GitHub Actions pipelines that don't slow you down
Caching, matrix builds, reusable workflows, and security hardening for production CI/CD pipelines.
Why CI/CD pipelines become a bottleneck
A slow CI pipeline is a tax on every engineer, every day. A 20-minute pipeline on a team of 10 costs 3+ hours of blocked time per engineer per week. Most pipelines are slow because of three things: no caching, unnecessary serial steps, and bloated Docker builds.
Dependency caching
Cache everything you install repeatedly. For Node.js:
- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-npm-
This single step typically cuts 2–4 minutes off a Node build. Docker layer caching via cache-from / cache-to with GitHub's registry can cut Docker builds from 8 minutes to under 90 seconds.
Parallelise with matrix builds
Run tests across multiple Node versions and environments in parallel, not sequence:
strategy:
  matrix:
    node-version: [18, 20, 22]
    os: [ubuntu-latest]
  fail-fast: false
With fail-fast: false, a failure in one matrix cell doesn't cancel the others — you get full feedback in one run.
Reusable workflows
Don't copy-paste CI logic across repos. Use workflow_call to create reusable workflows in a central .github repo:
# .github/workflows/node-build.yml (in your org/.github repo)
on:
  workflow_call:
    inputs:
      node-version:
        required: true
        type: string
Then call it from any repo:
jobs:
  build:
    uses: myorg/.github/.github/workflows/node-build.yml@main
    with:
      node-version: "20"
Security hardening
Harden your pipeline against supply chain attacks:
- Pin actions to commit SHAs, not tags:
    uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af68 # v4
- Use OIDC for cloud auth instead of long-lived secrets: the id-token: write permission plus aws-actions/configure-aws-credentials.
- Set minimal permissions at the workflow level, overriding per job only where needed:
    permissions:
      contents: read
- Run Dependabot for Actions: add package-ecosystem: "github-actions" to your Dependabot config.
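As an added example (not code from the original article), a small stdlib-only Python checker that flags the first and third rules above: any uses: reference not pinned to a 40-character commit SHA, and a workflow with no top-level permissions: block. The two sample workflows and the placeholder SHA are constructed for this example.

```python
"""Audit a GitHub Actions workflow for SHA-pinned actions and a
workflow-level permissions block. Regex-based, so no YAML library needed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")               # full 40-hex commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # `uses: owner/repo@ref`


def audit_workflow(text):
    """Return (line_number, message) findings for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    for num, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container refs are out of scope here
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((num, f"{action} uses mutable ref '{version}'; pin to a commit SHA"))
    # A workflow-level block sits at column 0; per-job blocks are indented.
    if not any(l.startswith("permissions:") for l in lines):
        findings.append((0, "no workflow-level permissions block; token gets default scopes"))
    return findings


# Constructed sample workflows; the SHA is a placeholder, not a real commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
HARDENED = f"""\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: ./.github/actions/local-step
"""
WEAK = """\
name: ci
on: [push]
jobs:
  shared:
    uses: myorg/.github/.github/workflows/node-build.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for name, wf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_workflow(wf) or "no findings")
```

Reusable-workflow references at the job level are checked the same way as step actions, so the @main call in the reusable-workflows section would be flagged too.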
Deployment gates
Use GitHub Environments with required reviewers for production deployments. This gives you an audit trail, manual approval, and environment-scoped secrets — without a separate CD tool.
Measuring pipeline health
Track these metrics monthly: mean pipeline duration, pass rate, and MTTR (time from failure to green). A deteriorating pass rate often signals test flakiness before it becomes a crisis.
We audit and optimise CI/CD pipelines as part of our platform engineering work. Get in touch to discuss yours.