files to the code owners list so that any proposed changes will first require approval from a designated review. For more information, see About code owners.
Use OpenID Connect to access cloud resources - If you need to access resources from cloud providers, you can configure your workflows to authenticate directly with the cloud providers using OpenID connect rather than long-lived secrets. For more information, see About security hardening with OpenID Connect.
Use Dependabot to keep dependencies up to date - GitHub’s Dependabot can be used to automatically keep your dependencies up to date. This includes actions as well.