GitHub Actions — Overview

OWNER: alex, tjitte
ALSO_USED_BY: leon, marta, iwona
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: GitHub Actions (github-hosted runners, ubuntu-latest)


Overview

GitHub Actions is GE's CI/CD platform. All build, test, lint, and deployment
workflows run as GitHub Actions. GE uses GitHub-hosted runners exclusively
(no self-hosted runners). Workflows are defined in .github/workflows/.


GE Runner Configuration

Setting       Value                     Notes
Runner OS     ubuntu-latest             Default for all workflows
Runner size   Standard (2 vCPU, 7 GB)   Larger runners not needed yet
Concurrency   Per-branch                Prevent duplicate runs
Timeout       30 minutes default        Adjusted per workflow

CHECK: all workflows use ubuntu-latest unless platform-specific
CHECK: all workflows have a timeout-minutes set
CHECK: concurrency groups prevent duplicate runs on same branch


Workflow Conventions

File Naming

.github/workflows/  
├── ci.yml                    # Main CI: lint, type-check, test, build  
├── deploy-staging.yml        # Zone 2 deployment  
├── deploy-production.yml     # Zone 3 deployment  
├── pr-checks.yml             # PR-specific checks (preview, size)  
├── scheduled-drift.yml       # Terraform drift detection  
└── reusable-docker-build.yml # Reusable workflow (prefixed)  

CHECK: workflow files are lowercase with hyphens
CHECK: reusable workflows prefixed with reusable-
CHECK: deployment workflows named deploy-{zone}.yml

Trigger Conventions

on:  
  push:  
    branches: [main]  
  pull_request:  
    branches: [main]  
    types: [opened, synchronize, reopened]  

CHECK: use pull_request not pull_request_target for fork PRs
CHECK: push triggers only on main (not all branches)
CHECK: PR triggers include synchronize for re-runs on new commits


Concurrency Control

concurrency:  
  group: ${{ github.workflow }}-${{ github.ref }}  
  cancel-in-progress: true  

CHECK: every workflow has a concurrency group
CHECK: cancel-in-progress: true for CI workflows (save runner minutes)
CHECK: cancel-in-progress: false for deployment workflows (never cancel mid-deploy)


GE-Specific Conventions

  1. All third-party actions pinned to commit SHA (not tag)
  2. OIDC for cloud provider authentication — no long-lived secrets
  3. Reusable workflows for shared logic across repositories
  4. Matrix builds for multi-project monorepo testing
  5. Docker layer caching for fast image builds
  6. Environment protection rules for staging/production deploys
  7. All workflow runs auditable — logs retained for 90 days
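
A small linter for several of the CHECK lines above (SHA pinning, no pull_request_target, a concurrency group, timeout-minutes, no cancel-in-progress on deploy workflows), added here as an example and not GE's own tooling. It assumes every non-local `uses:` reference counts as third-party; the two workflow samples are constructed and trimmed, and the 40-hex SHA is a placeholder.

```python
import re

SHA = re.compile(r"[0-9a-f]{40}")

def lint_workflow(filename, text):
    """Findings for one workflow file; line-based, assumes '#' only starts comments."""
    lines = [re.sub(r"(^|\s)#.*$", "", l).rstrip() for l in text.splitlines()]
    body = "\n".join(lines)
    rules = [
        (re.search(r"\bpull_request_target\b", body), "pull_request_target trigger in use"),
        (not re.search(r"^concurrency:", body, re.M), "no concurrency group"),
        ("timeout-minutes:" not in body, "no timeout-minutes set"),
        (filename.startswith("deploy-") and "cancel-in-progress: false" not in body,
         "deploy workflow can be cancelled mid-deploy"),
    ]
    findings = [msg for hit, msg in rules if hit]
    for n, line in enumerate(lines, 1):
        m = re.match(r"\s*-?\s*uses:\s*['\"]?([^'\"\s]+)", line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a uses: line, or a local / docker reference
        if not SHA.fullmatch(m.group(1).partition("@")[2]):
            findings.append(f"line {n}: {m.group(1)} not pinned to a commit SHA")
    return findings

# Constructed, trimmed samples; the 40-hex value is a placeholder, not a real commit.
GOOD = """\
on:
  pull_request:
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint:
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
"""
BAD = """\
on:
  pull_request_target:
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    print(lint_workflow("ci.yml", GOOD), lint_workflow("deploy-production.yml", BAD))
```

A tag such as `@v4` can be moved to a different commit by whoever controls the action's repository, which is why only a full 40-character SHA passes the pinning check.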

Workflow Limits (GitHub)

Limit                          Value
Nested reusable workflows      10 levels
Total workflow calls per run   50
Workflow dispatch inputs       25
Cache size per repository      10+ GB
Job matrix combinations        256
Concurrent jobs (Free)         20
Concurrent jobs (Team)         60

Cross-References

READ_ALSO: wiki/docs/stack/github-actions/patterns.md
READ_ALSO: wiki/docs/stack/github-actions/security.md
READ_ALSO: wiki/docs/stack/github-actions/pitfalls.md
READ_ALSO: wiki/docs/stack/github-actions/checklist.md
READ_ALSO: wiki/docs/stack/kubernetes/index.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/index.md