5.2: GitHub Actions Configuration
What You'll Learn
- Understand the core components and capabilities of GitHub Actions.
- Learn how to integrate AI-powered features for code review, testing, and ML pipelines within GitHub Actions workflows.
- Explore best practices and examples for configuring robust and efficient CI/CD pipelines with AI.
16.02.1 GitHub Copilot for GitHub Actions
Overview
GitHub Copilot provides AI-powered assistance for writing GitHub Actions workflows directly in the editor.
Features
- Workflow Generation: Copilot can suggest complete workflow files based on comments or partial YAML
- Action Suggestions: Autocomplete for action names, parameters, and common patterns
- Context-Aware: Understands repository context (languages, frameworks) to suggest relevant workflows
How to Enable
- Subscribe to GitHub Copilot (Individual, Business, or Enterprise)
- Install GitHub Copilot extension in VS Code, JetBrains, or other supported IDEs
- Open a
.github/workflows/*.ymlfile - Start typing or add a comment describing what you want
YAML Example
# Create a workflow that runs tests on Node.js 18 and 20
# Copilot will expand this into:
name: Node.js CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x, 20.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- run: npm ci
- run: npm test
Pricing
Note: Pricing as of Q4 2024. Verify current plans at github.com/features/copilot.
- GitHub Copilot Individual: $10/month or $100/year
- GitHub Copilot Business: $19/user/month
- GitHub Copilot Enterprise: $39/user/month
- Free: For verified students, teachers, and maintainers of popular open-source projects
Limitations
- Requires active GitHub Copilot subscription
- Suggestions quality depends on context and clarity of comments
- May suggest outdated action versions (always verify latest versions)
Best Practices
- Write clear, descriptive comments before generating workflows
- Review and test all generated workflows
- Update action versions to latest stable releases
- Use Copilot as a starting point, not final solution
16.02.2 AI-Powered Code Review with GitHub Actions
A. CodeRabbit AI
Action: coderabbitai/ai-pr-reviewer@latest
Marketplace: https://github.com/marketplace/code-rabbit
Note: Action version
@latestshown for simplicity. Pin to specific versions (e.g.,@v2.0.0) in production for reproducibility.
Configuration
name: Code Review
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: coderabbitai/ai-pr-reviewer@latest
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
openai_api_key: ${{ secrets.OPENAI_API_KEY }}
language: en
review_simple_changes: false
review_comment_lgtm: false
Features
- Line-by-line code review
- Security vulnerability detection
- Best practice suggestions
- Performance optimization tips
Pricing
- Free tier: Limited reviews per month
- Pro: $15/month per user
- Team: Custom pricing
B. Bito AI Code Review
Action: gitbito/bitoai-code-review@v1
Configuration
name: Bito AI Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
bito-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitbito/bitoai-code-review@v1
with:
bito_api_key: ${{ secrets.BITO_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
Features
- AI-powered code suggestions
- Security analysis
- Code quality metrics
- Documentation suggestions
Pricing
- Free: 100 AI requests/month
- Pro: $15/month unlimited requests
- Enterprise: Custom pricing
C. Codacy AI
Action: codacy/codacy-analysis-cli-action@master
Configuration
name: Codacy Analysis
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
codacy-security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: codacy/codacy-analysis-cli-action@master
with:
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
upload: true
max-allowed-issues: 2147483647
Features
- Static code analysis
- Security pattern detection
- Code duplication detection
- Quality gates
Pricing
- Open Source: Free
- Pro: $15/user/month
- Business: $25/user/month
D. SonarCloud with AI
Action: SonarSource/sonarcloud-github-action@master
Configuration
name: SonarCloud Analysis
on:
