GitHub Actions — Reusable Workflows & Matrices
debt(d7/e5/b5/t5)
Closest to 'only careful code review or runtime testing' (d7). The detection_hints note automated=no, and the tools listed (github-actions, act) don't statically catch misconfigurations like missing concurrency groups, mutable tag pinning, or absent fail-fast flags — these surface only through code review or when a run actually misbehaves in production queues.
Closest to 'touches multiple files / significant refactor in one component' (e5). The quick_fix mentions composite actions to DRY repeated steps across workflows, but centralising CI logic into reusable workflows and switching from static secrets to OIDC touches multiple workflow files across potentially many repositories — beyond a single-line patch but short of a full architectural rework.
Closest to 'persistent productivity tax' (b5). Applies to both web and cli contexts, and the misconception highlights that duplicated CI config across 20 repos means every security update requires 20 edits. The choice of whether to adopt reusable workflows shapes ongoing CI maintenance work across many streams, but doesn't fully define the system's shape.
Closest to 'notable trap (a documented gotcha most devs eventually learn)' (t5). The misconception explicitly states developers underestimate GitHub Actions' sophistication, defaulting to simple patterns. Common mistakes — static secrets instead of OIDC, mutable tag pinning (v3 vs SHA), missing fail-fast:false — are documented gotchas that experienced CI engineers learn but are non-obvious to intermediate users.
Also Known As
TL;DR
Explanation
Advanced GitHub Actions features:
- Reusable workflows (workflow_call trigger) — define once, call from multiple repos.
- Matrix strategy — test across multiple PHP versions, operating systems, and dependency versions in parallel.
- Composite actions — bundle multiple steps into a single reusable action.
- Environments with protection rules — require approvals before deploying to production.
- Concurrency groups — cancel superseded runs on the same branch.
- Job dependencies (needs:) — sequential or conditional pipelines.
- OIDC authentication — exchange the GitHub token for cloud provider credentials without storing secrets.
Common Misconception
Why It Matters
Common Mistakes
- Storing cloud credentials as repository secrets instead of using OIDC — static credentials that never expire.
- No concurrency groups — every push triggers a new run, queue piles up.
- Matrix without fail-fast: false — one matrix failure cancels all siblings.
- Pinning Actions to a mutable tag (v3) instead of a commit SHA — supply chain risk.
Code Examples
# Duplicated across 20 repos — maintenance nightmare:
# .github/workflows/ci.yml (same in every repo):
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install
      - run: vendor/bin/phpunit
# Security scan added? Update all 20 repos manually.

# Reusable workflow — org/.github/workflows/php-ci.yml:
name: PHP CI
on:
  workflow_call:
    inputs:
      php-versions:
        type: string
        default: '["8.1", "8.2", "8.3"]'   # JSON list, so callers can override the matrix
jobs:
  test:
    strategy:
      fail-fast: false                     # one failing version must not cancel its siblings
      matrix:
        php: ${{ fromJSON(inputs.php-versions) }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # SHA pin
      - uses: shivammathur/setup-php@v2    # mutable tag: pin to a commit SHA like checkout above
        with:
          php-version: ${{ matrix.php }}
      - run: composer install
      - run: composer audit                # Security in shared workflow
      - run: vendor/bin/phpunit

# Each repo just calls it:
# .github/workflows/ci.yml:
name: CI
on: [push]
jobs:
  ci:
    uses: org/.github/workflows/php-ci.yml@main   # org-controlled ref; pin a tag or SHA to freeze it
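The Explanation and Common Mistakes sections mention concurrency groups, job dependencies, protected environments and OIDC, none of which the examples above show. The deploy workflow below is an added example, not code from the original page or from any named project, that combines them with the reusable workflow above; the AWS role ARN, region, deploy script and the credentials action's commit SHA are placeholders.

```yaml
name: Deploy
on:
  push:
    branches: [main]

# One concurrency group per branch. Queue rather than cancel here: a
# half-finished deploy must never be killed. For PR-only CI runs, set
# cancel-in-progress: true so a newer push cancels the superseded run.
concurrency:
  group: deploy-${{ github.ref }}
  cancel-in-progress: false

# No token permissions by default; each job opts in to exactly what it needs.
permissions: {}

jobs:
  test:
    # The reusable PHP CI workflow defined above (matrix, audit, phpunit).
    uses: org/.github/workflows/php-ci.yml@main

  deploy:
    needs: test                   # runs only after every matrix leg has passed
    runs-on: ubuntu-latest
    # Protection rules for 'production' (required reviewers, allowed branches)
    # live in repository settings; referencing the environment enforces them.
    environment: production
    permissions:
      id-token: write             # allows minting the OIDC token for the exchange
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # SHA pin
      # Exchange the short-lived GitHub OIDC token for temporary cloud credentials.
      # No long-lived access key is stored as a repository secret. The IAM role's
      # trust policy should restrict the token's sub claim to this repo and environment.
      - uses: aws-actions/configure-aws-credentials@<commit-sha>   # placeholder: pin to a real SHA
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # constructed example ARN
          aws-region: eu-west-1                                          # assumed region
      - run: ./deploy.sh          # assumed deploy script, not part of the page
```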