Common GitHub Actions Questions - Beginning CI/CD: A Practical Introduction using GitHub Actions

Okay, here is a refined list of questions about GitHub Actions, grouped by low-level concepts suitable for a beginner's guide. The questions have been made more uniform in tone, as if asked by a single learner seeking clarification.

1. Fundamentals & Core Concepts _ How do I enable or find the Actions tab in my GitHub repository or account settings? _ What is the required naming convention and location for workflow files (e.g., .yml files) within the .github directory? _ What are the prerequisites, like knowledge of YAML, needed to start writing GitHub Actions workflows? _ What are the core concepts of GitHub Actions, including workflows, jobs, steps, and actions themselves? _ Where do GitHub Actions workflows actually execute? Is it on GitHub servers, AWS, or somewhere else? _ What is the significance of hyphens (-) and indentation in the Actions YAML syntax? How does it differentiate uses from run steps? _ What does the github.action_path context variable represent within a workflow? _ Is the actions/checkout@v2 step always necessary at the beginning of a job, or are there cases where it can be omitted? _ Can you clarify the difference between a GitHub Actions "workflow" and an "action"? _ What defines a "CI/CD pipeline" in the context of GitHub Actions, versus just a simple workflow?

2. Workflow Triggers & Events (on: keyword) _ Do workflows triggered by push events run if the push originates from a local merge without a corresponding Pull Request on GitHub? _ Can a workflow be automatically triggered when a new repository is created within an organization? _ How can a workflow_dispatch event trigger a workflow definition that only exists on a non-default branch? _ Is it possible to configure a workflow to trigger both on push and manually via workflow_dispatch? _ Can the ability to manually trigger a workflow_dispatch event be restricted to specific users or roles? _ Do input parameters with default values defined for workflow_dispatch get used when the workflow is triggered by other events like push? _ How can an external event, like a successful Vercel deployment, trigger a GitHub Actions workflow (perhaps using repository_dispatch)? _ How can a workflow run be manually initiated from the GitHub UI or API? _ How can workflow triggers be configured to run only when specific file paths are modified, or to ignore changes in certain paths? _ What are common reasons a workflow might not trigger after a push event, even if the YAML file seems correct? _ Can scheduled workflows (on: schedule) bypass branch protection rules that require approvals? _ How can I ensure workflow triggers (like push) aren't overly sensitive and run only for relevant code changes, not just dependency updates or minor file changes?

3. Workflow Syntax, Structure & Logic (Jobs, Steps, Conditionals, Versions) _ How can I pass data or variables between different jobs in the same workflow? _ How can I pass data between different steps within the same job? _ What is the recommended order for build and test steps in a CI workflow? _ How does GitHub Actions handle file paths? If a step fails because it can't find a file (like pom.xml), what should I check? _ Is step X (e.g., AWS credential setup in a deploy job) necessary when doing Y (e.g., deploying via kubeconfig)? How can I determine required steps? _ What are action versions (e.g., @v2, @master, @2.0.0)? What is the impact of using different version types, and which is recommended? _ How frequently do steps like npm install run? Does it happen on every single commit? _ How can I implement conditional logic in a workflow (e.g., run a step only if a previous step failed, or based on branch name)? _ How can a workflow job be configured to fail based on the results of an external tool (like SonarQube or Trivy)? _ If a workflow file has multiple jobs defined, in what order do they execute? How can I control the execution order? _ What are the different input types available for workflow_dispatch (e.g., dropdowns, multi-select)? _ How does input validation work for workflow_dispatch triggers (e.g., enforcing required: true)? _ Is it possible to have workflow_dispatch inputs that change dynamically based on previous selections? _ What does if: always() mean in a step condition, and when should it be used?

4. Reusable Workflows & Composite Actions _ How are secrets handled or accessed within reusable workflows? Do they inherit from the caller? _ What is the difference between a composite action and a reusable workflow? When should I use each? _ How can I execute a script located within the repository of a reusable workflow or composite action itself? _ How can I reference a composite action that is defined within the same repository as the calling workflow? _ What is the mechanism for passing output data from one composite action step to be used as input for a subsequent composite action step? _ What permissions are needed to use a composite action or reusable workflow defined in a different repository within the same organization? _ Are composite actions and reusable workflows available for private repositories on all paid plans, or only Enterprise? _ How do composite actions and reusable workflows interact when nested (e.g., a reusable workflow using a composite action)? What are common pitfalls, like checkout path issues?

