Node 22Next.jsPlaywrightVercel

Next.js + Vercel + Playwright

A pinned, cached workflow for Next.js apps deployed to Vercel.

ADesigned for a clean Pipegrade scan
.github/workflows/ci.yml
# Created by https://pipegrade.io# Template: Next.js + Vercel + Playwright# Edit at https://pipegrade.io/github-actions/nextjs-vercel-playwright name: Next.js CIon:  # Run only when app or lockfile paths change so docs-only commits do not burn CI minutes.  push:    branches:      - main    paths:      - app/**      - components/**      - package.json      - package-lock.json  pull_request:    paths:      - app/**      - components/**      - package.json      - package-lock.json permissions:  # Default the GitHub token to read-only; grant write permissions only in deploy-specific steps.  contents: read concurrency:  # Cancel older runs from the same branch or PR when a newer commit arrives.  group: nextjs-${{ github.workflow }}-${{ github.ref }}  cancel-in-progress: true jobs:  test:    # Keep stuck jobs bounded instead of relying on GitHub's platform maximum.    timeout-minutes: 20    runs-on: ubuntu-latest    steps:      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e        with:          node-version: 22          # Cache npm packages by package-lock.json for faster warm installs.          cache: npm      - run: npm ci      - run: npm run lint      - run: npm test      - run: npx playwright install --with-deps      - run: npx playwright test      - run: npm run build      # No artifacts are uploaded by default. If you add traces or build outputs, set retention-days.      - name: Deploy to Vercel        if: github.ref == 'refs/heads/main'        env:          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}        run: npx vercel deploy --prod --token="$VERCEL_TOKEN"      - name: Notify on failure        if: failure()        run: echo "Send a failure notification to your team channel."

Why it grades A

Why this template grades A

Cost

Cost

npm cache, path filters, and cancel-in-progress reduce wasted runs.

Security

Security

Actions are pinned to full commit SHAs and workflow permissions are read-only by default.

Performance

Performance

Build and test work is kept in one deterministic job unless the stack has a real dependency boundary.

Standards

Standards

Every job has timeout-minutes, a concurrency group, and clear deploy gating on main.

Already have a workflow?

Scan it before copying a starter.

Scan your workflow

Customize

Adapt before merging

  • Confirm the path filters match the directories that should trigger CI.
  • Replace deploy commands and secret names with your actual deployment target.
  • Adjust runner labels, language versions, and timeout-minutes for your workload.
  • Scan the adapted workflow before merging it.

Rules addressed

Checks covered by this template

missing-dependency-cacheunpinned-actionmissing-top-level-permissionsmissing-path-filtersmissing-pr-cancel-concurrencymissing-timeout-minutesmissing-concurrency-groupmissing-failure-notification

Related templates

Updates

Get template updates

These templates use reviewed action SHAs. Get notified when the template library expands.