push:
branches: [ main ]
pull_request:
types: [opened, synchronize, reopened]
jobs:
sonarcloud:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Features
- Code quality analysis
- Security hotspot detection
- Bug detection
- Code smell identification
Pricing
- Free: For open-source projects
- Paid: Starting at $10/month for private repositories
16.02.3 AI-Powered Testing with GitHub Actions
A. Diffblue Cover - AI Test Generation
Action: diffblue/cover-github-action@main
Configuration
name: Diffblue Cover
on:
pull_request:
branches: [ main ]
jobs:
diffblue-cover:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- uses: diffblue/cover-github-action@main
with:
access-token: ${{ secrets.DIFFBLUE_ACCESS_TOKEN }}
license-key: ${{ secrets.DIFFBLUE_LICENSE_KEY }}
Features
- Automatic unit test generation for Java
- Regression test creation
- Test maintenance and updates
- Coverage improvement suggestions
Pricing
- Enterprise only - Contact for pricing
- Free trial available
B. Launchable - Flaky Test Detection
Action: launchableinc/setup-launchable@v1
Configuration
name: Test with Launchable
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: launchableinc/setup-launchable@v1
- name: Record build
run: launchable record build --name ${{ github.run_id }}
env:
LAUNCHABLE_TOKEN: ${{ secrets.LAUNCHABLE_TOKEN }}
- name: Run tests
run: |
launchable subset --target 50% pytest tests/ > subset.txt
pytest --junit-xml=results.xml $(cat subset.txt)
- name: Record test results
run: launchable record tests --build ${{ github.run_id }} pytest results.xml
if: always()
env:
LAUNCHABLE_TOKEN: ${{ secrets.LAUNCHABLE_TOKEN }}
Features
- Flaky test detection and tracking
- Predictive test selection
- Test optimization and subset selection
- Test insights and analytics
Pricing
- Free tier: Limited builds per month
- Team: $75/month
- Enterprise: Custom pricing
C. BuildPulse - Flaky Test Management
Action: buildpulse/buildpulse-action@main
Configuration
name: Tests with BuildPulse
on: [push, pull_request]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run tests
run: npm test -- --reporter=json > test-results.json
- uses: buildpulse/buildpulse-action@main
if: always()
with:
account: your-account-id
repository: your-repo-id
path: test-results.json
key: ${{ secrets.BUILDPULSE_ACCESS_KEY_ID }}
secret: ${{ secrets.BUILDPULSE_SECRET_ACCESS_KEY }}
Features
- Automatic flaky test detection
- Test stability scoring
- Historical test analytics
- Root cause analysis
Pricing
- Free: For open-source projects
- Starter: $29/month
- Professional: $99/month
- Enterprise: Custom pricing
D. DeepCode AI Testing
Action: Integrated with Snyk
Configuration
name: Snyk AI Testing
on: [push, pull_request]
jobs:
snyk:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: test
args: --severity-threshold=high
Features
- AI-powered vulnerability testing
- Dependency analysis
- License compliance checking
- Fix suggestions with AI
Pricing
- Free: Limited scans
- Team: $52/month
- Enterprise: Custom pricing
16.02.4 MLOps Pipelines with GitHub Actions
A. CML (Continuous Machine Learning)
Action: iterative/setup-cml@v2
Configuration
name: CML Pipeline
on: [push]
jobs:
train:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: iterative/setup-cml@v2
- name: Train model
env:
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
pip install -r requirements.txt
python train.py
# Generate metrics report
cat metrics.txt >> report.md
cml comment create report.md
Advanced Example with DVC
name: CML with DVC
on: [push]
jobs:
train-and-report:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: iterative/setup-cml@v2
- uses: iterative/setup-dvc@v1
- name: Train model
env:
REPO_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
dvc pull
dvc repro
# Create report with plots
echo "# Model Training Report" > report.md
echo "## Metrics" > report.md
dvc metrics show --md > report.md
echo "## Plots" > report.md
dvc plots show --json > plots.json
cml publish confusion_matrix.png --md > report.md
cml comment create report.md
Features
- Model training automation
