Splitting up long workflows

I’ve got a build and deploy workflow that is getting rather complex. I’d like to split it up into pieces, hopefully ones that are reusable.

I’ve been through the documentation for hours and frankly I’m lost.

There are different auth mechanisms:

  • PAT (less granular)
  • Deploy Keys (more granular)

There are different action primitives:

  • workflows
  • jobs
  • steps

There are different packaging options:

  • Unbundled (just deploy files directly from an action step)
  • GitHub Packages
  • Workflow Artifacts

There are different events:

  • push
  • workflow_call
  • workflow_dispatch

It all feels very complicated and intertwined.

Basically I have several sets of commands I want to run in series, currently:

  • Build
  • Deploy

But I might want to later add things like Test etc…

I want these to:

  • display nicely in the UI
  • be able to re-run individual parts
  • ideally be able to reuse parts across repos

I don’t want to create access tokens that give access to all repos.

What’s the best way to approach this?

I’m not going to comment on all of this, but do note that this month GitHub addressed your middle bullet:

One approach to scoped tokens is GitHub apps:

GitHub is working on scoped tokens (macaroons? I can’t find a reference), but the standard approach to them is to create accounts specific to sets of repositories and have them issue the tokens. (This will probably cost seats, but a bit of money for a bit of security is usually worth it.)

Try reusable workflows: Reusing workflows - GitHub Docs
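
An added example, not part of the original thread: a Build job kept in a shared repository as a reusable workflow (`workflow_call`) and a Deploy job in the calling repository, chained with `needs` and a workflow artifact. The repository `example-org/ci-workflows`, the `make build` and `./deploy.sh` commands, the `dist/` path and the `DEPLOY_KEY` secret are assumptions for illustration.

```yaml
# File 1 (hypothetical shared repo example-org/ci-workflows):
#   .github/workflows/build.yml
name: build
on:
  workflow_call:
    inputs:
      artifact-name:
        type: string
        default: site
permissions:
  contents: read              # GITHUB_TOKEN in these jobs can only read the repo
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build       # placeholder build command; output assumed in dist/
      - uses: actions/upload-artifact@v4
        with:
          name: ${{ inputs.artifact-name }}
          path: dist/
---
# File 2 (the calling repo): .github/workflows/ci.yml
name: ci
on:
  push:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
jobs:
  build:
    # Pin to a tag or commit SHA rather than a branch for anything you deploy.
    uses: example-org/ci-workflows/.github/workflows/build.yml@main
    with:
      artifact-name: site
  deploy:
    needs: build              # runs only after the build job succeeds
    runs-on: ubuntu-latest
    environment: production   # secrets can be scoped to this environment
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: dist/
      - run: ./deploy.sh dist/                   # placeholder deploy command
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}  # hypothetical environment secret
```

Each job appears as its own node in the run graph, and only the deploy job is handed the deploy credential; the build job runs with a read-only `GITHUB_TOKEN` and no long-lived token.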

Thanks for the links.

The repo scoped access token looks interesting. Annoyingly complex to create one though. Seems like that should be a basic feature available in the UI.
