Workflow Syntax
run: steps
Shell scripts executed via bash (or configured shell)
uses: actions
GitHub actions, local actions, composite actions, Node.js actions
Job dependencies
needs: with DAG resolution and concurrent executionMatrix strategy
Cartesian product expansion with include/exclude
Expression engine
Full expression evaluation with contexts, operators, and functions
Environment variables
env: at workflow, job, and step levels + $GITHUB_ENVStep outputs
$GITHUB_OUTPUT with multiline delimiter supportJob outputs
jobs.*.outputs evaluated from step outputsConditions
Full expression evaluation in
if: with status functionsTimeouts
timeout-minutes at job and step levelcontinue-on-error
Step failures don’t fail the job
GitHub context
github.sha, github.ref, github.repository, github.actor, etc.Secrets
secrets.* context populated from server environment variablesConcurrency
concurrency: groups with cancel-in-progress supportPermissions
permissions: field parsed at workflow and job levelContainer
container: runs job steps inside a Docker containerServices
services: starts sidecar containers alongside the jobArtifacts
actions/upload-artifact and actions/download-artifact built-in shimsReusable workflows
workflow_call with inputs and secret inheritanceBranch filters
on: push: branches: and branches-ignore: filters$GITHUB_PATH
PATH modifications persist across steps (including in VMs)
Expression Functions
Expression Contexts
Action Support
CI Server Features
Secrets
Secrets are loaded from environment variables on the server. Any env var prefixed withSECRET_ is exposed in the secrets.* context with the prefix stripped.
For example:
${{ secrets.SSH_PRIVATE_KEY }} and ${{ secrets.STRIPE_KEY }}.
Container Support
Jobs can specify a Docker container image. Allrun: steps execute inside the container with the workspace mounted:
localhost:
Container and service support requires Docker to be installed in the VM rootfs.