Tools

Tools: 5 GitHub Actions mistakes that will slow down (or break) your CI/CD pipeline. (2026)

2026-04-18 0 views admin
Tools: 5 GitHub Actions mistakes that will slow down (or break) your CI/CD pipeline. (2026)

1. You're not caching dependencies and it's costing you minutes per run.

2. You're pushing to Docker Hub when GHCR is sitting right there.

3. Your production deploy is one accidental push away from triggering.

4. You're putting everything in secrets when half of it should be in vars.

5. You're pinning actions/checkout@v4 but running on ubuntu-latest. Most GitHub Actions tutorials get you to a green checkmark. Very few of them help you understand why your pipeline takes 8 minutes when it should take 2, or why your production deploy triggered from a feature branch PR at 11pm on a Friday. After working with a lot of engineering teams setting up CI/CD from scratch, these are the patterns that come up again and again. The single fastest win in any GitHub Actions pipeline is dependency caching. Most people skip it because the pipeline "works." It does work. It's just running npm install or pip install from scratch on every single run. The hashFiles key is the part that matters: the cache invalidates automatically when your lockfile changes, so you always get fresh deps when you actually update something. When it hits, you skip the install entirely. On a mid-size Node project, this typically cuts 2–4 minutes per run. GitHub Container Registry (GHCR) is built into GitHub and works with the GITHUB_TOKEN that already exists in every workflow. No extra secrets, no separate account, no rate limiting surprises. The catch that trips people up: you need to explicitly grant the packages: write permission in your job definition. Without it, the push will fail with a misleading auth error. Then authenticate like this: No secrets to rotate, no third-party dependency, and images are scoped to your repo automatically. If your workflow deploys to production on every push to main, that's fine until someone force-pushes a fix, a bot commits a version bump, or a merge goes sideways. The pattern that solves this is a separate deploy job with an if condition and needs chaining: The environment: production line is the one most people miss. If you've configured environment protection rules in GitHub (Settings → Environments), this gates the deploy behind required reviewers or a manual approval. It's free on public repos and included in Team plans for private ones. This means: automated deploys from main, but with a human checkpoint before anything touches production. GitHub has two distinct places for pipeline configuration: Secrets (encrypted, write-only, for credentials) and Variables (plaintext, readable in UI, for config values). Most teams put everything in secrets. That means your APP_ENV=production or LOG_LEVEL=info is encrypted and invisible in the GitHub UI, which makes debugging and auditing unnecessarily painful. Variables are accessed with the vars context: Practical rule: if the value isn't a credential, a token, or a key, it belongs in vars. This is a subtle one. Pinning action versions (e.g., actions/checkout@v4) is good practice, it prevents upstream changes from breaking your pipeline without warning. But then running runs-on: ubuntu-latest undoes some of that stability. ubuntu-latest is an alias that GitHub updates periodically (currently ubuntu-24.04, soon to rotate again), and those updates can change pre-installed tool versions, breaking pipelines that depend on system-level tools. If stability matters more than getting the latest runner features: You'll need to update it manually when the version reaches end-of-life, but you control when that happens, not GitHub's release schedule. These are the patterns that separate a "it works" pipeline from one that's actually reliable in production. The full step-by-step guide covering the complete pipeline structure, including Kubernetes deploy jobs, multi-environment promotion workflows, and secrets management at scale, is at thegoodshell.com. Happy to answer questions in the comments if you are working through any of these. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Code Block

Copy

- name: Cache node modules uses: actions/cache@v4 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} restore-keys: | ${{ runner.os }}-node- - name: Cache node modules uses: actions/cache@v4 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} restore-keys: | ${{ runner.os }}-node- - name: Cache node modules uses: actions/cache@v4 with: path: ~/.npm key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} restore-keys: | ${{ runner.os }}-node- jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write # ← this line is required, not optional jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write # ← this line is required, not optional jobs: build-and-push: runs-on: ubuntu-latest permissions: contents: read packages: write # ← this line is required, not optional - name: Log in to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Log in to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} deploy-production: runs-on: ubuntu-latest needs: [lint-and-test, build-and-push] if: github.ref == 'refs/heads/main' && github.event_name == 'push' environment: production deploy-production: runs-on: ubuntu-latest needs: [lint-and-test, build-and-push] if: github.ref == 'refs/heads/main' && github.event_name == 'push' environment: production deploy-production: runs-on: ubuntu-latest needs: [lint-and-test, build-and-push] if: github.ref == 'refs/heads/main' && github.event_name == 'push' environment: production env: APP_ENV: ${{ vars.APP_ENV }} LOG_LEVEL: ${{ vars.LOG_LEVEL }} DATABASE_URL: ${{ secrets.DATABASE_URL }} # this one actually needs to be a secret env: APP_ENV: ${{ vars.APP_ENV }} LOG_LEVEL: ${{ vars.LOG_LEVEL }} DATABASE_URL: ${{ secrets.DATABASE_URL }} # this one actually needs to be a secret env: APP_ENV: ${{ vars.APP_ENV }} LOG_LEVEL: ${{ vars.LOG_LEVEL }} DATABASE_URL: ${{ secrets.DATABASE_URL }} # this one actually needs to be a secret runs-on: ubuntu-22.04 # pinned, not latest runs-on: ubuntu-22.04 # pinned, not latest runs-on: ubuntu-22.04 # pinned, not latest

🏷️ Tags

toolsutilitiessecurity toolsgithubactionsmistakesbreakpipeline

More from Tools

Tools: Latest: How to Fix 502 Bad Gateway in Nginx (With Exact Commands)

Tools: Latest: How to Fix 502 Bad Gateway in Nginx (With Exact Commands)

2026-04-18 0
Tools: Reading and Reacting to Contract State from a Frontend (2026)

Tools: Reading and Reacting to Contract State from a Frontend (2026)

2026-04-18 0
Tools: How to Audit Your Site's AI Search Visibility in 30 Minutes (with a Free CLI) - Guide

Tools: How to Audit Your Site's AI Search Visibility in 30 Minutes (with a Free CLI) - Guide

2026-04-18 0
Tools: Docker Security Best Practices for Self-Hosters in 2026

Tools: Docker Security Best Practices for Self-Hosters in 2026

2026-04-18 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views