- Experiment tracking
- Visual reports in PR comments
- Integration with DVC, TensorFlow, PyTorch
Pricing
- Free and open-source
- Self-hosted or cloud runners
B. MLflow with GitHub Actions
Custom Setup
Configuration
name: MLflow Pipeline
on: [push]
jobs:
ml-pipeline:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install dependencies
run: |
pip install mlflow scikit-learn boto3
- name: Train and log model
env:
MLFLOW_TRACKING_URI: ${{ secrets.MLFLOW_TRACKING_URI }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
python train.py
- name: Register model
run: |
python register_model.py
Features
- Experiment tracking
- Model registry
- Model versioning
- Deployment automation
Pricing
- Open-source: Free
- Managed MLflow (Databricks): Varies
C. Weights & Biases (W&B) Integration
Configuration
name: W&B Training Pipeline
on: [push]
jobs:
train:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install dependencies
run: pip install wandb torch torchvision
- name: Train model
env:
WANDB_API_KEY: ${{ secrets.WANDB_API_KEY }}
run: |
wandb login
python train.py
- name: Create W&B report
run: |
python generate_report.py > report_url.txt
echo "::notice title=W&B Report::$(cat report_url.txt)"
Features
- Experiment visualization
- Hyperparameter sweeps
- Model evaluation
- Team collaboration
Pricing
- Free: Individual use, unlimited experiments
- Teams: $50/seat/month
- Enterprise: Custom pricing
D. TensorFlow Extended (TFX) Pipeline
Configuration
name: TFX Pipeline
on:
push:
branches: [ main ]
jobs:
tfx-pipeline:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Install TFX
run: pip install tfx tensorflow
- name: Run pipeline
run: |
python pipeline.py
- name: Validate model
run: |
python validate_model.py
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: model-artifacts
path: serving_model/
Features
- Complete ML pipeline orchestration
- Data validation
- Model analysis
- Serving infrastructure
Pricing
- Open-source: Free
- GCP integration: Pay for compute
E. Kubeflow Pipeline Trigger
Configuration
name: Kubeflow Pipeline
on:
workflow_dispatch:
inputs:
pipeline_name:
description: 'Pipeline to run'
required: true
jobs:
trigger-pipeline:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Kubeflow SDK
run: pip install kfp
- name: Trigger pipeline
env:
KUBEFLOW_ENDPOINT: ${{ secrets.KUBEFLOW_ENDPOINT }}
KUBEFLOW_TOKEN: ${{ secrets.KUBEFLOW_TOKEN }}
run: |
python trigger_pipeline.py --name ${{ github.event.inputs.pipeline_name }}
Features
- Kubernetes-native ML workflows
- Pipeline orchestration
- Experiment management
- Model deployment
Pricing
- Open-source: Free
- Cloud provider costs apply
16.02.5 Leveraging Third-Party AI Actions
A. OpenAI GPT Actions
1. GPT Code Review
**Action**: `openai/gpt-code-review-action@v1` (Community)name: GPT Code Review
on: [pull_request]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: openai/gpt-code-review-action@v1
with:
openai_api_key: ${{ secrets.OPENAI_API_KEY }}
github_token: ${{ secrets.GITHUB_TOKEN }}
model: gpt-4
2. AI Commit Message Generator
**Action**: `guanguans/ai-commit@v1`name: AI Commit Messages
on:
push:
branches: [ main ]
jobs:
generate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: guanguans/ai-commit@v1
with:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
B. Amazon CodeGuru Reviewer
**Action**: `aws-actions/codeguru-reviewer@v1.1`Configuration
```yaml name: CodeGuru Review on: pull_request: branches: [ main ]jobs: codeguru: runs-on: ubuntu-latest permissions: contents: read pull-requests: write security-events: write steps: - uses: actions/checkout@v4 with: fetch-depth: 0
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: aws-actions/codeguru-reviewer@v1.1
with:
build_path: ./
<h4>Features</h4>
- ML-powered code recommendations
- Security vulnerability detection
- Resource leak detection
- Best practice suggestions
<h4>Pricing</h4>
- Free tier: First 100,000 lines of code/month
- Beyond free tier: $10/100,000 lines
<h3>C. Tabnine AI</h3>
**Integration via API** (No official action, but can be integrated)
```yaml
