Advanced GitHub Actions Workflows

Introduction

GitHub Actions has evolved beyond simple CI/CD into a full-featured automation platform. Teams managing monorepos, multi-service architectures, or compliance-sensitive deployments need advanced workflows that are maintainable, fast, and secure. This article explores production-ready patterns for GitHub Actions at scale.

Reusable Workflows

Reusable workflows eliminate duplication across repositories. Define a workflow in .github/workflows/deploy-shared.yml with workflow_call:

.github/workflows/deploy-shared.yml

on:

workflow_call:

inputs:

environment:

required: true

type: string

image-tag:

required: true

type: string

secrets:

CLOUD_PROVIDER_KEY:

required: true

jobs:

deploy:

runs-on: ubuntu-latest

environment: ${{ inputs.environment }}

steps:

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\- uses: actions/checkout@v4

run: |

echo "Deploying ${{ inputs.image-tag }} to ${{ inputs.environment }}"

Actual deployment logic here

Consume it from any repository:

.github/workflows/release.yml

on:

push:

branches: [main]

jobs:

call-deploy:

uses: org/shared-workflows/.github/workflows/deploy-shared.yml@v1

with:

environment: staging

image-tag: ${{ github.sha }}

secrets:

CLOUD_PROVIDER_KEY: ${{ secrets.CLOUD_PROVIDER_KEY }}

Matrix Builds

Matrix strategies test across multiple dimensions without duplicating workflow YAML:

jobs:

test:

runs-on: ubuntu-latest

strategy:

matrix:

node: [18, 20, 22]

os: [ubuntu-latest, windows-latest]

include:

os: ubuntu-latest

coverage: true

exclude:

os: windows-latest

steps:

with:

node-version: ${{ matrix.node }}

uses: codecov/codecov-action@v3

The include key adds jobs to the matrix, while exclude removes specific combinations. For large matrices, use max-parallel: 3 to avoid saturating runner capacity.

Composite Actions

Composite actions bundle multiple steps into a reusable unit, ideal for organization-wide standards:

.github/actions/setup-node-env/action.yml

description: "Configures Node with pnpm, cache, and dependency audit"

inputs:

node-version:

description: "Node.js version"

required: false

default: "20"

working-directory:

description: "Directory containing package.json"

required: false

default: "."

runs:

using: "composite"

steps:

with:

node-version: ${{ inputs.node-version }}

with:

version: 8

id: pnpm-cache

shell: bash

run: |

echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT

with:

path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}

key: ${{ runner.os }}-pnpm-${{ hashFiles('pnpm-lock.yaml') }}

restore-keys: |

${{ runner.os }}-pnpm-

shell: bash

working-directory: ${{ inputs.working-directory }}

run: pnpm install --frozen-lockfile

shell: bash

run: pnpm audit --audit-level=high

Usage in any workflow:

jobs:

build:

runs-on: ubuntu-latest

steps:

with:

node-version: "22"

OIDC and Cloud Authentication

OpenID Connect eliminates static credentials by exchanging GitHub's JWT tokens for cloud provider credentials:

jobs:

deploy:

runs-on: ubuntu-latest

permissions:

id-token: write # Required for OIDC

contents: read

steps:

with:

role-to-assume: arn:aws:iam::123456789012:role/github-actions-role

aws-region: us-east-1

Configure the AWS IAM role with a trust policy scoped to specific repositories and branches:

{

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Principal": { "Federated": "arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com" },

"Action": "sts:AssumeRoleWithWebIdentity",

"Condition": {

"StringLike": {

"token.actions.githubusercontent.com:sub": "repo:org/my-repo:ref:refs/heads/main"

}

}]

}

Environment Protection Rules

Protect production deployments with required reviewers, wait gates, and custom deployment branch policies:

on:

workflow_dispatch:

inputs:

environment:

description: "Target environment"

required: true

default: "production"

type: choice

options:

jobs:

deploy:

runs-on: ubuntu-latest

environment:

url: https://${{ github.event.inputs.environment }}.myapp.com

concurrency:

group: ${{ github.event.inputs.environment }}

cancel-in-progress: false

steps:

Configure required reviewers in the repository's environment settings to enforce manual approval gates.

Self-Hosted Runners

Self-hosted runners provide custom hardware, internal network access, and reduced costs:

jobs:

build:

runs-on: [self-hosted, linux, x64, gpu]

steps:

Scale self-hosted runners with the actions-runner-controller on Kubernetes, which auto-provisions and auto-scales runner pods based on workflow demand.

Caching Strategies

Effective caching reduces workflow runtime significantly:

with:

path: |

~/.cache/go-build

~/go/pkg/mod

key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}

restore-keys: |

${{ runner.os }}-go-

For monorepos, cache per workspace directory:

with:

path: packages/*/node_modules/.cache

key: ${{ runner.os }}-${{ github.workflow }}-${{ hashFiles('packages/*/package-lock.json') }}

These patterns form the foundation of scalable, secure GitHub Actions usage in enterprise environments. Start with reusable workflows and matrix builds, then layer on OIDC and self-hosted runners as your infrastructure grows.

Advanced GitHub Actions Workflows

Introduction

Reusable Workflows

.github/workflows/deploy-shared.yml

Actual deployment logic here

.github/workflows/release.yml

Matrix Builds

Composite Actions

.github/actions/setup-node-env/action.yml

OIDC and Cloud Authentication

Environment Protection Rules

Self-Hosted Runners

Caching Strategies

Related Articles