Should I use GitHub Actions or Vercel's native Git integration for deploying Next.js?

For most Next.js projects, Vercel's native Git integration is the right choice. Connect your repository once in the Vercel dashboard, and Vercel automatically deploys every push to main as a production deployment and every pull request as a preview deployment with a unique URL. No YAML to maintain. Vercel also integrates with GitHub pull request statuses, so you can see deployment status in your PR. Use GitHub Actions for deployment only when you need explicit control over the deployment gate — for example, when you want deployment to only happen after all test jobs pass, or when you need to inject secrets from GitHub into the build process rather than storing them in Vercel.

How do I use environment variable secrets in GitHub Actions workflows?

Set secrets in your repository under Settings → Secrets and variables → Actions → New repository secret. Enter a name (e.g., DATABASE_URL) and its value. In your workflow YAML, reference secrets using the syntax ${{ secrets.SECRET_NAME }} — typically passed as environment variables to run steps: env: { DATABASE_URL: "${{ secrets.DATABASE_URL }}" }. GitHub automatically masks secret values in logs so they cannot be read from CI output. For environment-specific secrets (different values for staging vs production), create GitHub Environments (Settings → Environments) and assign secrets to each environment. Reference them in workflow jobs with the environment: environment-name key.

How can I speed up my GitHub Actions CI runs with caching?

The fastest win is enabling npm caching in actions/setup-node@v4 by adding cache: "npm". This caches the npm global cache keyed on the hash of package-lock.json. When dependencies haven't changed (which is most pushes), npm ci completes in ~5 seconds instead of ~60 seconds. This single change typically cuts 50-80% off CI run time for Node.js projects. For additional speed: run lint and tests in parallel jobs (they can both start immediately rather than running sequentially), use npm ci instead of npm install (faster and more reliable for CI), and consider caching the .next build directory if your CI also runs builds (key it on a hash of your source files).

What is a matrix build and when should I use one?

A matrix build runs the same job multiple times with different parameter values defined in a strategy.matrix configuration. The most common use is testing across multiple Node.js versions (18, 20, 22) or multiple operating systems (Ubuntu, macOS, Windows). Each combination runs as a separate parallel job. Use matrix builds when you are publishing an npm package or library that must support multiple Node.js versions, or when your app must work on multiple platforms. For standard Next.js SaaS applications deployed to a single platform (Vercel runs Node 20+), a matrix build is overkill — test against a single LTS version. Matrix builds consume CI minutes proportionally to the matrix size, so only add them when the compatibility coverage is genuinely valuable.

How do I set up branch protection rules requiring CI to pass before merging?

In your GitHub repository: Settings → Branches → Add branch protection rule → set the branch name pattern to "main". Enable "Require a pull request before merging" (prevents direct pushes). Enable "Require status checks to pass before merging," then search for and add your specific job names from GitHub Actions (e.g., "lint-and-typecheck", "test", "build"). Enable "Require branches to be up to date before merging" so PRs must be rebased on latest main before merge. Optionally enable "Do not allow bypassing the above settings" to prevent admins from force-merging. After this, GitHub will block the merge button on any PR where the required CI jobs have not completed successfully.

← Software Engineering Studio

Engineering·7 min read·June 20, 2026

🚀 CI/CD with GitHub Actions: From Code Push to Production in Under 5 Minutes

A practical guide to GitHub Actions CI/CD: writing workflow YAML, running Node.js CI (lint, type-check, test), deploying Next.js to Vercel, using GitHub Secrets for environment variables, caching dependencies, and setting up branch protection rules.

Why CI/CD Is Non-Negotiable for Modern Development

Continuous Integration and Continuous Deployment (CI/CD) is the practice of automatically running tests and deploying code on every push. Without CI/CD, quality gates live only in developers' heads — they get skipped when people are tired, rushed, or forget. With CI/CD, the pipeline enforces your standards consistently: every pull request is linted, type-checked, and tested before any reviewer even opens it. Broken code cannot reach production because the pipeline blocks it.

GitHub Actions is the most natural CI/CD choice for projects hosted on GitHub — it is deeply integrated with pull requests, commit statuses, and branch protection, and the free tier is generous (2,000 minutes/month for public repos, 500 minutes for private). This guide covers everything from your first workflow YAML to production deployment.

