
    Advanced GitHub Actions

    Reusable workflows, Changesets, semantic-release, OIDC (keyless auth) and CI/CD optimisation.


    6 CI/CD tools and techniques: type and description

    semantic-release, Changesets, release-please, reusable workflows, composite actions and OIDC: what each is for and when to use it.

    | Tool | Type | Description |
    |---|---|---|
    | semantic-release | Auto versioning | Conventional Commits -> version, changelog, npm publish |
    | Changesets | Manual versioning | The developer picks the bump; ideal for monorepos |
    | release-please | PR-based release | From Google; a PR carries the version bump, merging it = release |
    | Reusable Workflows | DRY CI | Call workflows from other repos/workflows |
    | Composite Actions | DRY steps | Group steps as a custom action |
    | OIDC + AWS/GCP | Keyless auth | No stored credentials; identity federation |

    Frequently asked questions

    Advanced GitHub Actions: reusable workflows and composite actions?

    Reusable workflows: one workflow calls another; DRY for CI. Definition in .github/workflows/deploy.yml: on: workflow_call: inputs: environment: {required: true, type: string}; secrets: API_KEY: {required: true}. Call: jobs: deploy: uses: ./.github/workflows/deploy.yml (a same-repository path carries no @ref; the ref is only part of cross-repository references), with: environment: production, secrets: API_KEY: ${{ secrets.API_KEY }}. Cross-repo: uses: myorg/shared-workflows/.github/workflows/test.yml@v1.

    Composite actions: .github/actions/setup-node/action.yml: name: Setup Node; inputs: node-version: {required: false, default: '20'}; runs: using: composite; steps: - uses: actions/setup-node@v4 with {node-version: ${{ inputs.node-version }}}, - run: npm ci with shell: bash (run steps in a composite action must declare their shell). Call: uses: ./.github/actions/setup-node with {node-version: '20'}.

    Job matrix: strategy: matrix: os: [ubuntu-latest, windows-latest], node: [18, 20, 22]; every combination is tested; matrix.os and matrix.node are available inside the job.

    Artifacts: actions/upload-artifact@v4 and actions/download-artifact@v4 move files between jobs.

    Cache: actions/cache@v4 with a cache key and restore-keys as fallback; npm cache key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}.

    Concurrency: concurrency: group: ${{ github.workflow }}-${{ github.ref }}, cancel-in-progress: true cancels stale runs.
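    The callee, caller and composite action described above assembled into three files, as an added example that is not from the original page; the file names and the `npm run deploy` script are assumptions.

```yaml
# --- .github/workflows/deploy.yml: reusable workflow (callee) ---
name: Deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      API_KEY:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}   # environment protection rules apply
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-node   # composite action, defined below
        with: {node-version: '20'}
      - run: npm run deploy   # hypothetical deploy script, not from the page
        env:
          API_KEY: ${{ secrets.API_KEY }}   # only what the caller passed in
---
# --- .github/workflows/release.yml: caller ---
name: Release
on:
  push:
    branches: [main]
jobs:
  deploy-prod:
    uses: ./.github/workflows/deploy.yml   # same repo: path only, no @ref
    with:
      environment: production
    secrets:
      API_KEY: ${{ secrets.API_KEY }}   # or `secrets: inherit` to pass all
---
# --- .github/actions/setup-node/action.yml: composite action ---
name: Setup Node
inputs:
  node-version:
    required: false
    default: '20'
runs:
  using: composite
  steps:
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ inputs.node-version }}
    - run: npm ci
      shell: bash   # composite run steps must declare a shell
```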

    Changesets: package versioning in a monorepo?

    Changesets: from Atlassian. Package versioning, monorepo management, changelog generation.

    Installation: npm install -D @changesets/cli, then npx changeset init creates .changeset/.

    Add a changeset: npx changeset; pick the packages, pick the bump type (patch|minor|major), add a description; a file lands in .changeset/name-hash.md.

    Update versions: npx changeset version reads the changesets, updates package.json and generates CHANGELOG.md.

    Publish: npx changeset publish publishes to npm.

    GitHub Actions with Changesets: .github/workflows/release.yml. changeset-bot comments on each PR whether it carries a changeset. Changesets Release Action: - uses: changesets/action@v1 with the secrets GITHUB_TOKEN and NPM_TOKEN; it opens a PR with the version bumps, and merging that PR publishes.

    Snapshot releases: npx changeset version --snapshot creates test versions such as 1.0.0-snapshot-20240101.

    Pre-release: npx changeset pre enter alpha, then npx changeset and npx changeset version; leave pre-release mode with npx changeset pre exit.

    Linked packages: related versions move together; fixed: [[pkg-a, pkg-b]] keeps both at the same version.

    Ignore packages: ignoredPatterns in the changeset config, for internal packages.

    Monorepo tip: use the workspace protocol in package.json; Changesets + pnpm workspaces fit together well.

    Alternatives: release-please (Google), semantic-release, np (for single packages).
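    A Changesets release pipeline as an added example (not code from the page or from the Changesets project): the action opens the version PR while changesets are pending and publishes once it is merged. The @acme/* package names and the use of pnpm are assumptions.

```yaml
# --- .changeset/config.json (JSON is valid YAML; @acme/* are hypothetical packages) ---
{
  "baseBranch": "main",
  "access": "public",
  "fixed": [["@acme/core", "@acme/ui"]],
  "updateInternalDependencies": "patch"
}
---
# --- .github/workflows/release.yml ---
name: Release
on:
  push:
    branches: [main]
concurrency: ${{ github.workflow }}-${{ github.ref }}   # queue, never two releases at once
permissions:
  contents: write          # commit version bumps, push the release PR branch and tags
  pull-requests: write     # open the release PR
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so Changesets can see the previous tags
      - uses: pnpm/action-setup@v4   # pnpm version from "packageManager" in package.json
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - id: changesets
        uses: changesets/action@v1
        with:
          version: pnpm changeset version   # pending changesets -> opens/updates the release PR
          publish: pnpm changeset publish   # none pending (PR merged) -> publish to npm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - if: steps.changesets.outputs.published == 'true'
        run: echo "Published: $PKGS"
        env:
          PKGS: ${{ steps.changesets.outputs.publishedPackages }}
```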

    semantic-release and release-please: automatic versioning?

    semantic-release: by Stephan Bönnemann. Conventional Commits -> version, automatically.

    Installation: npm install -D semantic-release. Plugins: @semantic-release/git, @semantic-release/github, @semantic-release/npm, @semantic-release/changelog.

    .releaserc.json:

      {
        "branches": ["main"],
        "plugins": [
          "@semantic-release/commit-analyzer",
          "@semantic-release/release-notes-generator",
          "@semantic-release/changelog",
          "@semantic-release/npm",
          "@semantic-release/git",
          "@semantic-release/github"
        ]
      }

    Conventional Commits: feat: -> minor version; fix: -> patch version; feat!: or BREAKING CHANGE: -> major version; build:, chore:, ci:, docs:, style:, refactor:, perf:, test: -> no release.

    GitHub Actions: name: Release; on: push: branches: [main]; jobs: release: runs-on: ubuntu-latest; steps: checkout, setup-node, npm ci, then - name: Release with env GITHUB_TOKEN and NPM_TOKEN and run: npx semantic-release.

    Release Please: from Google. PR-based release: after every merge a PR with the version bump is opened or updated; merging that PR = release. release-please-action: - uses: googleapis/release-please-action@v4 with release-type: node and token: ${{ secrets.GITHUB_TOKEN }}. Requires Conventional Commits; the CHANGELOG is automatic.

    Comparison: semantic-release is push-based (automatic release); release-please is PR-based (review before release); Changesets is manual (the developer picks the version).

    Choice: single npm package -> semantic-release; npm monorepo -> changesets; Google Cloud -> release-please.
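    The release-please flow as an added example (not from the page or from Google's project), gated on the action's release_created output so that the publish job only runs after the release PR is merged; the npm publish step and Node version are assumptions.

```yaml
# Added example: release-please opens/updates a release PR on each push to main and,
# when that PR is merged, creates the tag and GitHub release; only then does publish run.
name: Release Please
on:
  push:
    branches: [main]
permissions:
  contents: write          # create the tag and GitHub release
  pull-requests: write     # open and update the release PR
jobs:
  release-please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4
        with:
          release-type: node
          token: ${{ secrets.GITHUB_TOKEN }}
  publish:
    needs: release-please
    if: needs.release-please.outputs.release_created == 'true'   # ordinary pushes stop here
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # npm provenance attestation via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.release-please.outputs.tag_name }}   # build exactly the released commit
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```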

    GitHub Actions security: secrets, OIDC and permissions?

    Secrets: Settings -> Secrets. GITHUB_TOKEN is automatic. Access: ${{ secrets.MY_SECRET }}. Organization secrets are shared; environment secrets are per-environment.

    OIDC (OpenID Connect): no stored AWS/GCP credentials; GitHub acts as the identity provider and the job assumes a role with its OIDC token. Requires permissions: id-token: write, contents: read.

    AWS: - uses: aws-actions/configure-aws-credentials@v4 with role-to-assume: arn:aws:iam::...:role/github-actions and aws-region: eu-central-1.

    GCP: - uses: google-github-actions/auth@v2 with workload_identity_provider: projects/.../workloadIdentityPools/.../providers/github and service_account: sa@project.iam.gserviceaccount.com.

    Granular permissions: permissions: contents: read, pull-requests: write, issues: write, id-token: write. Default: write for the repo owner, read for fork PRs. Least privilege: specify them explicitly.

    Pin actions: uses: actions/checkout@v4 (good); uses: actions/checkout@<commit SHA> (best). Prevents supply-chain attacks: a tag can be moved to different code, a commit SHA cannot.

    Dependabot for actions: .github/dependabot.yml with package-ecosystem: github-actions and schedule: weekly auto-updates the actions.

    Allow list: a list of permitted actions; allow specific orgs.

    Code scanning: CodeQL, Dependabot security updates, secret scanning.

    Branch protection: require status checks, require PR reviews, dismiss stale reviews, prevent force push.
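    An added example, not from the page, that combines the points above in one deploy workflow: least-privilege permissions, OIDC to AWS, SHA-pinned actions, Dependabot for actions, and the IAM trust policy that scopes who may assume the role. Every <...> value is a placeholder, and the S3 sync step is an assumed deploy command.

```yaml
# --- .github/workflows/deploy.yml (placeholders in <...>; the aws s3 sync step is assumed) ---
name: Deploy to S3 via OIDC
on:
  push:
    branches: [main]
permissions: {}                  # default for every job: nothing; each job opts in
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production      # the OIDC `sub` claim then names this environment
    permissions:
      contents: read             # checkout only
      id-token: write            # request an OIDC token; no AWS keys stored as secrets
    steps:
      # Pin to full commit SHAs (40 hex chars); the tag comment lets Dependabot track them.
      - uses: actions/checkout@<full-commit-sha>  # v4
      - uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/github-actions
          aws-region: eu-central-1
      - run: aws s3 sync ./dist s3://<bucket>/ --delete
---
# --- .github/dependabot.yml: weekly PRs that move the pinned SHAs forward ---
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
---
# --- IAM trust policy for the role (JSON is valid YAML). The `sub` condition limits
# who may assume it to this repo's `production` environment jobs; a branch-only trust
# would instead read "repo:<org>/<repo>:ref:refs/heads/main".
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::<account-id>:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:<org>/<repo>:environment:production"
      }
    }
  }]
}
```

    Without the `sub` condition any GitHub repository could assume the role, so the trust policy is where least privilege for OIDC actually lives.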

    GitHub Actions optimisation: cache, parallel jobs and speed tips?

    Cache npm/pnpm: key: node-${{ hashFiles('**/package-lock.json') }}, restore-keys: node-, path: ~/.npm. pnpm: path: ~/.pnpm-store, key: pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}.

    Turbo cache: npx turbo build --cache-dir=.turbo. Remote cache: Vercel Remote Cache with TURBO_TOKEN and TURBO_TEAM.

    Nx cache: nx affected --target=build; Nx Cloud for the remote cache.

    Parallel jobs: needs: the previous job, e.g. needs: [test, lint]. Fan-out: many jobs at once. Fan-in: wait for all of them.

    Conditional steps: if: github.ref == 'refs/heads/main'; if: github.event_name == 'pull_request'; if: contains(github.event.pull_request.labels.*.name, 'deploy'); if: failure() when a previous step failed; continue-on-error: true ignores the error.

    Job outputs: outputs: version: ${{ steps.version.outputs.version }}; steps: id: version, run: echo 'version=1.0.0' >> $GITHUB_OUTPUT.

    Job timeout: timeout-minutes: 30 (default 360 min); avoid waiting on hung jobs.

    Faster containers: ubuntu-latest = ubuntu-22.04, fast.

    Caching Docker layers: buildx cache with cache-from: type=gha.

    GitHub-hosted runners: ubuntu, windows, macos; macos is the most expensive.

    Self-hosted runners: your own machine; faster, no minute limit, cheaper. Runner groups at organisation level, concurrency limit, custom labels.

    Debugging: ACTIONS_STEP_DEBUG: true (as a secret), RUNNER_DEBUG logs, tmate action for SSH into the runner.
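    An added example (not from the page) wiring the cache, matrix, fan-out/fan-in, job outputs, timeouts and conditional deploy together in one CI workflow; the npm scripts (lint, test) and the deploy step are assumptions.

```yaml
# Added example; `npm run lint`, `npm test` and the deploy echo are assumed scripts.
name: CI
on: [push, pull_request]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true            # cancel superseded runs on the same branch
jobs:
  lint:                               # fan-out: lint and test start together
    runs-on: ubuntu-latest
    timeout-minutes: 10               # default is 360; fail fast on hangs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: ${{ runner.os }}-node-   # partial hit when the lockfile changed
      - uses: actions/setup-node@v4
        with: {node-version: '20'}
      - run: npm ci && npm run lint
  test:
    runs-on: ${{ matrix.os }}
    timeout-minutes: 30
    strategy:
      fail-fast: false                # let the other matrix cells finish
      matrix:
        os: [ubuntu-latest, windows-latest]
        node: [18, 20, 22]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: {node-version: '${{ matrix.node }}', cache: npm}   # cache path is OS-aware
      - run: npm ci && npm test
  build:
    needs: [test, lint]               # fan-in: waits for lint and all six test cells
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - id: version
        run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
  deploy:
    needs: build
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - run: echo "Deploying version $VERSION"
        env:
          VERSION: ${{ needs.build.outputs.version }}   # pass data via env, not shell interpolation
```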
