# GitHub Actions

GitHub Actions discipline for CI/CD workflows.

## Rules

1. **Workflows are code — review them.** `.github/workflows/` changes go through PR review like application code. A malicious or careless workflow has repo access.

2. **Pin action versions to SHAs or tags.** `@v4` is better than `@main`, and a full commit SHA is the most stable pin of all. An action referenced by a branch can change behavior under you without notice.

3. **Least privilege on tokens.** Scope `GITHUB_TOKEN` with the `permissions:` key, at the workflow level or per job. Don't grant `contents: write` when `contents: read` suffices.

4. **Secrets in GitHub Secrets, not env files.** `${{ secrets.MY_KEY }}` in workflows. Never echo secrets, never log them, never commit them.

5. **Cache dependencies, not secrets.** `actions/cache` for npm, pip, and cargo dependencies. Cache keys include lockfile hashes for invalidation.

6. **Reusable workflows for shared patterns.** DRY up lint, test, and deploy steps across repos. Copy-pasted workflows drift apart.
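The following workflow is an added example written for this page, not code from the upstream CallStack skill. It puts rules 2 through 5 into one file: SHA-pinned actions, a read-only default token widened only per job, a secret read from GitHub Secrets and passed through the environment, and a dependency cache keyed on the lockfile hash. The SHA placeholders must be replaced with the real commit for the tag you choose, and the `NPM_TOKEN` secret name is an assumption.

```yaml
# Added example (not from the upstream skill). Replace each <full-40-hex-commit-sha>
# with the actual commit the named tag resolves to; the trailing comment records the tag.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Rule 3: the token is read-only for every job by default.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Rule 2: pin to a full commit SHA, not a branch; a tag can be moved, a SHA cannot.
      - uses: actions/checkout@<full-40-hex-commit-sha> # v4
      - uses: actions/setup-node@<full-40-hex-commit-sha> # v4
        with:
          node-version: 20

      # Rule 5: cache the package store only, keyed on the lockfile hash so that any
      # dependency change invalidates it. Never cache a path that holds credentials.
      - uses: actions/cache@<full-40-hex-commit-sha> # v4
        with:
          path: ~/.npm
          key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: npm-${{ runner.os }}-

      - run: npm ci
      - run: npm test

  publish:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Rule 3 again: if this job ever needs more than read access (for example
    # `contents: write` to create a release), widen it here, not at the top of the file.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-40-hex-commit-sha> # v4
      - uses: actions/setup-node@<full-40-hex-commit-sha> # v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Rule 4: the secret (assumed name NPM_TOKEN) comes from GitHub Secrets and reaches
      # the step as an environment variable. It is never echoed or written into the
      # repository. GitHub masks the exact secret string in logs, but not a transformed
      # copy of it (base64, URL-encoded), so the step must not print derived values either.
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two review checks worth making on any workflow shaped like this: every `uses:` line carries a 40-character SHA rather than a tag or branch, and no job declares `permissions:` broader than the steps in that job actually exercise.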

## What This Replaces

Unreviewed workflow changes, over-permissioned tokens, unpinned actions, and CI configuration that diverges across repos in the same org.

## Official Source

Distilled from CallStack's GitHub workflow skills.
Full upstream: https://officialskills.sh/callstackincubator/skills/github