GitHub Actions Concepts

Understanding the four-level hierarchy makes YAML files much easier to write and debug:

Workflow — A YAML file in .github/workflows/. A repository can have multiple workflows (e.g., ci.yml, deploy.yml, release.yml).
Job — A unit of work within a workflow that runs on a single runner. Jobs run in parallel by default. Use needs: to make one job depend on another.
Step — A single task within a job. Each step either runs a shell command (run:) or invokes an action (uses:). Steps within a job run sequentially.
Runner — The virtual machine that executes a job. ubuntu-latest is the default and recommended runner for Node.js projects. Also available: windows-latest, macos-latest.

Triggers define when a workflow runs. Common triggers:

on:
  push:
    branches: [main, develop]        # Run on pushes to these branches
  pull_request:
    branches: [main]                 # Run on PRs targeting main
  workflow_dispatch:                 # Allow manual trigger from GitHub UI
  schedule:
    - cron: '0 9 * * 1'             # Every Monday at 9am UTC

Complete Node.js CI Workflow

Here is a production-ready CI workflow for a Next.js TypeScript project:

# .github/workflows/ci.yml
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint-and-typecheck:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run ESLint
        run: npm run lint

      - name: Type check
        run: npx tsc --noEmit

  test:
    name: Tests
    runs-on: ubuntu-latest
    needs: lint-and-typecheck      # Only run tests if lint passes
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test -- --coverage
        env:
          CI: true

      - name: Upload coverage report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: coverage-report
          path: coverage/

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Build Next.js app
        run: npm run build
        env:
          NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
          NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}

Key implementation notes:

actions/checkout@v4 clones your repository into the runner.
actions/setup-node@v4 with cache: 'npm' automatically caches ~/.npm keyed on package-lock.json hash — the single biggest speed improvement for Node.js CI.
npm ci (not npm install) performs a clean install from package-lock.json, fails if the lockfile is out of sync with package.json, and is faster for CI because it skips the lockfile resolution step.
Separating lint and tests into separate jobs provides better visibility: you see immediately whether the failure is a type error or a test failure. The needs: key creates the dependency chain.

Environment Variables and Secrets

GitHub Secrets are encrypted values stored at the repository or organization level. They are injected into workflow runs as environment variables and are never visible in logs (GitHub masks them automatically).

Setting a secret: Repository Settings → Secrets and variables → Actions → New repository secret. Enter the name (e.g., GROQ_API_KEY) and value. The value is encrypted immediately and cannot be read back — only overwritten.

Using secrets in workflows:

steps:
  - name: Build with secrets
    run: npm run build
    env:
      GROQ_API_KEY: ${{ secrets.GROQ_API_KEY }}
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
      NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}

Note that NEXT_PUBLIC_ variables are embedded into the browser bundle at build time — they are not truly secret. It is still correct to store them as GitHub Secrets to avoid hardcoding URLs in the workflow YAML, but do not put genuinely sensitive credentials (API keys, service role keys) in variables with the NEXT_PUBLIC_ prefix.

For environment-specific secrets (different values for staging vs production), use GitHub Environments (Settings → Environments). An environment named "production" can have its own set of secrets and require manual approval before deployment jobs run.

Caching Dependencies for Speed

The cache: 'npm' option in actions/setup-node@v4 is the simplest caching setup. It automatically caches the npm cache directory keyed on the hash of package-lock.json. When dependencies haven't changed, the cache is restored and npm ci takes ~5 seconds instead of ~60 seconds.

For more control, use actions/cache@v4 directly:

- name: Cache node_modules
  uses: actions/cache@v4
  id: npm-cache
  with:
    path: node_modules
    key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-node-

- name: Install dependencies
  if: steps.npm-cache.outputs.cache-hit != 'true'
  run: npm ci

Caching node_modules directly (rather than the npm cache) saves even more time — but it can occasionally cause issues if native modules need to be rebuilt for the runner OS. The cache: 'npm' shorthand in setup-node is safer for most projects.