5. Runners & Execution Environments (GitHub-Hosted, Self-Hosted, ARC) _ How can I troubleshoot connectivity between a self-hosted runner and services on my local network or private cloud? _ What network protocols and ports are required for a self-hosted runner to communicate with GitHub.com or GitHub Enterprise Server? _ How are self-hosted runner registration tokens managed, do they expire, and how can runners maintain long-term registration? _ Do jobs run on self-hosted runners consume included GitHub Actions minutes? _ How can multiple jobs be run in parallel on a single self-hosted runner machine? What are the configuration options? _ Why might a self-hosted runner process fail to access OS environment variables? _ What should I check if jobs are stuck 'Waiting for a runner' even when self-hosted or organization runners seem available? _ How can I view the labels assigned to a specific self-hosted runner? _ What steps are needed to troubleshoot and bring an offline self-hosted runner back online? _ Is it possible to install and run multiple self-hosted runner instances on the same machine? _ Can a single self-hosted runner instance serve multiple repositories? _ What is the process for setting up and running a self-hosted runner inside a Docker container? _ How can a self-hosted runner be configured on a shared machine for multiple users or teams? _ How can I ensure a self-hosted runner remains available (e.g., run as a service)? _ If multiple runners share the same label, how does Actions select an available one? _ Can a GitHub-hosted runner execute scripts that interact directly with my local machine? _ Where are GitHub-hosted runners (like ubuntu-latest) physically hosted? _ How can I handle sudo prompts or grant passwordless sudo access on a macOS self-hosted runner? _ Does the runs-on OS need to exactly match the self-hosted runner's OS? _ For Action Runner Controller (ARC), how can I persist caches or state between jobs in the same workflow, given that pods might be recreated? _ What are the networking requirements and setup steps for ARC on an on-premises, air-gapped Kubernetes cluster? _ What is the difference between DeploymentRunner with HPA and RunnerScaleSet in ARC? Which is preferred? _ How can runner image names be passed dynamically during ARC Helm installation? _ What is the recommended process for upgrading ARC, especially regarding CRDs? _ How can ARC runners be configured to use Kubernetes Managed Identity (like Azure Workload Identity or GKE WIF) to access cloud resources? _ Can Docker builds be performed reliably on ARC runners deployed to AWS Fargate? _ What versions of GitHub Enterprise Server (GHES) are compatible with ARC? _ How can I customize the runner image used by ARC, for example, to use RHEL or add specific tools? _ How can I use Kaniko to build container images within ARC runners running in Kubernetes mode? _ Does ARC support running runners on AKS virtual nodes? _ Are Windows container images supported as runners in ARC? _ Are there working examples available for non-trivial ARC setups, particularly involving Docker builds or volume mounts? _ How can I monitor ARC components (controller, scale sets, runners) and gather metrics? _ What are common strategies for optimizing the performance of ARC self-hosted runners? _ Can ARC be configured to manage runners on VMs (e.g., via KubeVirt) instead of pods? _ Is cert-manager required for setting up ARC? * How can I troubleshoot communication issues when the ARC controller and runner scale sets are deployed in different Kubernetes namespaces?

6. Secrets, Variables, Authentication & Permissions _ Can secrets defined at different levels (repository, environment, organization) have the same name, and how are they prioritized? _ What is the best practice for managing sensitive credentials needed by a workflow in a public repository? _ What is the scope of an environment deployment approval? Does approving one job affect others targeting the same environment? _ Can email notifications for required deployment reviews be disabled? _ Are GitHub Actions Environments available for private repositories on standard paid plans? _ How can environment variables needed by the application code or tests be securely passed into a workflow?

How are repository/organization variables (not secrets) accessed in a workflow YAML?
What is the mechanism for passing output data between composite action steps? _ When using a reusable workflow, does GITHUB_TOKEN inherit permissions from the caller or the definition repository? _ What are secure methods for cloning a different private repository within a workflow, besides PATs (e.g., GitHub Apps, deploy keys)? _ What could cause a 'Could not read password' error when using tokens? _ How can I securely pass secrets (like database connection strings or API keys) stored in GitHub Secrets into the deployed application or environment? _ How can secrets from external vaults (like HashiCorp Vault or AWS Parameter Store) be securely fetched and used within a workflow? _ How should OIDC be configured for repositories within an organization versus personal repositories? _ Is it necessary to store deployment target details like server IPs as secrets? _ How can I store multi-line secrets or files (like .pem keys or .mobileprovision files) as GitHub Secrets, especially considering potential size limits? * How can I decrypt a password or use a SALT value stored as a secret within a workflow step?

