Production CI/CD with GitHub Actions
Automated testing, Docker builds, and Terraform deploys in one workflow. Battle-tested patterns from 100+ production pipelines.
Pipeline Architecture
A production CI/CD pipeline has four stages: lint/test, build, pre-deploy validation, and deploy. Use GitHub Actions' needs keyword to create a directed acyclic graph (DAG) of jobs.
Run lint and unit tests in parallel across multiple runners. Use matrix strategies for multi-language or multi-platform builds. Cache dependencies aggressively with actions/cache.


Docker Build Optimization
Use Docker BuildKit with layer caching via docker/build-push-action@v5. Enable the GitHub Actions cache backend with cache-from: type=gha and cache-to: type=gha,mode=max for 10x faster builds.
Build multi-arch images (amd64 + arm64) in parallel using QEMU or native runners. Push to ECR with immutable tags — use the Git SHA, not latest.
Terraform Integration
Run terraform plan on pull requests and post the plan as a PR comment using hashicorp/setup-terraform and a custom script. Require manual approval for terraform apply using environments and protection rules.
Store Terraform state in S3 with DynamoDB locking. Use OIDC for AWS authentication — never store long-lived credentials in GitHub Secrets.
deploy: needs: [test, build] runs-on: ubuntu-latest environment: production # Requires approval permissions: id-token: write # OIDC for AWS steps: - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::role/deploy - uses: hashicorp/setup-terraform@v3 - run: terraform apply -auto-approve