Matrix Builds: Test Across Node.js Versions

Matrix builds run a job multiple times with different parameter values. Use them to verify your package or app works across Node.js versions:

jobs:
  test:
    strategy:
      matrix:
        node-version: ['18', '20', '22']
      fail-fast: false           # Don't cancel other matrix jobs if one fails
    runs-on: ubuntu-latest
    name: Test (Node ${{ matrix.node-version }})
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
      - run: npm ci
      - run: npm test

Matrix builds are most useful for library packages that need to support multiple Node.js versions. For application deployments (Next.js apps), testing a single LTS version (currently Node 20) is sufficient. Do not add matrix builds just because you can — they consume CI minutes proportionally to the matrix size.

Deploying Next.js to Vercel: Two Options

Option A — Vercel Native Git Integration (recommended): Connect your GitHub repository to Vercel once in the Vercel dashboard. Vercel automatically deploys every push to main as a production deployment, and every pull request gets a unique preview URL. Zero workflow YAML required. Vercel's build infrastructure is optimized for Next.js (they maintain Next.js), so builds are fast and correct by default.

Option B — Vercel CLI in GitHub Actions:

jobs:
  deploy:
    runs-on: ubuntu-latest
    needs: [lint-and-typecheck, test]
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Vercel
        uses: amondnet/vercel-action@v25
        with:
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
          vercel-args: '--prod'

Use Option B when you need to control the deployment gate precisely — for example, deploy only after all jobs pass and only from main, with production secrets injected during the workflow rather than stored in Vercel. The trade-off: more complexity to maintain, and you need to keep the VERCEL_TOKEN rotated.

Recommendation: Use Vercel native integration for most projects. Add a CI workflow (ci.yml) that runs lint/type-check/tests on PRs, and let Vercel handle deployments. Use branch protection to require the CI workflow to pass before merging — this gives you the quality gates without the complexity of a custom deploy workflow.

Branch Protection Rules: Enforcing Your Pipeline

A CI pipeline is useless if developers can merge without it passing. Branch protection rules enforce your quality gates.

Go to: Repository Settings → Branches → Add branch protection rule → Branch name pattern: main

Configure:

Require a pull request before merging — No direct pushes to main. All changes go through PRs.
Require status checks to pass before merging — Add your GitHub Actions jobs (lint-and-typecheck, test, build) as required checks. PRs cannot be merged until all these pass.
Require branches to be up to date before merging — The PR must be based on the latest main before merging, preventing "works on my branch" merges that break when combined with recent changes.
Restrict who can push to matching branches — Admins only (or specific teams).
Do not allow bypassing the above settings — Even admins must go through the PR process.

Practical Tips for Faster, Better CI

Fail fast: Put the fastest checks first (lint runs in ~10 seconds, tests may take minutes). Use needs: to chain jobs — skip tests if lint fails, skip builds if tests fail.
[skip ci] convention: Add [skip ci] to commit messages that should not trigger CI (documentation updates, README changes). GitHub Actions respects this convention automatically.
Separate lint and test jobs: When both run in one job, a test failure buries lint errors. Separate jobs show exactly which gate failed without reading logs.
Pin action versions: Use actions/checkout@v4 not actions/checkout@latest. Unpinned versions can change behavior unexpectedly on a future push.
Timeouts: Add timeout-minutes: 10 to jobs to prevent runaway jobs from consuming all your CI minutes when something hangs.

Topics covered

GitHub Actions tutorialCI/CD pipeline GitHubGitHub Actions Node.jsGitHub Actions Next.js deployGitHub Actions secretsGitHub Actions cache npmVercel CI/CD deploymentGitHub branch protection rulesGitHub Actions matrix buildGitHub Actions workflow YAMLnpm ci GitHub ActionsTypeScript CI pipelineGitHub Actions vs Vercel deploymentGitHub Actions environment variablesCI/CD best practicesGitHub status checksGitHub Actions ubuntu runnerskip ci commit conventionGitHub Actions reusable workflow

🛠️ Related Free Tools

Put this knowledge to work on your iPhone

Browse our full catalog of professional iOS apps — from electrical code tools to AI builders.

Browse All 95+ Apps