Getty Images
Updates to GitHub Actions add efficiency, risk of friction
GitHub Actions required workflows and configuration variables can reduce duplicate configuration code and shore up policy compliance but may add to developer frustration.
GitHub Actions has added two new features that can enforce CI/CD best practices. But they may stymie developers if they are not judiciously used.
Required workflows, which became available this week in public beta, helps enterprise development teams define and enforce consistent CI/CD processes across repositories. Every pull request opened on the default branch triggers its own set of required status checks that must complete before a merge can take place.
GitHub Actions previously allowed for manually configured release gates on individual repositories. Required workflows, however, can be used to enforce CI/CD best practices throughout large organizations. Admins can configure which repositories will run required workflows, and teams at the repository level can see which required workflows apply to which repository.
Another new feature this week added support for configuration variables. With this feature, developers can store non-sensitive configuration data, such as compiler flags, server names and usernames, as plaintext variables. Before this release, developers who wanted to reuse values had to store all configuration data as encrypted secrets, which are not easy to retrieve.
"Both these additions consider customer feedback and improve GitHub Actions for developers by codifying workflows and configuration," said Larry Carvalho, principal consultant at RobustCloud. "These additions improve security and productivity -- a much-needed requirement by development organizations."
Enforced security reduces the possibility that vulnerabilities will creep into code during the development lifecycle, Carvalho said.
But while required workflows will allow teams to standardize CI/CD processes, blanket enforcement may cause frustration, said Ankur Papneja, product manager at Contrast Security, an application security vendor and GitHub partner based in Los Altos, Calif. Contrast Security markets a set of GitHub Actions for automated security testing and software composition analysis.
"Getting blocked on a pull request due to a failed required workflow that's not even appropriate to the repo will do more harm than good in making the organizational shift to DevOps," he said.
Figuring out how to intelligently apply required workflows for security or deployment to certain repositories and flexibility with pull request status checks, rather than always blocking them, will be the keys to getting developer buy-in and ensuring a successful roll-out, Papneja said.
New features aim to reduce manual efforts
While appropriate usage will be important, it's GitHub's intention that the new features help users speed up development by reducing manual steps required to enforce quality and security standards, according to a GitHub blog post.
Larry CarvalhoPrincipal consultant, RobustCloud
"You no longer have to spend hours configuring hundreds of repositories to protect your critical software assets," the post states.
These new features will benefit teams as developer roles evolve to include newer participants, said Charlotte Dunlap, an analyst at GlobalData, a British market research firm.
"GitHub Actions' ongoing efforts … illustrate not only the importance of simplifying CI/CD-based configuration requirements but also encourage better collaboration and sharing of best practices," she said.
GitHub Actions offers both free and paid tiers. The free tier limits users to 2,000 minutes of compute time per month. Competitors to GitHub Actions include CircleCI, Jenkins, Azure Pipelines and GitLab.