Prompt
When working with GitHub Actions workflows, follow these configuration best practices:
- Boolean inputs comparison: GitHub Actions boolean inputs are actually strings. Always use string comparison with quotes:
  ```yaml
  # ❌ Incorrect - may never evaluate as expected
  if: $
  # ✅ Correct - properly compares string values
  if: $
  ```
- Version pinning: Always pin external GitHub Actions to specific commit SHAs rather than using major version tags:
  ```yaml
  # ❌ Insecure - may pull unexpected updates
  uses: actions/checkout@v4
  # ✅ Secure - pins to specific commit
  uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  ```
- Input naming consistency: Maintain consistent input naming across workflow triggers. Ensure variables referenced in workflows match the input names defined in `workflow_call` and `workflow_dispatch` events to avoid undefined values.
- Dynamic identifiers: Include both run ID and attempt ID in dynamically generated values like branch names to ensure uniqueness across workflow reruns:
  ```yaml
  # ✅ Better uniqueness for branches created in workflows
  branch: 'chore/openapi-sync-${{ github.run_id }}-${{ github.run_attempt }}'
  ```
These practices improve security, reliability, and maintainability of workflow configurations.