name: Tabnine Code Analysis
on: [push]
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Tabnine analysis
run: |
# Custom script using Tabnine API
python tabnine_analyze.py
env:
TABNINE_API_KEY: ${{ secrets.TABNINE_API_KEY }}
D. DeepSource AI
**Action**: `deepsourcelabs/test-coverage-action@master`Configuration
```yaml name: DeepSource on: push: branches: [ main ] pull_request: branches: [ main ]jobs: analyze: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0
- name: Report test coverage
uses: deepsourcelabs/test-coverage-action@master
with:
key: python
coverage-file: coverage.xml
dsn: ${{ secrets.DEEPSOURCE_DSN }}
<h4>Features</h4>
- Automated code quality analysis
- Security analysis
- Performance antipatterns
- Auto-fix suggestions
<h4>Pricing</h4>
- Free: For open-source
- Starter: $30/user/month
- Pro: $50/user/month
<h3>E. Qodana by JetBrains</h3>
**Action**: `JetBrains/qodana-action@v2024.1`
<h4>Configuration</h4>
```yaml
name: Qodana
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
qodana:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: JetBrains/qodana-action@v2024.1
with:
args: --linter,jetbrains/qodana-jvm:latest
env:
QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
Features
- IntelliJ-based static analysis - Smart refactoring suggestions - Code quality gates - Vulnerability detectionPricing
- Free: For open-source and small teams - Team: $16.67/user/month - Enterprise: Custom pricingF. Checkmarx AI Security
**Action**: `checkmarx/ast-github-action@main`Configuration
```yaml name: Checkmarx Scan on: push: branches: [ main ] pull_request: branches: [ main ]jobs: checkmarx: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- uses: checkmarx/ast-github-action@main
with:
cx_tenant: ${{ secrets.CX_TENANT }}
cx_client_id: ${{ secrets.CX_CLIENT_ID }}
cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }}
project_name: ${{ github.repository }}
<h4>Features</h4>
- AI-powered SAST scanning
- Dependency scanning
- API security testing
- Container scanning
<h4>Pricing</h4>
- Enterprise only - Contact for pricing
<h2>16.02.6 GitHub Actions for Embedded Systems</h2>
<h3>A. ARM Cross-Compilation Actions</h3>
<h4>1. ARM Toolchain Setup</h4>
**Action**: `carlosperate/arm-none-eabi-gcc-action@v1`
```yaml
name: ARM Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: carlosperate/arm-none-eabi-gcc-action@v1
with:
release: '10-2020-q4'
- name: Build firmware
run: |
arm-none-eabi-gcc --version
make all
- name: Upload binary
uses: actions/upload-artifact@v4
with:
name: firmware
path: build/*.bin
2. Multi-Architecture Build
**Using Docker**name: Multi-Arch Build
on: [push]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
arch: [armv7, aarch64, riscv64]
steps:
- uses: actions/checkout@v4
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Build for ${{ matrix.arch }}
run: |
docker buildx build \
--platform linux/${{ matrix.arch }} \
-t myapp:${{ matrix.arch }} \
--load .
- name: Extract binary
run: |
docker create --name temp myapp:${{ matrix.arch }}
docker cp temp:/app/binary ./binary-${{ matrix.arch }}
docker rm temp
- uses: actions/upload-artifact@v4
with:
name: binary-${{ matrix.arch }}
path: binary-${{ matrix.arch }}
B. Zephyr RTOS Development
1. Zephyr Build Action
**Action**: `zephyrproject-rtos/action-zephyr-build@v1`name: Zephyr Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
container:
image: zephyrprojectrtos/ci:latest
steps:
- uses: actions/checkout@v4
with:
path: app
- name: Initialize Zephyr workspace
run: |
west init -l app
west update
west zephyr-export
- name: Build for multiple boards
run: |
cd app
west build -b qemu_cortex_m3 -p
west build -b nrf52840dk_nrf52840 -p
west build -b stm32f4_disco -p
- name: Run tests
run: |
cd app
west build -t run
- uses: actions/upload-artifact@v4
with:
name: zephyr-binaries
path: app/build/zephyr/zephyr.*
2. Advanced Zephyr Pipeline with Testing
