GitHub Actions CI/CD Skill
Purpose
Defines CI/CD pipeline best practices using GitHub Actions for automated testing, security scanning, and deployment.
Rules
Workflow Structure
MUST INCLUDE:
- Code quality checks (linting, formatting)
- Security scanning (CodeQL, Dependabot, ZAP)
- Performance audits (Lighthouse)
- Build and minification
- Deployment (with approval for production)
Example Workflow:
```yaml
name: CI/CD Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default token scope for every job; a job adds only what it needs.
# Action references are shown as tags for readability; pin them to full
# commit SHAs in practice (see Security Best Practices below).
permissions:
  contents: read
  security-events: write

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate HTML
        run: npm run validate:html
      - name: Lint CSS
        run: npm run lint:css

  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.10.0
        with:
          target: 'https://www.hack23.com'

  lighthouse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Lighthouse
        uses: treosh/lighthouse-ci-action@v10
        with:
          urls: |
            https://www.hack23.com/
            https://www.hack23.com/services.html
          budgetPath: ./budget.json
          uploadArtifacts: true

  deploy:
    needs: [validate, security-scan, lighthouse]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    # Required reviewers for production are configured on the environment.
    environment: production
    # Job-level permissions replace the workflow defaults, so contents: read
    # is restated; id-token: write is what lets the job request the OIDC token.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - name: Sync to S3
        # Exclude repository metadata so .git history and workflow files are not published.
        run: aws s3 sync . s3://${{ secrets.S3_BUCKET }} --delete --exclude ".git/*" --exclude ".github/*"
      - name: Invalidate CloudFront
        run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CF_DIST_ID }} --paths "/*"
```
Security Best Practices
MUST:
- Use OIDC for AWS authentication (no long-lived keys)
- Store secrets in GitHub Secrets
- Use least-privilege IAM roles
- Pin action versions with full commit SHA
- Enable Dependabot for action updates
- Use the `permissions` key to minimize token scope
MUST NOT:
- Commit secrets to repository
- Use personal access tokens in workflows
- Grant overly broad permissions
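The AWS side of the OIDC and least-privilege rules above, as an added example that is not part of this skill: an IAM role trust policy that lets only the hack23/homepage deploy job assume the role, and only when it runs against the production environment (a job with no environment presents a sub claim of the form repo:hack23/homepage:ref:refs/heads/main instead). The account ID 123456789012 is a placeholder, and the role's separate permission policy is assumed to grant only the S3 sync and CloudFront invalidation the workflow performs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:hack23/homepage:environment:production"
        }
      }
    }
  ]
}
```

A wildcard subject such as repo:hack23/* would let any workflow in the organization assume the role, so keep the sub condition pinned to one repository and one environment or branch.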