
uinaf/gh-deploy-pipeline

Set up or align a GitHub Actions deploy pipeline for an app or service. Use when standardizing repos around the verify-then-deploy shape: push to main → detect affected lanes → verify and build artifacts → e2e → deploy each lane to its host (Cloudflare Pages, AWS Amplify, GHCR + VPS).

99

1.21x
Quality: 100% (Does it follow best practices?)

Impact: 97%, 1.21x (Average score across 4 eval scenarios)

Security by Snyk: Passed, No known issues


Evaluation results

100%

18%

GitHub Actions Pipeline for a Two-App Monorepo

| Criteria | Without context | With context |
| --- | --- | --- |
| paths-filter for detection | 0% | 100% |
| Lockfile in filter | 100% | 100% |
| fetch-depth 0 on changes job | 0% | 100% |
| Lane conditional build | 100% | 100% |
| Deploy non-cancellable | 100% | 100% |
| Verify/e2e cancellable | 87% | 100% |
| Concurrency group lane-scoped | 100% | 100% |
| Shared concurrency key | 100% | 100% |
| Explicit result check | 100% | 100% |
| Manual deploy workflow | 100% | 100% |
| ref input to checkout | 100% | 100% |
| Independent lane verification | 100% | 100% |

100%

31%

Reliable GitHub Actions Deploy Pipeline for a React SPA

| Criteria | Without context | With context |
| --- | --- | --- |
| No rebuild in deploy | 100% | 100% |
| Artifact downloaded in e2e | 100% | 100% |
| Upload version v7 | 0% | 100% |
| if-no-files-found error | 100% | 100% |
| include-hidden-files | 0% | 100% |
| Unique artifact name | 100% | 100% |
| Separate stages | 100% | 100% |
| Smoke step present | 100% | 100% |
| Smoke step fails on non-200 | 62% | 100% |
| GITHUB_STEP_SUMMARY | 0% | 100% |
| Deploy needs both verify and e2e | 42% | 100% |

100%

11%

Secure Secrets and Credentials Wiring for a GitHub Actions Deploy Pipeline

| Criteria | Without context | With context |
| --- | --- | --- |
| 1Password for runtime env | 100% | 100% |
| op:// references in template | 100% | 100% |
| OIDC for cloud credentials | 100% | 100% |
| id-token write at job level | 22% | 100% |
| Root permissions minimal | 42% | 100% |
| No secrets as CLI flags | 100% | 100% |
| No env file dump | 100% | 100% |
| account-id in vars not secrets | 100% | 100% |
| Fine-grained PAT | 100% | 100% |
| GitHub secrets only for bootstrap | 100% | 100% |
| Env rendered in runner not VPS | 100% | 100% |

90%

8%

Preserve the Working Deploy Workflow Shape

| Criteria | Without context | With context |
| --- | --- | --- |
| Uses local composite action | 100% | 100% |
| Composite matches sibling shape | 100% | 100% |
| Artifact pass-through | 100% | 100% |
| E2E uses artifact | 100% | 100% |
| Smoke after deploy | 100% | 100% |
| Smoke fails closed | 100% | 100% |
| No unexplained marketplace swap | 100% | 100% |
| Mentions sibling precedent | 0% | 0% |
| Uses narrow credentials | 57% | 71% |
| Deploy concurrency safe | 0% | 100% |

Evaluated
Agent: Claude
Model: Claude Sonnet 4.6