```yaml name: Zephyr CI/CD on: push: branches: [ main ] pull_request: branches: [ main ]jobs: build-and-test: runs-on: ubuntu-latest container: image: zephyrprojectrtos/ci:latest strategy: matrix: board: - qemu_cortex_m3 - nrf52840dk_nrf52840 - stm32f4_disco - esp32 steps: - uses: actions/checkout@v4 with: path: app submodules: recursive
- name: Setup Zephyr
run: |
west init -l app
west update
west zephyr-export
pip install -r zephyr/scripts/requirements.txt
- name: Build for ${{ matrix.board }}
run: |
cd app
west build -b ${{ matrix.board }} -p auto
- name: Run unit tests (QEMU only)
if: startsWith(matrix.board, 'qemu_')
run: |
cd app
west build -t run
- name: Static analysis
run: |
cd app
west build -t checkpatch
- name: Code coverage (QEMU only)
if: matrix.board == 'qemu_cortex_m3'
run: |
cd app
west build -t coverage
- uses: actions/upload-artifact@v4
with:
name: ${{ matrix.board }}-build
path: |
app/build/zephyr/zephyr.bin
app/build/zephyr/zephyr.hex
app/build/zephyr/zephyr.elf
<h3>C. PlatformIO for Embedded Development</h3>
**Action**: `platformio/platformio-action@v1`
<h4>Configuration</h4>
```yaml
name: PlatformIO Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
environment:
- esp32dev
- nanoatmega328
- bluepill_f103c8
- teensy41
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cache/pip
~/.platformio/.cache
key: ${{ runner.os }}-pio-${{ hashFiles('**/platformio.ini') }}
- uses: platformio/platformio-action@v1
with:
environment: ${{ matrix.environment }}
target: build
- uses: platformio/platformio-action@v1
with:
environment: ${{ matrix.environment }}
target: test
- name: Upload firmware
uses: actions/upload-artifact@v4
with:
name: firmware-${{ matrix.environment }}
path: .pio/build/${{ matrix.environment }}/firmware.*
Advanced with Testing and Analysis
```yaml name: PlatformIO Advanced CI on: [push, pull_request]jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- uses: platformio/platformio-action@v1
with:
target: test
environment: native
- name: Code coverage
run: |
pio test --environment native --coverage
lcov --summary .pio/build/native/coverage.info
- uses: codecov/codecov-action@v4
with:
files: .pio/build/native/coverage.info
static-analysis: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4
- uses: platformio/platformio-action@v1
with:
target: check
check-flags: --severity=high
build: needs: [test, static-analysis] runs-on: ubuntu-latest strategy: matrix: board: - esp32dev - esp8266 - nrf52840_dk steps: - uses: actions/checkout@v4
- uses: platformio/platformio-action@v1
with:
environment: ${{ matrix.board }}
target: build
- uses: actions/upload-artifact@v4
with:
name: firmware-${{ matrix.board }}
path: .pio/build/${{ matrix.board }}/firmware.bin
<h3>D. ESP-IDF (Espressif IoT Development Framework)</h3>
**Action**: `espressif/esp-idf-ci-action@v1`
<h4>Configuration</h4>
```yaml
name: ESP-IDF Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
container:
image: espressif/idf:latest
strategy:
matrix:
target: [esp32, esp32s2, esp32s3, esp32c3]
steps:
- uses: actions/checkout@v4
- name: Build for ${{ matrix.target }}
run: |
. $IDF_PATH/export.sh
idf.py set-target ${{ matrix.target }}
idf.py build
- name: Run unit tests (ESP32 only)
if: matrix.target == 'esp32'
run: |
. $IDF_PATH/export.sh
idf.py build
idf.py test
- uses: actions/upload-artifact@v4
with:
name: firmware-${{ matrix.target }}
path: build/*.bin
E. Cross-Compilation Matrix
Comprehensive Cross-Platform Build
```yaml name: Cross-Platform Build on: [push, pull_request]jobs: build: runs-on: ${{ matrix.os }} strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] target: - x86_64-unknown-linux-gnu - aarch64-unknown-linux-gnu - armv7-unknown-linux-gnueabihf - x86_64-apple-darwin - aarch64-apple-darwin - x86_64-pc-windows-msvc exclude: # Exclude incompatible combinations - os: macos-latest target: x86_64-unknown-linux-gnu - os: macos-latest target: aarch64-unknown-linux-gnu - os: windows-latest target: x86_64-apple-darwin steps: - uses: actions/checkout@v4
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
target: ${{ matrix.target }}
override: true
- uses: actions-rs/cargo@v1
with:
use-cross: true
command: build
args: --release --target ${{ matrix.target }}
