Learn how to use GitHub Shared Workflows effectively and securely.
# ❌ Bad - Uses latest code which may change
uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master
# ✅ Good - Uses specific version
uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@v1.2.0# ❌ Bad - Secrets in workflow file
secrets:
AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
# ✅ Good - Use GitHub Secrets
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}# ✅ Good - Only grant necessary permissions
permissions:
contents: read
pull-requests: write- Always review workflow code before using
- Understand what actions are being executed
- Check for security vulnerabilities
# ✅ Good - Parallel execution
strategy:
matrix:
terraform-version: [1.0, 1.1, 1.2]
fail-fast: false# ✅ Good - Cache Terraform providers
- uses: actions/cache@v3
with:
path: .terraform
key: ${{ runner.os }}-terraform-${{ hashFiles('**/*.tf') }}# ✅ Good - Skip unnecessary steps
- name: Deploy
if: github.ref == 'refs/heads/main'jobs:
validate:
# Validation jobs
test:
# Testing jobs
deploy:
needs: [validate, test]
# Deployment jobs# ✅ Good
- name: 🏗️ Build Docker Image for Production
# ❌ Bad
- name: build# ✅ Good - Add comments for complex steps
- name: Calculate version
# Uses semantic versioning based on PR labels
# Major: breaking changes
# Minor: new features
# Patch: bug fixesinputs:
environment:
description: 'Deployment environment'
required: true
type: choice
options:
- staging
- productioninputs:
timeout:
description: 'Workflow timeout in minutes'
required: false
default: '30'
type: number# ✅ Good - Can be used independently or together
jobs:
validate:
uses: ./workflows/tf-checks.yml
deploy:
needs: validate
uses: ./workflows/tf-workflow.yml- name: Job Summary
if: always()
run: |
echo "## Workflow Results" >> $GITHUB_STEP_SUMMARY
echo "- Status: ${{ job.status }}" >> $GITHUB_STEP_SUMMARY- name: Upload logs
if: failure()
uses: actions/upload-artifact@v3
with:
name: debug-logs
path: logs/jobs:
deploy:
timeout-minutes: 30- Use kebab-case for workflow files
- Use descriptive prefixes (tf-, cf-, pr-)
- Use emojis consistently for visual clarity
- name: Validate inputs
run: |
if [ -z "${{ inputs.required_field }}" ]; then
echo "Error: required_field is missing"
exit 1
fi- name: Deploy
continue-on-error: true
run: |
# Deployment logic- Clear description
- Input parameters table
- Secrets table
- At least 2-3 examples
- Common use cases
- AWS example
- Azure example
- GCP example (if applicable)
- Multi-cloud example (if applicable)
- Use CHANGELOG.md
- Tag releases appropriately
- Provide migration guides
- Parallel Jobs - Run independent jobs in parallel
- Conditional Execution - Skip steps when not needed
- Caching - Cache dependencies and build artifacts
- Matrix Optimization - Use fail-fast: false for independent tests
- Resource Limits - Set appropriate timeouts and resource limits
-
Workflow Not Found
- Check workflow path is correct
- Verify branch/tag exists
- Ensure workflow file exists
-
Permission Denied
- Check workflow permissions
- Verify secrets are set
- Check repository settings
-
Timeout Errors
- Increase timeout values
- Optimize workflow steps
- Check for hanging processes