GitHub Actions Workflow Prompt
GitHub Actions workflows are deceptively easy to write insecurely. This prompt requires actions to be pinned to a full-length commit SHA (a tag such as @v4 is mutable, so only a SHA protects you if an action's repository or tag is compromised or retagged), a least-privilege permissions: block for GITHUB_TOKEN, and dependency caching by default. The timeout-minutes requirement stops a hung or runaway job from billing minutes until GitHub's default six-hour job limit is reached.
Prompt Template
You are a DevOps engineer specialising in GitHub Actions.
Create a GitHub Actions workflow for the following:
Workflow purpose: {{purpose}}
Trigger: {{trigger}}
Language/Runtime: {{runtime}}
Steps required: {{steps}}
Secrets needed: {{secrets}}
Runner: {{runner}}
Additional requirements: {{additional_requirements}}
The workflow must:
- Cache dependencies to speed up runs
- Pin every third-party action to a full-length commit SHA with the version in a trailing comment (e.g., actions/checkout@<40-hex-sha> # v4); never a mutable tag or branch such as @v4 or @main
- Use the automatic GITHUB_TOKEN for GitHub API calls where possible, rather than a personal access token stored as a secret
- Set least-privilege permissions with a top-level permissions: block (contents: read by default) and raise individual scopes only on the jobs that need them
- Fail fast on errors
- Include timeout-minutes on every job and on long-running steps
Annotate each job and step with a comment explaining its purpose.
Variables
- {{purpose}}: What the workflow does, e.g., "run tests and deploy to AWS ECS on push to main"
- {{trigger}}: When it runs: "push to main", "pull_request", "schedule: weekly", "manual workflow_dispatch". Note that pull_request runs from forked repositories do not receive secrets, so deploy jobs in a workflow that also triggers on pull_request must be gated with a condition such as if: github.event_name == 'push'
- {{runtime}}: Language and version, e.g., "Node.js 20", "Python 3.12", "Go 1.22"
- {{steps}}: Steps needed, e.g., "install dependencies, run tests, build Docker image, push to ECR, deploy to ECS"
- {{secrets}}: Required secrets, e.g., "AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY", or "None". For AWS, GCP and Azure, prefer OIDC federation (a role the workflow assumes with a short-lived token and id-token: write permission) over long-lived access keys stored as secrets
- {{runner}}: Runner type: "ubuntu-latest", "windows-latest", "macos-latest", or self-hosted
- {{additional_requirements}}: Extra requirements, or "None"
Example
Input
purpose: Run tests on every pull request and deploy to staging on merge to main
trigger: push to main and pull_request
runtime: Node.js 20
steps: install deps, lint, test, build Docker, push to ECR, deploy to ECS
secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, ECR_REGISTRY
runner: ubuntu-latest
additional_requirements: Matrix test against Node 18 and 20
Output
name: CI/CD
on:
  push:
    branches: [main]
  pull_request:
# Least privilege for GITHUB_TOKEN; a job that needs more raises it on its own permissions: block
permissions:
  contents: read
jobs:
  test:
    name: Test (Node ${{ matrix.node }})
    runs-on: ubuntu-latest
    timeout-minutes: 15  # a hung test run cannot bill for the six-hour default
    strategy:
      matrix:
        node: [18, 20]
    steps:
      # Check out the repository. Replace the v4 tag with the release's full commit SHA
      # before use: the tag is mutable, the SHA is not.
      - uses: actions/checkout@v4
      # Install the matrix Node version and restore the npm cache for this lockfile
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
          cache: npm
      - run: npm ci          # clean, lockfile-exact install
      - run: npm run lint    # lint first so style failures surface before the slower tests
      - run: npm test        # run the test suite
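The three hardening requirements above (SHA-pinned actions, a least-privilege top-level permissions: block, a timeout on every job) are easy to check mechanically before a generated workflow is committed. The checker below is an added example, not code from the original page; it deliberately avoids a YAML library and scans the file line by line, which is sufficient for the two-space-indented layout GitHub's own examples use. The two embedded workflows are constructed samples, and the forty-zero SHA in the hardened one is a placeholder, not the commit of any real release.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# "Pinned" means a full 40-hex-character commit SHA after the "@".
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" (with or without a leading "- ") and
# captures the ref up to the first space or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A job name sits at indent 2 directly under the top-level "jobs:" key.
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")


@dataclass
class Finding:
    rule: str
    detail: str


def _jobs(lines: list[str]) -> dict[str, list[str]]:
    """Group the lines under the top-level jobs: key by job name (2-space indent assumed)."""
    jobs: dict[str, list[str]] = {}
    current = None
    in_jobs = False
    for line in lines:
        if not line.strip():
            continue
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and not line.startswith(" "):
            in_jobs = False  # another top-level key ends the jobs map
        if not in_jobs:
            continue
        m = JOB_RE.match(line)
        if m:
            current = m.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return jobs


def lint_workflow(text: str) -> list[Finding]:
    """Return the hardening rules that the workflow text violates."""
    lines = text.splitlines()
    findings: list[Finding] = []

    # Rule 1: every remote action is pinned to a commit SHA, not a tag or branch.
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action or container image: not a tag-pinning question
        _, _, version = ref.rpartition("@")  # no "@" at all is also unpinned
        if not SHA_RE.match(version):
            findings.append(Finding("unpinned-action", f"line {n}: {ref}"))

    # Rule 2: a top-level permissions: block exists and is not the write-all shortcut.
    top = [l for l in lines if l.startswith("permissions:")]
    if not top:
        findings.append(Finding("missing-permissions", "no top-level permissions: block"))
    elif top[0].split(":", 1)[1].strip() == "write-all":
        findings.append(Finding("broad-permissions", "permissions: write-all"))

    # Rule 3: each job carries timeout-minutes, either at job level or on a step.
    for name, body in _jobs(lines).items():
        if not any(l.strip().startswith("timeout-minutes:") for l in body):
            findings.append(Finding("missing-timeout", f"job {name!r}"))

    return findings


# Constructed sample: the shape of a typical first-draft workflow.
WEAK_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm test
"""

# Constructed sample meeting all three rules; the SHA is a placeholder, not a real release.
HARDENED_WORKFLOW = """\
name: CI
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: ./.github/actions/report
      - run: npm test
"""

if __name__ == "__main__":
    for f in lint_workflow(WEAK_WORKFLOW):
        print(f"{f.rule}: {f.detail}")
```

Run it against a real file with lint_workflow(open(".github/workflows/ci.yml").read()); an empty list means all three rules hold. Local actions (./path) and docker:// images are skipped because the SHA rule does not apply to them, and a job-level permissions: block is intentionally not counted as satisfying the top-level requirement, since the top-level default is what every other job inherits.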
FAQ
- How do I pass outputs between jobs in GitHub Actions?
- Declare `outputs:` on the producing job, mapping each name to a step output (e.g. `var_name: ${{ steps.step_id.outputs.var_name }}`), list that job under `needs:` in the consuming job, and read the value as `needs.job_name.outputs.var_name`. Inside the producing step, set it with `echo "var_name=value" >> "$GITHUB_OUTPUT"`.
- How do I debug a failing GitHub Actions workflow?
- Enable step debug logging by setting ACTIONS_STEP_DEBUG=true as a repository secret or variable and re-running the job. For hard cases, `- uses: mxschmitt/action-tmate@v3` opens an interactive SSH session on the runner; that shell has the job's environment and any secrets the job loaded, so pin it to a commit SHA like any other third-party action, add it only for the debugging run, and remove it before merging.
- How do I run only specific jobs when certain files change?
- Use the `paths` filter on the trigger: `on: push: paths: ['src/**', 'package.json']`. For more complex logic, use a "detect changes" job with dorny/paths-filter (a third-party action, so pin it to a commit SHA too) and make downstream jobs conditional on its output via `needs` and `if:`.
Related Prompts
CI/CD Pipeline Configuration Prompt
CI/CD configurations involve many interdependent jobs and conditional triggers that are ea...
Dockerfile Generation Prompt
Dockerfiles generated without guidance often use :latest tags, run as root, and copy the e...
Dependency Audit Prompt
Dependency audits done quarterly catch security issues before they become incidents. This ...