- name: Package binary
run: |
mkdir -p artifacts
cp target/${{ matrix.target }}/release/myapp* artifacts/
- uses: actions/upload-artifact@v4
with:
name: binary-${{ matrix.target }}
path: artifacts/*
<h3>F. Nordic nRF Connect SDK</h3>
<h4>Configuration</h4>
```yaml
name: nRF Connect Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
container:
image: nordicplayground/nrfconnect-sdk:latest
steps:
- uses: actions/checkout@v4
with:
path: app
- name: Initialize workspace
run: |
west init -l app
west update
west zephyr-export
- name: Build for nRF devices
run: |
cd app
west build -b nrf52840dk_nrf52840 -p
west build -b nrf5340dk_nrf5340_cpuapp -p
west build -b nrf9160dk_nrf9160_ns -p
- name: Flash and test (if hardware available)
if: runner.environment == 'self-hosted'
run: |
cd app
west flash
west attach
- uses: actions/upload-artifact@v4
with:
name: nrf-firmware
path: app/build/zephyr/*.hex
16.02.7 Best Practices for AI-Powered GitHub Actions
1. Security Considerations
```yaml # Always use secrets for API keys env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}Limit permissions
permissions: contents: read pull-requests: write
Pin action versions for security
- uses: actions/checkout@v4 # Not @main or @latest
<h3>2. Cost Optimization</h3>
```yaml
# Cache dependencies
- uses: actions/cache@v4
with:
path: ~/.cache
key: ${{ runner.os }}-cache-${{ hashFiles('**/requirements.txt') }}
# Run AI actions only on specific conditions
on:
pull_request:
types: [opened, synchronize]
paths:
- 'src/**'
- '!**/*.md'
3. Performance Optimization
```yaml # Use matrix builds for parallel execution strategy: matrix: target: [arm, x86, riscv]Use self-hosted runners for heavy workloads
runs-on: self-hosted
<h3>4. Error Handling</h3>
```yaml
# Continue on error for non-critical steps
- name: AI Code Review
continue-on-error: true
uses: ai-reviewer@v1
# Always upload results even if tests fail
- uses: actions/upload-artifact@v4
if: always()
5. Monitoring and Observability
```yaml # Add notifications - name: Notify on failure if: failure() uses: actions/github-script@v7 with: script: | github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, body: '[FAIL] CI pipeline failed. Please check the logs.' }) ```16.02.8 Recommended Starter Workflows
1. Minimal AI Code Review
```yaml name: AI Review on: [pull_request] jobs: review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: coderabbitai/ai-pr-reviewer@latest with: github_token: ${{ secrets.GITHUB_TOKEN }} openai_api_key: ${{ secrets.OPENAI_API_KEY }} ```2. Basic ML Pipeline
```yaml name: ML Pipeline on: [push] jobs: train: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: iterative/setup-cml@v2 - run: | pip install -r requirements.txt python train.py ```3. Simple Embedded Build
```yaml name: ARM Build on: [push] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: carlosperate/arm-none-eabi-gcc-action@v1 - run: make all ```16.02.9 Comprehensive CI/CD Pipeline Example
name: Complete Docker CI/CD Pipeline
# Comprehensive pipeline demonstrating:
# - Multi-architecture builds
# - Security scanning (Trivy, Snyk, Docker Scout)
# - Image optimization
# - Cache optimization
# - SBOM generation
# - Deployment
on:
push:
branches: [main, develop]
tags: ['v*']
pull_request:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
PLATFORMS: linux/amd64,linux/arm64,linux/arm/v7
jobs:
# Job 1: Lint and validate Dockerfile
dockerfile-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Lint Dockerfile with Hadolint
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
failure-threshold: warning
# Job 2: Build and push multi-arch images
build-and-push:
runs-on: ubuntu-latest
needs: dockerfile-lint
permissions:
contents: read
packages: write
id-token: write
outputs:
image-digest: ${{ steps.build.outputs.digest }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
image=moby/buildkit:latest
network=host
- name: Log in to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,prefix={{branch}}-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v5
with:
context: .
