⚙️ GitHub Actions

In one sentence

How it works (core concepts)

It’s very simple: when an event fires, borrow a clean VM, clone the repo, and run the steps you wrote — in order.

• 📁 Location — .github/workflows/*.yml (multiple files supported)
• ⚡ Triggers — push / pull_request / schedule (cron) / workflow_dispatch (manual) / issues / release and 35+ other events
• 🖥️ Execution environment — a fresh GitHub-hosted runner (Linux / Windows / macOS VM) starts up per job
• 📦 Repo cloned every time — actions/checkout full-clones into $GITHUB_WORKSPACE (no state carried over from previous jobs)
• ⏱️ Time limits — 6 hours max per job, 35 days max per workflow (matrix parallelism is supported)
• �� Secrets — stored in Settings → Secrets → referenced as ${{ secrets.NAME }} (masked in logs)

🧠 “Start from scratch every time” is the golden rule of GitHub Actions. To persist state, use actions/cache, artifacts, or rely on already-deployed infrastructure.

GitHub-hosted runners vs Self-hosted runners

🌐 As a middle ground, consider larger runners (high-spec GitHub-hosted) or Actions Runner Controller to run auto-scaling self-hosted runners on k8s.

Reuse components from the Marketplace

You don’t have to write everything from scratch. GitHub Marketplace has 20,000+ reusable actions.

steps:
  - uses: actions/checkout@v4              # GitHub official: clone repo
  - uses: actions/setup-node@v4            # Set up Node.js environment
    with: { node-version: 20 }
  - uses: docker/build-push-action@v5      # Build & push Docker image
  - uses: aws-actions/configure-aws-credentials@v4

• 🏷️ Official verified actions — GitHub, AWS, Azure, GCP, Docker, HashiCorp, and other major vendors
• 🔓 OSS actions — anyone can publish (uses: owner/repo@sha to reference)
• 📌 Always pin versions — commit SHA pins are safer than tags (@v4) against supply chain attacks
• 🛡️ Org allowlist — restrict available actions via Settings → Actions → Allowed actions

Getting started (fastest path)

Just drop a .github/workflows/ci.yml:

name: CI
on:
  push:        { branches: [main] }
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm ci
      - run: npm test

The moment you push, execution logs appear in the Actions tab. Failures show as ❌ on the PR.

🚀 Start with runs-on: ubuntu-latest for everything, then scale out to Windows / macOS / larger runners / self-hosted as needed.

Eligibility and pricing

Public repos get GitHub-hosted runners completely free — only concurrency limits apply. Private repos get a monthly free tier per plan; overages are pay-as-you-go.

Free tier per plan (private repos / month)

💡 Free tier counts Linux as 1× multiplier. Windows consumes 2× and macOS consumes 10× — watch out.

Per-OS / per-size unit pricing (overages · 2-core standard)

💰 Storage overages are $0.25 / GB (artifacts + Actions cache + Packages combined).
🛠️ Self-hosted runners incur no GitHub billing (as of now). Running on your own server / k8s means execution time is free — you just pay for your own infrastructure and electricity.
🌍 Billing is usage-time-based, not per active committer. Even a solo developer who runs CI heavily will see charges.

Cloud Agent / Copilot Code Review also run here

🤖 When Copilot Cloud Agent implements a task, or when Copilot Code Review reads a PR — both run as GitHub Actions workflows under the hood. They consume Actions free-tier minutes and appear as Actions logs. See Cloud Agent and Copilot Code Review for details.