...
Always use a matrix for versions like Python/Django, even if there’s only one. This makes it easier to understand and adjust the versions.
Dynamic Matrix
To dynamically set matrix values in a maintainable way, you can utilize https://github.com/actions/github-script
```yaml
jobs:
  setup-matrix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        id: generate_matrix
        with:
          script: |
            var nodeVersions = [16, 18];
            // logic to add/remove node versions
            // setOutput serializes the array as JSON for the consuming job
            core.setOutput('nodeVersions', nodeVersions);
    # Expose the step output as a job output so other jobs can read it
    outputs:
      node_versions: ${{ steps.generate_matrix.outputs.nodeVersions }}
  run_tests:
    needs: [setup-matrix]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # fromJson turns the JSON string back into a list of matrix values
        version: ${{ fromJson(needs.setup-matrix.outputs.node_versions) }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.version }}
      - run: |
          npm ci
          npm run test
```
Security
Use GitHub repo or organization secrets for credentials.
Be careful to avoid script injection attacks: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
References to other GitHub actions use tags like @v3. This is not a specific reference and will change if the author of the action updates it. This might not be what you want. You can use a full SHA reference instead to be certain of the version you are getting.
Actions and workflows can have a permissions clause that limits the actions permissible with the implicit GitHub token: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
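The three checks above (script injection, mutable tags, missing permissions) can be automated in review. The following is an added example, not part of the original page or of any GitHub tooling: a small line-based auditor whose function name, rule names and list of untrusted contexts are assumptions made for illustration, run here on a constructed workflow excerpt.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?(?!docker://)([^\s'\"#@]+)@([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: an illustrative subset of attacker-influenced contexts, not exhaustive.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:issue|pull_request|comment|review)\.[\w.]+)\s*\}\}")

def audit_workflow(text):
    """Return sorted (line_number, rule) findings for one workflow file."""
    findings, run_col = [], None
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None  # dedent: the previous run: body has ended
        uses = USES_RE.match(line)
        if uses and not FULL_SHA_RE.fullmatch(uses.group(2)):
            findings.append((no, "unpinned-action"))  # tag or branch, not a full SHA
        run = RUN_RE.match(line)
        if run:
            run_col = len(run.group(1))  # column where the run: key starts
        # Expressions are expanded into the script text before the shell runs it,
        # so an untrusted value inside run: becomes part of the command.
        if run_col is not None and UNTRUSTED_RE.search(line):
            findings.append((no, "untrusted-expression-in-run"))
    if not re.search(r"(?m)^\s*permissions:", text):
        findings.append((0, "no-permissions-clause"))  # line 0 = whole file
    return sorted(findings)

# Constructed excerpt: a weak job and a hardened job. The SHA is a placeholder
# (40 zeros), not a real commit of actions/checkout.
SAMPLE = """\
jobs:
  weak:
    steps:
      - uses: actions/checkout@v3
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
  hardened:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<full-commit-sha>
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
""".replace("<full-commit-sha>", "0" * 40)
```

The hardened job passes the untrusted value through an environment variable, so the shell receives it as data rather than as script text. The permissions check is file-level only and does not verify each job.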
...