7. Artifacts & Caching _ How can build artifacts from one job be used in a subsequent job? _ Is there a way to check the size of a build artifact within a workflow? _ How does the upload-artifact action work regarding file paths and storage? _ What are the options for managing artifact storage when the quota is hit? _ Can I get a direct downloadable link to an uploaded artifact? _ Is it possible to manually delete artifacts before the default retention period? _ What is the default artifact retention policy, and can it be configured? _ How does actions/cache determine cache validity (invalidation)? _ Is the cache shared between different self-hosted runners in a pool? _ Are there costs associated with using actions/cache, especially storage for private/Enterprise repos? _ What is the scope of a cache? Is it shared across PRs? _ How does actions/cache compare to the built-in caching of actions like setup-node? _ How can a cache created in one job be restored in a different job within the same workflow run? _ Can Docker images or layers be cached using actions/cache? _ Can actions/cache handle very large cache sizes (tens of GBs)? _ Is it possible/recommended to cache apt package downloads? * Can the cache key for actions/cache be dynamically generated?

8. Testing & Code Quality Integration _ How can I ensure the integrity of tests run in Actions? Can steps be skipped or results falsified? _ What are common reasons for test commands (like npm test) to hang indefinitely in an Actions job? _ How do Actions workflows handle new code that lacks corresponding tests? Does it impact required checks? _ How can I troubleshoot errors where tests (like Nightwatch) fail to connect to localhost services started within the workflow? _ Can Actions facilitate running framework-specific parallel tests effectively? _ How can code coverage reports generated in Actions be integrated with SonarQube? _ How can a workflow job be configured to fail based on SonarQube analysis results (e.g., quality gate)? _ How are unit test cases typically added to an Actions workflow? _ How can Actions run tests against multiple language versions (e.g., Python 3.9, 3.10, 3.11) using a matrix? _ Is it better practice to run tests before merging a PR or after merging to the main branch? * What specific steps are needed to run tests for older frameworks like .NET Framework 4.8 in Actions?

9. Docker, Builds & Containerization _ What are common ways Docker images are used within Actions? _ What causes 'lstat /app: no such file or directory' errors during docker buildx build in Actions? _ How does the build process differ if using Gradle vs Maven? _ What are best practices for caching Docker layers/images in Actions? _ How should Java projects ensure compiled classes are available for tools like SonarQube in Actions? _ What actions/steps are used to build a Docker image and then run a container from it within a workflow? _ How can Docker images built in Actions be automatically tagged with versions (e.g., semantic versioning, commit SHA)? _ Are there official Docker actions, and how do they compare to third-party ones? _ How should the FROM instruction in a Dockerfile align with the language version used in the build step (e.g., Java 17)? _ When pushing images to Docker Hub from Actions, does the repository need pre-creation?

10. Deployment & Release Management _ How can Actions deploy an artifact to a target like a VM or AWS EC2? _ What methods exist in Actions to deploy a .jar file to a Windows server? _ What are common approaches for deploying to Kubernetes using Actions? _ How can Slack notifications be integrated into an Actions deployment workflow? _ What steps are needed to build and deploy a React app using Actions? _ What strategies/actions can deploy to an on-premises server from Actions? _ Can Actions automate uploading an iOS .ipa file to App Store Connect? _ How should .env files be handled during deployment via Actions? _ How can Actions workflows handle updates to dependencies needed by the deployed application? _ Is the demonstrated SSH/rsync deployment method secure? What are alternatives? _ How can I automate semantic versioning and GitHub Release creation using Actions? _ How can I implement automated rollbacks with Actions if a deployment or post-deployment test fails (e.g., with Firebase)? _ How can I deploy to a specific Kubernetes namespace using Actions? _ How can Actions integrate with ArgoCD for GitOps deployments? _ How can I handle deploying multiple serverless functions (e.g., AWS Lambda, Supabase Functions) from a single repository/workflow? _ How does Actions compare to native cloud provider CI/CD services (like AWS CodePipeline) for deployment? _ How is Terraform state managed when running terraform apply or terraform destroy within Actions? _ How can Actions deploy Terraform configurations to multiple AWS accounts? _ What is the rationale for including infrastructure cleanup/destroy steps in an Actions workflow? _ How can Actions handle deploying applications with complex database migration requirements? _ How can I update Kubernetes manifests (e.g., image tags) automatically within an Actions pipeline as part of a GitOps flow? _ How can I handle deploying different parts of a monorepo (e.g., client and server directories) that require navigating between directories within the workflow?

