
Beyond basic CI, GitHub Actions supports reusable workflows, composite actions, dynamic matrices, and OIDC authentication. This guide covers advanced patterns used by engineering teams at scale in 2026.
Reusable Workflows

```yaml
# .github/workflows/reusable-test.yml
name: Reusable test

on:
  workflow_call:
    inputs:
      python-version:
        required: true
        type: string
    secrets:
      codecov-token:
        required: true

# Least privilege: this workflow only needs to read the repository.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ inputs.python-version }}
      - run: pip install -r requirements.txt && pytest --cov
      # The secret declared above is consumed here; without this step it is
      # passed in but never used.
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.codecov-token }}
```

```yaml
# Caller workflow (for example .github/workflows/ci.yml)
on: [push, pull_request]

jobs:
  run-tests:
    uses: ./.github/workflows/reusable-test.yml
    with:
      python-version: '3.12'
    secrets:
      codecov-token: ${{ secrets.CODECOV_TOKEN }}
```
Dynamic Matrix (Generated at Runtime)

```yaml
jobs:
  generate-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@v4
      - id: set-matrix
        run: |
          set -euo pipefail
          # List only the sub-directories of services/ (plain ls would also pick
          # up stray files) and turn the names into a JSON array.
          SERVICES=$(find services -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
            | jq -R -s -c 'split("\n")[:-1]')
          echo "matrix={\"service\":$SERVICES}" >> "$GITHUB_OUTPUT"

  build:
    needs: generate-matrix
    strategy:
      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build services/${{ matrix.service }}
```
OIDC Authentication (No Long-Lived Secrets)

Use OIDC to exchange a short-lived GitHub token for cloud credentials. No stored secrets are needed. The trust policy on the cloud side must check the token's subject (`sub`) claim and scope it to the repository and the branch or environment that is allowed to deploy; a trust policy that accepts any subject from the GitHub issuer lets any repository assume the role.

```yaml
permissions:
  id-token: write   # needed to request the OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder account id; substitute your own role ARN.
          role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
          aws-region: us-east-1
          # Makes the assuming run identifiable in CloudTrail.
          role-session-name: github-actions-${{ github.run_id }}
      - run: aws ecs update-service --cluster prod --service myapp --force-new-deployment
```
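To make the trust-policy point concrete, here is an added example (not code from this guide, GitHub or AWS) that models the checks a cloud identity provider applies to a GitHub OIDC token before it hands out credentials. The claim names are the ones GitHub issues; the `token_is_trusted` helper, the policy shape and the sample claims are assumptions constructed for illustration.

```python
"""Model of the issuer / audience / subject checks behind an OIDC role trust policy.

Added example. GitHub's OIDC tokens carry iss, aud and sub claims; sub has the form
"repo:<owner>/<repo>:ref:refs/heads/<branch>", "repo:<owner>/<repo>:environment:<env>"
or "repo:<owner>/<repo>:pull_request". The helper below is a hypothetical stand-in
for what the cloud side evaluates; the policy patterns mimic IAM's StringLike.
"""
from fnmatch import fnmatchcase

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def token_is_trusted(claims, audience, allowed_subs):
    """Return True only if issuer, audience and subject all match the policy.

    allowed_subs is a list of glob patterns for the sub claim. The function does
    not reject wildcards itself, so the caller sees exactly how much a pattern
    such as "repo:acme/*" widens the trust boundary.
    """
    if claims.get("iss") != GITHUB_ISSUER:
        return False  # token was not minted by GitHub's OIDC provider
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return False  # token was requested for a different relying party
    sub = claims.get("sub", "")
    return any(fnmatchcase(sub, pattern) for pattern in allowed_subs)


# Constructed sample payloads (subset of the claims in a real GitHub OIDC token).
MAIN_BRANCH_DEPLOY = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:acme/api:ref:refs/heads/main",
    "repository": "acme/api",
    "ref": "refs/heads/main",
}
PULL_REQUEST_RUN = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:acme/api:pull_request",
    "repository": "acme/api",
}

# A tightly scoped policy: only workflow runs on main of acme/api may deploy.
STRICT_POLICY = ["repo:acme/api:ref:refs/heads/main"]
# An over-broad policy: every ref and event in every acme repository qualifies.
WILDCARD_POLICY = ["repo:acme/*"]
```

Running the strict policy against the two payloads shows the main-branch run accepted and the pull-request run refused, while the wildcard policy accepts both, which is why `sub` should name the branch or environment rather than end in `*`.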
Environment Protection Rules

```yaml
jobs:
  staging:
    environment: staging
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh staging

  production:
    # Manual approval comes from the required reviewers configured on the
    # "production" environment in the repository settings, not from this file.
    environment: production
    needs: staging
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh production
```
Composite Actions

```yaml
# .github/actions/setup-project/action.yml
name: Setup Project
description: Install Python and the project's cached dependencies  # required field
inputs:
  python-version:
    description: Python version to install  # required for every input
    default: '3.12'
runs:
  using: composite
  steps:
    - uses: actions/setup-python@v5
      with:
        python-version: ${{ inputs.python-version }}
    - uses: actions/cache@v4
      with:
        path: ~/.cache/pip
        key: pip-${{ hashFiles('requirements.txt') }}
    # Every run step in a composite action must declare its shell.
    - run: pip install -r requirements.txt
      shell: bash
```
Conclusion
Reusable workflows eliminate duplication across repos. OIDC removes the need to store long-lived cloud credentials as secrets. Environment protection rules gate production deployments behind human approval. These three patterns are essential for any engineering team in 2026.