platforms: ${{ env.PLATFORMS }}
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ IMAGE_NAME }}:buildcache,mode=max
build-args: |
BUILDKIT_INLINE_CACHE=1
VERSION=${{ steps.meta.outputs.version }}
- name: Export digest
run: |
mkdir -p /tmp/digests
echo "${{ steps.build.outputs.digest }}" > /tmp/digests/digest.txt
- name: Upload digest
uses: actions/upload-artifact@v3
with:
name: digests
path: /tmp/digests/digest.txt
retention-days: 1
# Job 3: Security scanning with Trivy
trivy-scan:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
permissions:
security-events: write
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
exit-code: '0'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Generate vulnerability report
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'json'
output: 'trivy-report.json'
- name: Upload vulnerability report
uses: actions/upload-artifact@v3
with:
name: trivy-report
path: trivy-report.json
# Job 4: Security scanning with Snyk
snyk-scan:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Run Snyk to check Docker image
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
args: --severity-threshold=high --file=Dockerfile
- name: Upload Snyk results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: snyk.sarif
# Job 5: Docker Scout analysis
scout-scan:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v4
- name: Docker Scout CVE scan
uses: docker/scout-action@v1
with:
command: cves
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
only-severities: critical,high
exit-code: false
- name: Docker Scout recommendations
uses: docker/scout-action@v1
with:
command: recommendations
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
# Job 6: SBOM generation
sbom-generation:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
steps:
- name: Generate SBOM with Syft
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: cyclonedx-json
output-file: sbom.json
- name: Upload SBOM
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.json
- name: Attach SBOM to release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v1
with:
files: sbom.json
# Job 7: Image analysis with Dive
image-analysis:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
steps:
- name: Analyze image efficiency
run: |
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
wagoodman/dive:latest \
--ci \
--lowestEfficiency=90 \
${{ env.REGISTRY }}/${{ IMAGE_NAME }}:latest
# Job 8: Run integration tests
integration-tests:
runs-on: ubuntu-latest
needs: build-and-push
if: github.event_name != 'pull_request'
strategy:
matrix:
platform: [linux/amd64, linux/arm64]
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Pull image
run: |
docker pull --platform ${{ matrix.platform }} \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Run tests
run: |
docker run --rm --platform ${{ matrix.platform }} \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
python -m pytest tests/
- name: Health check test
run: |
docker run -d --name test-container --platform ${{ matrix.platform }} \
-p 8000:8000 \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
sleep 10
curl -f http://localhost:8000/health || exit 1
docker stop test-container
# Job 9: Deploy to staging (example)
deploy-staging:
runs-on: ubuntu-latest
needs: [trivy-scan, snyk-scan, integration-tests]
if: github.ref == 'refs/heads/main'
environment:
name: staging
url: https://staging.example.com
steps:
- name: Deploy to staging
run: |
echo "Deploying to staging environment"
# Add your deployment commands here
# Examples:
# - kubectl set image deployment/app app=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
# - helm upgrade --install myapp ./chart --set image.tag=latest
# - docker stack deploy -c docker-compose.yml mystack
# Job 10: Deploy to production (on tags only)
deploy-production:
runs-on: ubuntu-latest
needs: [trivy-scan, snyk-scan, integration-tests]
if: startsWith(github.ref, 'refs/tags/v')
environment:
name: production
url: https://production.example.com
steps:
- name: Extract version
id: version
run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
- name: Deploy to production
run: |
echo "Deploying version ${{ steps.version.outputs.VERSION }} to production"
# Add production deployment commands
# Job 11: Notification
notify:
runs-on: ubuntu-latest
needs: [deploy-staging, deploy-production]
if: always()
steps:
- name: Send notification
run: |
# Send Slack/Discord/Email notification
echo "Pipeline completed with status: ${{ job.status }}"
Summary
GitHub Actions provides a flexible and powerful platform for automating CI/CD workflows, with a rapidly growing ecosystem of AI-powered integrations. From AI code review with Copilot and third-party actions to advanced MLOps pipelines and specialized embedded development tools, GitHub Actions enables teams to build highly intelligent, efficient, and secure software delivery processes. By leveraging its extensive marketplace and native features, developers can significantly enhance code quality, accelerate testing, and streamline the deployment of complex systems, including those in the embedded domain. Adhering to best practices for security, cost, performance, and error handling is crucial for maximizing the benefits of AI in GitHub Actions.
References
- GitHub Actions: https://docs.github.com/actions
- GitHub Copilot: https://docs.github.com/copilot
- GitHub Marketplace: https://github.com/marketplace?type=actions
- CML Documentation: https://cml.dev
- MLflow Documentation: https://mlflow.org/docs
- W&B Documentation: https://docs.wandb.ai
- Zephyr Project: https://docs.zephyrproject.org
- PlatformIO: https://docs.platformio.org
- ESP-IDF: https://docs.espressif.com/projects/esp-idf