11. Local Testing (act) _ Can act run an entire workflow, respecting job dependencies, or only individual jobs? _ How can GitHub Secrets be provided to act for local testing without exposing them? * What are the limitations of act compared to running workflows on GitHub's actual runners?

12. Workload Identity Federation (WIF) _ How does WIF authentication work when used within reusable workflows called from different repositories? _ Does every repository needing to authenticate via WIF require its own configuration in the identity provider (e.g., GCP, Azure, AWS)? _ How does WIF integrate with deploying multiple projects/services within GCP? _ How are attribute mappings and conditions configured for WIF between GitHub Actions and cloud providers (GCP/AWS/Azure)? What do they mean? _ Can WIF be used to authenticate Actions workflows for deploying Firebase services? _ Can WIF authenticate workflows running outside GCP (e.g., a self-hosted runner) to access Google APIs? _ How can WIF be used with Terraform within Actions for keyless authentication? _ What are the security implications of exposing WIF provider IDs or service account emails in workflow files? _ How does WIF work with GitHub Enterprise Server, especially with manually synced actions? _ Can WIF be used to grant permissions for tasks like copying files to GCS buckets?

13. Troubleshooting Common Errors _ What causes 7zr.exe failed with exit code 2 during setup-node? _ How to fix Error: Bad credentials when using an action like Kitchen/test-add-pr-comment@v1 with secrets.GITHUB_TOKEN? _ Why would an action fail with [FATAL] Failed to view version file:[/action/lib/functions/linterVersions.txt]? _ What causes cml: not found errors when using CML (Continuous Machine Learning) actions? _ How to resolve cannotResolveClassException: kg.apc.jmeter.threads.UltimateThreadGroup in JMeter actions? _ What leads to Could not find artifact ghidra:Generic:jar:11.3.1 errors during Maven builds involving Ghidra? _ Why does the install ssh keys step fail with Error: Process completed with exit code 1? _ What causes Permission denied (publickey) errors during SSH steps? _ How to fix Android Gradle plugin requires Java 11 to run. You are currently using Java 1.8? _ What does Invalid copilot token: missing token: 403 indicate? _ How to resolve [Rsync] error: rsync exited with code 255... Permission denied? _ Why might terraform init fail within Actions even if the state file seems present? _ What causes npm ci to fail with no package-lock.json file error in Actions? _ How to fix Permission 'iam.serviceAccounts.getAccessToken' denied on resource... when using WIF? _ What causes gcloud.secrets.versions.access errors related to refreshing tokens with WIF? _ How to resolve MSBUILD : error MSB1003: Specify a project or solution file during .NET builds? _ Why might a .NET 8 deployment fail with Package deployment using ZIP Deploy failed? _ What causes denied: Permission \"artifactregistry.repositories.uploadArtifacts\" denied... when pushing to GCP Artifact Registry? _ Why might a workflow run successfully but the deployed application (e.g., on GKE pod) not reflect the latest code changes? _ What causes refusing to allow an OAuth App to create or update workflow... without \workflow` scopeerror on push? * How to fixError: The version '3.x' with architecture 'x64' was not found...` when running a composite action? * Why might an Actions deployment succeed but the application be unreachable at its public IP?

14. General Guidance & Best Practices _ Are there courses or resources focusing on Actions best practices, organization, and advanced tips? _ What are common pitfalls for beginners using GitHub Actions? _ Is it better to combine related tasks (like linting and testing) into a single workflow/job or keep them separate? _ What are the security best practices when using self-hosted runners, especially with public repositories or PRs from forks? _ What branching strategies work well with GitHub Actions environments and deployment workflows? _ How should complex deployments (e.g., 20+ resources, multi-subscription) be organized using Actions? _ How can I handle variability in deployments (different resources/parameters each time) effectively within Actions? _ What is the best practice for updating image tags in Kubernetes manifests within a CI pipeline (e.g., GitOps approach)? * Is it better to use official GitHub Actions (like actions/checkout) or third-party ones? What are the trade-offs?