Ruby 3.3RailsRSpecHeroku

Rails + Heroku + RSpec

A Ruby workflow with Bundler caching and Heroku deployment.

ADesigned for a clean Pipegrade scan
.github/workflows/ci.yml
# Created by https://pipegrade.io# Template: Rails + Heroku + RSpec# Edit at https://pipegrade.io/github-actions/rails-heroku-rspec name: Rails CIon:  # Run only when Rails app, config, database, or Bundler manifests change.  push:    branches:      - main    paths:      - app/**      - config/**      - db/**      - Gemfile      - Gemfile.lock  pull_request:    paths:      - app/**      - config/**      - db/**      - Gemfile      - Gemfile.lock permissions:  # Keep GITHUB_TOKEN read-only; Heroku deploy uses HEROKU_API_KEY explicitly.  contents: read concurrency:  # Cancel outdated PR runs so only the newest commit spends CI minutes.  group: rails-${{ github.workflow }}-${{ github.ref }}  cancel-in-progress: true jobs:  test:    # Bound Rails tests and asset compilation instead of relying on the platform limit.    timeout-minutes: 25    runs-on: ubuntu-latest    env:      RAILS_ENV: test    steps:      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd      - uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f        with:          ruby-version: '3.3'          # setup-ruby installs gems and restores Bundler cache from Gemfile.lock.          bundler-cache: true      - run: bundle exec rails db:schema:load      - run: bundle exec rspec      - run: bundle exec rails assets:precompile      # No artifacts are uploaded by default. If you add coverage or assets, set retention-days.      - name: Deploy to Heroku        if: github.ref == 'refs/heads/main'        env:          HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}          HEROKU_APP_NAME: ${{ secrets.HEROKU_APP_NAME }}        run: git push "https://heroku:$HEROKU_API_KEY@git.heroku.com/$HEROKU_APP_NAME.git" HEAD:main      - name: Notify on failure        if: failure()        run: echo "Send a failure notification to your team channel."

Why it grades A

Why this template grades A

Cost

Cost

Bundler cache, path filters, and job timeout keep Rails CI controlled.

Security

Security

Actions are pinned to full commit SHAs and workflow permissions are read-only by default.

Performance

Performance

Build and test work is kept in one deterministic job unless the stack has a real dependency boundary.

Standards

Standards

Every job has timeout-minutes, a concurrency group, and clear deploy gating on main.

Already have a workflow?

Scan it before copying a starter.

Scan your workflow

Customize

Adapt before merging

  • Confirm the path filters match the directories that should trigger CI.
  • Replace deploy commands and secret names with your actual deployment target.
  • Adjust runner labels, language versions, and timeout-minutes for your workload.
  • Scan the adapted workflow before merging it.

Rules addressed

Checks covered by this template

missing-dependency-cacheunpinned-actionmissing-top-level-permissionsmissing-path-filtersmissing-pr-cancel-concurrencymissing-timeout-minutesmissing-concurrency-groupmissing-failure-notification

Related templates

Updates

Get template updates

These templates use reviewed action SHAs. Get notified when the template library expands.