# GitHub Actions CI/CD in Practice: Building an Automated Workflow from Scratch

This article builds a complete CI/CD pipeline from scratch, covering the full lint, test, build and deploy flow, plus four pitfalls recorded from production use.

## 1. Why CI/CD?

Without CI/CD, every deployment means a manual SSH, `git pull` and restart; miss one step and production goes down. With CI/CD, a `git push` triggers a fully automated pipeline.

## 2. Core Concepts

| Concept | Description | Analogy |
|---|---|---|
| Workflow | Workflow definition (`.yml`) | Pipeline blueprint |
| Job | Independent unit of work | Workstation |
| Step | A single execution step | Workstation action |
| Action | Reusable module | Pre-installed tool |
| Runner | Execution environment | Worker |
| Event | Triggering event | Start button |

## 3. Creating the First CI Workflow

```yaml
name: CI
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: pip install -r requirements.txt
      - run: pytest --cov
```

## 4. Common Actions Cheat Sheet

| Action | Purpose |
|---|---|
| `actions/checkout` | Check out the code |
| `actions/setup-python` | Python environment |
| `actions/setup-node` | Node environment |
| `actions/cache` | Cache dependencies |
| `actions/upload-artifact` | Upload build artifacts |
| `docker/build-push-action` | Build and push Docker images |
| `appleboy/ssh-action` | Deploy remotely over SSH |

## 5. Complete CI/CD Pipeline

```yaml
name: CI/CD Pipeline
on:
  push:
    branches: [main]
env:
  REGISTRY: ghcr.io
  IMAGE: myapp
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: pip install ruff
      - run: ruff check .
  test:
    needs: lint
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        env:
          POSTGRES_PASSWORD: test
        ports:
          - 5432:5432
    steps:
      - uses: actions/checkout@v4
      - run: pip install -r requirements.txt
      - run: pytest -n auto
  build:
    needs: [lint, test]
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # needed to push to ghcr.io
    steps:
      - uses: actions/checkout@v4
      # Log in to the registry before pushing; the push below fails without it
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: docker build -t ghcr.io/myapp:latest .
      - run: docker push ghcr.io/myapp:latest
  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USER }}
          key: ${{ secrets.SSH_KEY }}
          script: |
            cd /app
            docker compose pull
            docker compose up -d
```

## 6. Speeding Up with Caching

```yaml
- uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
```

## 7. Matrix Strategy

```yaml
strategy:
  matrix:
    python: ["3.11", "3.12"]
    os: [ubuntu-latest]
steps:
  - uses: actions/setup-python@v5
    with:
      python-version: ${{ matrix.python }}
```

Note: the more matrix dimensions, the more parallel jobs. 3 operating systems x 3 Python versions = 9 jobs, so watch resource consumption.

## 8. Secrets Security

❌ Wrong: hard-coding the password

```yaml
run: echo "password=123456"
```

✅ Right: using GitHub Secrets

```yaml
run: echo "password=${{ secrets.DB_PASSWORD }}"
```

## 9. Pitfalls

**Pitfall 1: unpinned Action versions**

❌ `uses: actions/checkout` (no version given; the next run may get something different)

✅ `uses: actions/checkout@v4`

**Pitfall 2: matrix combination explosion**

3 operating systems x 3 Python versions x 3 Node versions = 27 jobs, and the full run took over an hour. Use `include` to test only the key combinations.

**Pitfall 3: leaking secrets**

Never write passwords into `run` commands; use `${{ secrets.XXX }}`.

**Pitfall 4: Docker in Docker**

Running Docker builds inside the CI runner requires mounting `docker.sock`. Use `docker/setup-buildx-action` to handle this automatically.

## 10. Deployment Strategies

| Strategy | Pros | Cons | Suited to |
|---|---|---|---|
| Rolling update | Zero downtime | Slow rollback | Web services |
| Blue-green deployment | Rollback in seconds | Double the resources | Critical business systems |
| Canary release | Gradual exposure to risk | Complex configuration | Major version releases |

## 11. Summary

The core value of CI/CD is not automation itself but repeatability, traceability and the ability to roll back.

- Commit small changes frequently
- Test first, build automatically
- Idempotent deployments, smooth rollbacks
- Complete logs, traceable at any time

## 12. Enterprise Best Practices

### 1. Managing environments separately

| Environment | Branch | Approval | Secrets level |
|---|---|---|---|
| dev | `feature/*` | None | Development environment |
| staging | `develop` | 1 reviewer | Test environment |
| product |
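As an added example that is not part of the original post, the script below scans a workflow file for two of the pitfalls listed above: `uses:` references with no version and literal credentials inside `run:` commands. It goes one step beyond the article by also reporting actions pinned to a mutable tag rather than a 40-character commit SHA, which is the stricter pinning policy. The sample workflow and the SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow: a mix of the good and bad patterns from the article
SAMPLE_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout
      - uses: actions/setup-python@v5
      - uses: docker/build-push-action@0123456789abcdef0123456789abcdef01234567
      - run: echo "password=123456"
      - run: echo "password=${{ secrets.DB_PASSWORD }}"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.+?)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, the immutable form of pinning
# key=value where the value is a literal rather than a ${{ ... }} expression
LITERAL_CRED_RE = re.compile(
    r"(?i)\b(password|passwd|token|secret|api[_-]?key)\s*=\s*(?!\$\{\{)['\"]?[^\s'\"$]+"
)

def audit_workflow(text):
    """Return (line_no, finding, detail) tuples for the pitfalls found in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue  # local path or image reference: no @version to check
            if "@" not in ref:
                findings.append((lineno, "unpinned", ref))       # pitfall 1 in the article
            elif not SHA_RE.match(ref.split("@", 1)[1]):
                findings.append((lineno, "mutable-tag", ref))    # stricter than the article: tag, not SHA
            continue
        m = RUN_RE.match(line)
        if m and LITERAL_CRED_RE.search(m.group(1)):
            findings.append((lineno, "hardcoded-credential", m.group(1)))  # pitfall 3
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind}: {detail}")
```

The line-based matcher is deliberately simple: it reads `uses:` and `run:` entries as they appear in a typical workflow and does not parse folded or multi-line YAML scalars.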