BlogCI/CD
DRY GitHub Actions with reusable workflows
Extract shared build-and-scan steps into a reusable workflow and call it from every repo with inputs and secrets.
Copy-pasted CI is a maintenance tax you pay forever. GitHub Actions reusable workflows let you define a build-test-scan pipeline once and call it from every repo with inputs and secrets — fix a bug in one place and every caller gets it.
Define it once
.github/workflows/build.yml
on:workflow_call:inputs:image: { required: true, type: string }secrets:registry_token: { required: true }jobs:build:runs-on: ubuntu-lateststeps:- uses: actions/checkout@v4- run: docker build -t ${{ inputs.image }} .
Call it from anywhere
.github/workflows/ci.yml
jobs:ci:uses: acme/ci-templates/.github/workflows/build.yml@v1with:image: ghcr.io/acme/api:latestsecrets: inherit
Pin the ref you call
Calling @main means an upstream change alters every repo silently. Pin to a tag (@v1) or a SHA and bump deliberately — the reusable workflow runs with your secrets.
Why it is worth it
One security fix — a new scanner, a pinned action, an OIDC change — rolls out to the whole org by bumping a version, not by editing fifty YAML files.
Go deeper in a courseSoftware supply chain securityPipeline reuse, pinning, and org-wide secure defaults.View course