ReleaseRun · GitHub Actions 2026
5 GitHub Actions Mistakes That Slow Down Every Build
Each one adds minutes to every CI run and makes pipelines less safe.
Mistake 1 / 5
Not caching dependencies
`npm install` or `pip install` from scratch on every run: 300 packages, 45 seconds, every commit. Cache the package manager's download directory keyed by the lockfile hash and you pay the download cost once per lockfile change. `npm ci` still runs on every build, but it unpacks from the local cache instead of pulling from the registry.

```yaml
- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-node-
```

✓ Cache by lockfile hash = near-zero download time while the lockfile is unchanged; the `restore-keys` prefix still gives a partial hit on the first run after it changes
Mistake 2 / 5
Queuing redundant workflow runs
Push 3 commits in quick succession and 3 full CI runs queue up. Without a concurrency group all three run to completion, even though only the result for the newest commit matters; the first two simply burn your minutes allowance.

```yaml
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
```

✓ Three lines at workflow level, instant savings
⚠ Don't enable `cancel-in-progress` for deploy jobs on release/main branches: cancelling a half-finished deploy leaves the environment in an unknown state. Keep the group so runs serialize, and set `cancel-in-progress` to false there (or to an expression that is only true off those branches).
Mistake 3 / 5
Using `@v4` instead of a commit SHA
Tags are mutable. Whoever controls the action's repository, or an attacker who compromises it, can move the `v4` tag of `actions/checkout` to any commit, and every workflow referencing `@v4` picks it up on its next run. This is a real supply-chain attack vector: in March 2025 the tags of `tj-actions/changed-files` were retargeted to a commit that dumped CI secrets into build logs. A full 40-character commit SHA is the only reference form GitHub never resolves through a tag or branch.

```yaml
# Unsafe: tag can be moved
- uses: actions/checkout@v4
# Safe: pinned to exact commit. Keep the tag as a trailing comment so humans
# and Dependabot/Renovate can still tell which version the SHA corresponds to.
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
```

✓ Pin to full SHA in security-sensitive repos, and let Dependabot or Renovate bump the pin so it does not rot
⚠ A SHA pin covers only that action. A composite action that itself references other actions by tag still pulls mutable code.
Mistake 4 / 5
Missing permissions block
Unless you declare otherwise, `GITHUB_TOKEN` gets whatever the repository or organization has set as its default, and for older repositories that default is read and write on nearly every scope. A compromised action in your pipeline can then push commits, create releases, or modify issues. Scope it down explicitly in the workflow so the job is safe regardless of repository settings.

```yaml
permissions:
  contents: read        # the only scope most build jobs need
  pull-requests: write  # only if you need it (e.g. to post a comment)
  # Every scope not listed is set to none once any permission is declared
```

✓ Declare permissions at workflow level as the floor; a job-level block overrides it for that job only, so grant extra scopes per job
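Mistakes 3 and 4 can both be checked mechanically before a workflow is merged. The scanner below is an added example written for this page, not ReleaseRun's tool or code from GitHub. It reads workflow YAML as text (deliberately regex-based so it runs with the standard library only, at the cost of ignoring YAML edge cases), flags every `uses:` reference that is not a full 40-hex commit SHA or an image digest, and reports a missing `permissions:` block or a `write-all` grant. The sample workflow, the 40-hex SHA in it and the script name in the usage comment are constructed for the example.

```python
"""Scan GitHub Actions workflow files for unpinned action references (Mistake 3)
and missing or over-broad GITHUB_TOKEN permissions (Mistake 4).

Example code written for this page. It treats the workflow as text with
regexes rather than parsing YAML, so it runs with the standard library only."""
import re
import sys

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                    # immutable git object id
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
PERMISSIONS_LINE = re.compile(r"^\s*permissions:\s*(\S*)")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value as pinned, mutable, local or docker."""
    if uses.startswith("./"):
        return "local"      # action stored in this repo, versioned with the code
    if uses.startswith("docker://"):
        return "docker"     # container images are pinned with @sha256:<digest> instead
    if "@" not in uses:
        return "mutable"    # bare owner/repo resolves to the default branch
    ref = uses.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(ref) else "mutable"


def lint_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file's contents."""
    findings = []
    saw_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            uses = m.group(1)
            kind = classify_ref(uses)
            if kind == "mutable":
                findings.append(f"line {lineno}: {uses} is not pinned to a full commit SHA")
            elif kind == "docker" and "@sha256:" not in uses:
                findings.append(f"line {lineno}: {uses} is not pinned to an image digest")
            continue
        m = PERMISSIONS_LINE.match(line)
        if m:
            saw_permissions = True        # workflow-level or job-level both count
            if m.group(1) == "write-all":
                findings.append(f"line {lineno}: permissions: write-all grants every scope")
    if not saw_permissions:
        findings.append("no permissions: block; GITHUB_TOKEN gets the repository default")
    return findings


# Constructed sample workflow. The setup-node SHA is a made-up 40-hex value
# that stands in for a real pinned commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: npm ci
"""

if __name__ == "__main__":
    # Usage: python lint_workflows.py .github/workflows/*.yml   (no args: lint the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    bad = False
    for path, text in sources:
        for finding in lint_workflow(text):
            bad = True
            print(f"{path}: {finding}")
    sys.exit(1 if bad else 0)
```

Run against the sample it reports the `@v4` checkout, the undigested `docker://` image and the missing `permissions:` block, and exits non-zero, so it can sit in CI as a gate on `.github/workflows/` itself. The pinned setup-node step and the local `./` action pass.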
Mistake 5 / 5
Storing cloud credentials as secrets
Long-lived AWS/GCP keys in GitHub Secrets can leak via log exposure, third-party actions, or `pull_request_target` workflows that run untrusted fork code with secrets in scope. With OIDC the job requests a short-lived token signed by GitHub and exchanges it for cloud credentials that expire with the job, so there is nothing stored to leak.

```yaml
permissions:
  id-token: write   # required: lets the job request an OIDC token from GitHub
steps:
  - uses: aws-actions/configure-aws-credentials@v4   # pin to a SHA per Mistake 3
    with:
      role-to-assume: arn:aws:iam::123:role/github-ci
      aws-region: eu-west-1
      # No key ID or secret key stored anywhere
```

✓ OIDC = ephemeral tokens, zero stored secrets
⚠ The role's trust policy must restrict the token's `sub` claim (for example to `repo:your-org/your-repo:ref:refs/heads/main`). A trust policy that checks only the issuer and audience lets any GitHub repository assume the role.
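The `role-to-assume` step is only half of the setup; the other half is the role's IAM trust policy, and that is where the real mistake usually hides. The checker below is an added example written for this page (not code from ReleaseRun, GitHub or AWS): it parses a trust policy JSON document and flags statements that let the GitHub OIDC provider assume the role without an `aud` check, without any `sub` condition, or with a `sub` pattern that does not pin a single repository. Both policy documents are constructed for the example; the account ID, organization and repository names are placeholders.

```python
"""Audit an AWS IAM trust policy for a GitHub Actions OIDC role.

role-to-assume is only safe if the trust policy limits *which* GitHub
workflows may assume the role, which is done through the token's sub claim.
Example code written for this page; the policies below are constructed."""
import json

PROVIDER = "token.actions.githubusercontent.com"
AUD_KEY = f"{PROVIDER}:aud"
SUB_KEY = f"{PROVIDER}:sub"


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _sub_problem(pattern: str):
    """Return a complaint about a sub pattern, or None if it pins one repository."""
    parts = pattern.split(":", 2)           # repo:<owner>/<name>:<claims...>
    if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
        return f"sub pattern {pattern!r} does not pin a single repository"
    if len(parts) < 3 or parts[2] == "*":
        return (f"sub pattern {pattern!r} allows every branch, tag and "
                "pull_request run in the repository")
    return None


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for statements that trust the GitHub OIDC provider."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal {principal!r} is not a federated provider")
            continue
        if not any(PROVIDER in f for f in _as_list(principal.get("Federated", []))):
            continue                        # some other identity provider; out of scope
        # Flatten every condition operator (StringEquals, StringLike, ...) into key -> values
        keys: dict[str, list] = {}
        for kv in st.get("Condition", {}).values():
            for k, v in kv.items():
                keys.setdefault(k, []).extend(_as_list(v))
        if "sts.amazonaws.com" not in keys.get(AUD_KEY, []):
            findings.append(f"statement {i}: no {AUD_KEY} = sts.amazonaws.com condition")
        subs = keys.get(SUB_KEY, [])
        if not subs:
            findings.append(f"statement {i}: no {SUB_KEY} condition; "
                            "any GitHub repository can assume this role")
        for s in subs:
            problem = _sub_problem(s)
            if problem:
                findings.append(f"statement {i}: {problem}")
    return findings


# Constructed policies. WEAK trusts the provider and checks aud but never sub.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}
}]}""")

# FIXED adds a sub condition scoped to one repository and one branch.
FIXED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}
  }
}]}""")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_trust_policy(policy) or ["ok"])
```

The weak policy is the one that gets copied from quick-start guides: it proves the token came from GitHub but not from your repository, so any public repo's workflow can assume `github-ci`. Branch wildcards such as `repo:org/repo:ref:refs/heads/*` pass the check deliberately; whether those are acceptable depends on who can push to the repo, which the policy alone cannot tell you.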
Grade your dependencies in CI
Add one step to your GitHub Actions workflow. ReleaseRun checks every dependency for EOL status and CVE exposure. A-F grades in 30 seconds.