BlogCI/CD

DRY GitHub Actions with reusable workflows

Extract shared build-and-scan steps into a reusable workflow and call it from every repo with inputs and secrets.

Jan 14, 2025·8 min readIntermediate

Copy-pasted CI is a maintenance tax you pay forever. GitHub Actions reusable workflows let you define a build-test-scan pipeline once and call it from every repo with inputs and secrets — fix a bug in one place and every caller gets it.

Define it once

.github/workflows/build.yml
on:
workflow_call:
inputs:
image: { required: true, type: string }
secrets:
registry_token: { required: true }
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: docker build -t ${{ inputs.image }} .

Call it from anywhere

.github/workflows/ci.yml
jobs:
ci:
uses: acme/ci-templates/.github/workflows/build.yml@v1
with:
image: ghcr.io/acme/api:latest
secrets: inherit
Pin the ref you call
Calling @main means an upstream change alters every repo silently. Pin to a tag (@v1) or a SHA and bump deliberately — the reusable workflow runs with your secrets.

Why it is worth it

One security fix — a new scanner, a pinned action, an OIDC change — rolls out to the whole org by bumping a version, not by editing fifty YAML files.

Go deeper in a courseSoftware supply chain securityPipeline reuse, pinning, and org-wide secure defaults.View course

Related posts