GitHub Actions is GitHub's CI/CD and automation platform built directly into repositories, enabling workflows to run on code events, schedules, or manual triggers. It eliminates external CI/CD dependencies by providing hosted runners, a marketplace of pre-built actions, and flexible YAML-based workflow definitions. The platform scales from simple automated testing to complex deployment pipelines with matrix builds, reusable workflows, and fine-grained security controls—making it the de facto automation solution for projects hosted on GitHub. In 2026, hosted runner prices dropped up to 39% and major new features include timezone-aware schedules, artifact attestations, OIDC custom properties, and a new case expression function.
What This Cheat Sheet Covers
This topic spans 18 focused tables and 156 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Workflow Triggers
Every workflow starts with one question: what should make it run? These are the events you list under on—a push, a pull request, a manual click, a schedule, or a call from another workflow. Watch the security-sensitive pair: pull_request runs with restricted permissions for fork safety, while pull_request_target runs with full write access and secrets, which is exactly where careless handling of untrusted fork code turns into a supply-chain incident.
| Event | Example | Description |
|---|---|---|
on: push: branches: [main] | • Triggers on commits pushed to specified branches or tags • most common trigger for CI pipelines. | |
on: pull_request: types: [opened, synchronize] | • Runs on PR events like open, sync, or close • uses the merge commit with base branch permissions from forks. | |
on: workflow_dispatch: inputs: environment: required: true | Allows manual triggering via UI or API with optional custom input parameters (up to 25 inputs). | |
on: schedule: - cron: '30 5 * * 1' timezone: 'America/New_York' | • Runs workflow at specific times using POSIX cron syntax • supports IANA timezone field (defaults to UTC) • useful for nightly builds or regular maintenance. | |
on: workflow_call: inputs: config: required: true | • Makes workflow reusable so other workflows can call it • supports inputs, secrets, and outputs for modular pipeline design. |