GitHub Actions Interview Questions

Basic GitHub Actions Questions

What is GitHub Actions?

GitHub Actions is a CI/CD platform that automates workflows inside GitHub repositories for building, testing, and deploying code by executing defined actions triggered by repository events.

How do workflows work in GitHub Actions?

Workflows are YAML-defined processes triggered by events like push or pull_request. They consist of jobs, which contain sequential or parallel steps.

What are the jobs and steps in GitHub Actions?

Jobs are sets of steps executed in a runner environment, running sequentially or in parallel. Steps are individual tasks, such as shell commands or marketplace actions, executed sequentially within jobs.

What is a runner?

A runner is the environment that executes jobs,h either GitHub-hosted (pre-configured) or self-hosted (custom setups).

How do you use secrets?

Secrets are stored securely in GitHub and accessed in workflows using ${{ secrets.NAME }} to protect sensitive info like tokens and passwords.

What is a matrix build?

Matrix builds allow running jobs with different variable combinations (e.g., OS, language versions) in parallel for efficient testing across environments.

How is dependency caching done?

Using the actions/cache action to save and restore dependencies between runs, speeding up workflows.

What is workflow dispatch?

It allows manual triggering of workflows from the GitHub UI or API for on-demand or scheduled runs.

What are reusable workflows?

Workflows that can be invoked by other workflows using the workflow_call event to promote modularity and reduce duplication.

Intermediate Questions

How do you handle workflow failures?

Use continue-on-error: true to continue after errors, conditionally control steps with if, and set notifications on failure.

What are composite actions?

Actions grouping multiple steps into one reusable unit, defined in .github/actions/.

How do you deploy applications with GitHub Actions?

By including deployment scripts or marketplace actions triggered by events like pushes or releases, integrating with cloud providers or APIs.

What is the needs keyword for?

To specify job dependencies, ensure that jobs run only after predecessors complete successfully.

How do you restrict workflows to branches?

Using filters like on.push.branches or on.pull_request.branches in the workflow YAML.

How do you debug failed workflows?

View detailed logs, enable debug logging via ACTIONS_RUNNER_DEBUG secret, and selectively rerun jobs.

What are security best practices?

Secure secrets, limit runner permissions, restrict workflow triggers on forks or external PRs, and avoid exposing sensitive data in logs.

How do you pass environment variables?

Define variables using env: at workflow, job, or step level; supports secrets and plain text.

How do you reuse variables across workflows?

Use variable groups or inputs in reusable workflows for central management and consistency.

What is a deployment environment?

Logical targets such as dev, test, or prod with protection rules and approval workflows for safe staged deployment.

Advanced Questions

How to manage complex multi-repository workflows?

Use reusable workflows, workflow_run triggers, and repository_dispatch events to coordinate workflows across repos.

What is workflow concurrency and cancellation?

Controls to limit simultaneous runs, optionally canceling older runs to save resources, configured via the concurrency keyword.

How is secrets management scaled?

By integrating external vaults (e.g., HashiCorp, cloud key vaults) or using GitHub Actions OIDC for short-lived tokens.

How to test workflows locally?

Using tools like act that to simulate GitHub Actions runs on local machines.

What is caching strategy optimization?

Creating cache keys using hashes of lock files or dependency versions to improve cache hits.

How to handle dynamic workflow generation?

Generating YAML workflows via scripts or using templating with reusable workflows and matrix strategies.

What are GitHub Actions’ security vulnerabilities?

Risks include exposed secrets, dependency injection attacks, and over-permissioned tokens, mitigated by careful secrets usage, minimal permissions, and code auditing.

How to integrate with cloud providers?

Using official marketplace actions or custom scripts with authentication tokens for providers like AWS, Azure, and GCP.

What is the role of artifacts?

Artifacts store build outputs and logs for download or use in subsequent jobs or workflows, essential in multi-stage pipelines.

How to optimize workflow costs and runtimes?

Using caching, matrix build strategies, selecting minimal runner specs, and optimizing tooling efficiency.