...

• Always use a matrix for versions like Python/Django, even if there’s only one. This makes it easier to understand and adjust the versions.

Dynamic Matrix

To dynamically set matrix values in a maintainable way, you can utilize https://github.com/actions/github-script

jobs:
  setup-matrix:
    steps:
      - uses: actions/github-script@v6
        id: generate_matrix
        with:
          script: |
            var nodeVersions = [16, 18];
            // logic to add/remove node versions
            core.setOutput('nodeVersions', nodeVersions);
    outputs:
      node_versions: ${{ steps.generate_matrix.outputs.nodeVersions }}

  run_tests:
    needs: [setup-matrix]
    strategy:
      matrix:
        version: ${{ fromJson(needs.setup-matrix.outputs.node_versions) }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.version }}
      - run: |
          npm ci
          npm run test

Security

• Use GitHub repo or organization secrets for credentials.

• Be careful to avoid script injection attacks: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

• References to other GitHub actions use tags like @v3. This is not a specific reference and will change if the author of the action updates it. This might not be what you want. You can use a full SHA reference instead to be certain of the version you are getting.

• Actions and workflows can have a permissions clause that limits the actions permissible with the implicit GitHub token: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

...