GitHub Actions — Reusable Workflows & Matrices
Also Known As
GitHub Actions matrix
reusable workflow
composite action
Actions secrets
TL;DR
Advanced GitHub Actions patterns — reusable workflow files, matrix strategies for parallel testing, composite actions, and environment protection rules.
Explanation
Advanced GitHub Actions patterns:
- Reusable workflows (workflow_call trigger): define once, call from multiple repos.
- Matrix strategy: test across multiple PHP versions, operating systems, and dependency versions in parallel.
- Composite actions: bundle multiple steps into a single reusable action.
- Environments with protection rules: require approvals before deploying to production.
- Concurrency groups: cancel superseded runs on the same branch.
- Job dependencies (the needs: key): sequential or conditional pipelines.
- OIDC authentication: exchange a GitHub token for cloud provider credentials without storing secrets.
Common Misconception
✗ GitHub Actions is only for simple CI pipelines — Actions supports sophisticated patterns including cross-repository reusable workflows, dynamic matrix generation, and OIDC-based cloud authentication without static secrets.
Why It Matters
Duplicated CI configuration across 20 repositories means updating a security scan step 20 times — reusable workflows centralise CI logic so changes propagate everywhere automatically.
Common Mistakes
- Storing cloud credentials as repository secrets instead of using OIDC — static credentials that never expire.
- No concurrency groups — every push triggers a new run, queue piles up.
- Matrix without fail-fast: false — one matrix failure cancels all siblings.
- Pinning Actions to a mutable tag (v3) instead of a commit SHA — supply chain risk.
Code Examples
✗ Vulnerable
# Duplicated across 20 repos — maintenance nightmare:
# .github/workflows/ci.yml (same in every repo):
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install
      - run: vendor/bin/phpunit
# Security scan added? Update all 20 repos manually.
✓ Fixed
# Reusable workflow, stored in the org/.github repository at .github/workflows/php-ci.yml:
on:
  workflow_call:
    inputs:
      php-version: {type: string, default: '8.3'}
jobs:
  test:
    strategy:
      matrix:
        php: ['8.1', '8.2', '8.3']
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # SHA pin
      - uses: shivammathur/setup-php@v2 # mutable tag; pin to a commit SHA like checkout above
        with:
          # Block style: an unquoted ${{ }} expression is not valid inside a {...} flow mapping
          php-version: ${{ matrix.php }}
      - run: composer install
      - run: composer audit # Security in shared workflow
      - run: vendor/bin/phpunit

# Each repo just calls it:
# .github/workflows/ci.yml:
on: [push]
jobs:
  ci:
    # Format is {owner}/{repo}/.github/workflows/{file}@{ref}; the repo here is named ".github"
    uses: org/.github/.github/workflows/php-ci.yml@main
Added
16 Mar 2026
Edited
22 Mar 2026
⚡
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Medium
⚡ Quick Fix
Use composite actions to DRY up repeated steps across workflows; cache Composer dependencies with the composer-lock hash as the cache key; use matrix builds to test PHP 8.1/8.2/8.3 in parallel
📦 Applies To
any
web
cli
🔗 Prerequisites
🔍 Detection Hints
Duplicate steps across multiple workflow files; no dependency caching; sequential PHP version testing that could be parallel matrix
Auto-detectable:
✗ No
github-actions
act
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File
Tests: Update