DEV Community

WDSEGA
WDSEGA

Posted on

CI/CD最佳实践:GitHub Actions工作流设计

#githubactions #cicd #devops #automation

GitHub Actions已成为最流行的CI/CD工具之一。本文分享经过生产验证的工作流设计原则,帮助你构建高效、安全、可维护的自动化流水线。

工作流结构分层

一个好的CI/CD流水线应该分层设计:

  1. CI层:代码检查、单元测试、构建镜像
  2. CD层:部署到开发/测试环境
  3. 生产层:人工审批后部署到生产环境 
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install -r requirements-dev.txt
      - run: ruff check .
      - run: pytest --cov=src --cov-report=xml
      - uses: codecov/codecov-action@v3
        with:
          files: ./coverage.xml

  build:
    needs: lint-and-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: |
          docker build -t myapp:${{ github.sha }} .
          docker tag myapp:${{ github.sha }} myapp:latest
Enter fullscreen mode Exit fullscreen mode

安全最佳实践

CI/CD流水线是供应链攻击的高价值目标,必须严格防护:

1. 最小权限原则

permissions:
  contents: read
  packages: write
Enter fullscreen mode Exit fullscreen mode

默认只授予必要的权限,避免使用permissions: write-all

2. 依赖固定

# 好的做法:固定到具体commit或版本
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1

# 避免:使用浮动标签
- uses: actions/checkout@v4
Enter fullscreen mode Exit fullscreen mode

3. Secrets管理

- name: Deploy to production
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  run: |
    aws eks update-kubeconfig --region us-east-1 --name prod-cluster
    kubectl set image deployment/myapp app=myapp:${{ github.sha }}
Enter fullscreen mode Exit fullscreen mode

永远不要将Secrets打印到日志,GitHub Actions会自动屏蔽,但自定义脚本中也要避免echo $SECRET

缓存加速构建 

- uses: actions/cache@v3
  with:
    path: |
      ~/.cache/pip
      ~/.npm
    key: ${{ runner.os }}-deps-${{ hashFiles('**/requirements.txt', '**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-deps-
Enter fullscreen mode Exit fullscreen mode

合理的缓存策略可以将构建时间从10分钟缩短到2分钟。缓存键的设计要精确:依赖文件内容变化时自动失效。

矩阵构建与多环境部署 

strategy:
  matrix:
    python-version: ['3.9', '3.10', '3.11', '3.12']
    os: [ubuntu-latest, windows-latest]

runs-on: ${{ matrix.os }}
steps:
  - uses: actions/setup-python@v5
    with:
      python-version: ${{ matrix.python-version }}
Enter fullscreen mode Exit fullscreen mode

矩阵构建可以并行测试多个Python版本和操作系统,确保兼容性。

总结

设计CI/CD流水线的核心原则:

  • :通过缓存和并行减少反馈时间
  • :固定依赖版本,避免构建漂移
  • :最小权限,Secrets不泄露
  • :工作流文件结构清晰,职责单一

GitHub Actions的生态系统非常丰富,善用官方和经过验证的第三方Action,可以大幅减少维护成本。

本文是博客完整版的精简版,更多技术细节和代码示例请查看完整版:
阅读原文

Top comments (0)