Actions workflow best practices

Use GitHub Actions native features and follow best practices to create maintainable, secure, and reliable CI workflows: 1. **Use working-directory instead of manual cd commands**

copy reviewer prompt

Prompt

Reviewer Prompt
Deploy Agent

Use GitHub Actions native features and follow best practices to create maintainable, secure, and reliable CI workflows:

  1. Use working-directory instead of manual cd commands ```yaml

    DO THIS

    • name: Run command in specific directory working-directory: $ run: | command1 command2

    INSTEAD OF THIS

    • name: Run command in specific directory run: | cd “$” command1 command2 ```
  2. Pin specific SHA commits for third-party actions ```yaml

    DO THIS

    • uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1

    INSTEAD OF THIS

    • uses: codecov/test-results-action@v1 ```
  3. Handle all possible job states in conditional logic 
    update-existing: $
  4. Scope permissions to the minimum required level 
    # DO THIS - scope permissions per job
jobs:
  build:
    permissions:
      contents: read
      attestations: write
      id-token: write

# INSTEAD OF THIS - overly broad permissions
permissions:
  contents: read
  attestations: write
  id-token: write

These practices improve workflow reliability, security, and maintainability while making troubleshooting easier.

Source discussions