Step 1 • prereqs
YAML & CI/CD Concepts beginner Understand YAML indentation and data types, the CI/CD feedback loop (commit triggers build triggers test triggers deploy), and the GitHub repository model of branches, forks, and pull requests.
GitHub 3h
Step 2 • fundamentals
First Workflow & Triggers beginner Create your first .github/workflows/ci.yml, understand event triggers (push, pull_request, schedule, workflow_dispatch), branch filters, path filters, and manual dispatch inputs.
3h Step 3 • fundamentals
Jobs, Steps & Environment Variables beginner Structure workflows with multiple jobs (needs: for ordering), define steps with run and uses, set environment variables at workflow/job/step level, and pass outputs between jobs.
4h Step 4 • fundamentals
Using Marketplace Actions beginner Leverage the GitHub Actions Marketplace: pin actions to SHA or version tags, use actions/checkout, actions/setup-node/python/java, and understand the security implications of third-party actions.
3h Step 5 • fundamentals
Secrets, Variables & Environments intermediate Store sensitive values in repository and organisation secrets, create deployment environments with required reviewers and wait timers, use the built-in GITHUB_TOKEN, and scope secrets to environments.
4h Step 6 • intermediate
Caching Dependencies intermediate Speed up workflows with actions/cache: design effective cache keys using lockfile hashes, set restore-keys fallback chains, cache node_modules, pip packages, Gradle, and Maven artifacts.
4h Step 7 • intermediate
Artifacts & Cross-Job File Sharing intermediate Upload build outputs and test reports as artifacts, download them in subsequent jobs, set retention policies, and publish test results using actions like dorny/test-reporter.
3h Step 8 • intermediate
Matrix Builds intermediate Use matrix strategies to run jobs across multiple Node/Python/Java versions and operating systems, customise combinations with include/exclude, control fail-fast, and display matrix in job names.
4h Step 9 • intermediate
Building & Publishing Docker Images intermediate Build Docker images in Actions using docker/build-push-action, push to GitHub Container Registry (GHCR) with GITHUB_TOKEN, use Docker layer caching to speed up builds, and tag images with git SHA and semver.
5h Step 10 • advanced
Deployment Workflows advanced Deploy to cloud targets: push to ECS/Cloud Run/Azure App Service via official actions, use environment gates for staged rollouts, create GitHub Deployment events, and implement rollback steps.
5h Step 11 • intermediate
Environments & Deployment Gates intermediate Create GitHub Environments (staging, production) with required reviewers, wait timers, and branch/tag protection rules. Scope secrets to specific environments so they are only available to designated deployment jobs. Use environment-level concurrency groups to prevent parallel deployments. Track deployment history and status in the Environments UI.
3h Step 12 • advanced
Reusable Workflows & Composite Actions advanced DRY up CI/CD by creating reusable workflows (workflow_call), passing inputs and secrets into them, and building composite actions with action.yml for reusable step sequences across repositories.
5h Step 13 • advanced
OIDC Keyless Cloud Authentication advanced Eliminate long-lived cloud credentials by configuring OIDC trust between GitHub Actions and AWS/GCP/Azure: set up the identity provider, create IAM roles/service accounts with claim conditions, and authenticate with short-lived tokens.
5h Step 14 • advanced
Security: CodeQL, Dependabot & Hardening advanced Harden GitHub Actions security: run CodeQL static analysis, enable Dependabot for automated dependency updates, use dependency-review-action on PRs, minimise permissions with least-privilege, and pin all actions to SHA.
4h Step 15 • advanced
Self-Hosted Runners advanced Register self-hosted runners on your own infrastructure (bare metal, VMs, containers) for private network access, custom hardware (GPU, ARM), or cost control. Configure runner groups and labels for targeted job routing. Use ephemeral runners for security. Autoscale with Actions Runner Controller (ARC) on Kubernetes. Understand security risks of self-hosted runners in public repos and mitigation strategies.
5h 