First GitHub Action

CI hello world.

Overview

The first GitHub Action shifts CI into the same surface as code review. Workflow YAML lives in the repo, runs on every push, and reads like the rest of the engineering surface rather than living in a separate vendor console.

• Workflow YAML in repo. .github/workflows/ci.yml is the standard location. Code review of CI happens alongside code review of code.
• Marketplace actions. Reusable building blocks for Node, Python, Go, Docker, AWS auth. Stand on someone else’s well-tested shoulders.
• Matrix strategy. Test across OS, language version, dependency version. The matrix shape is built in, not glued together.
• Secrets and OIDC. Per-repo and per-org secrets for static credentials; OIDC for short-lived credentials to AWS, GCP, and Azure.

The approach

Three habits separate a CI workflow that lasts from one that rots in the first quarter: workflow lives in the repo, OIDC replaces static credentials, and marketplace actions are pinned to SHA.

• Workflow in repo. The CI definition is part of the codebase, reviewed with the same gravity as production code.
• OIDC for cloud. Short-lived credentials replace long-lived API keys. The blast radius of a leak shrinks dramatically.
• Pin marketplace actions to SHA. uses: actions/checkout@a3f..., not @v4. SHAs are immutable; tags can be force-pushed.
• Reusable workflows. Per-org reusable workflows turn 30 lines of repeated YAML into one uses: line per repo.

Why this compounds

The first workflow is investment; the next ones reuse the patterns. Within a year the team has a CI surface that is consistent across every repo without anyone consciously enforcing it.

• Faster feedback. Push triggers a workflow within seconds. Engineers see test failures before they switch tasks.
• Stronger security. OIDC plus SHA-pinned actions removes the two largest CI security failure modes.
• Cross-repo reuse. Marketplace plus reusable workflows scale to dozens of repos without per-repo maintenance burden.
• Year-one investment, year-two habit. The first CI definition takes a day. The fourth takes an hour because the patterns are reusable.