--- title: "End-to-End: From Commit to Deploy" type: synthesis tags: [ci-cd, workflow, pull-request, deployment, synthesis] updated: 2026-06-19 confidence: high sources: [raw/github_doc-content-pull-requests-collaborating-with-pull-requests-getti-2.md, raw/github_doc-content-actions-concepts-workflows-and-actions-index-md.md, raw/github_doc-content-repositories-configuring-branches-and-merges-in-your-10.md, raw/github_doc-content-actions-concepts-security-github-token-md.md] --- # End-to-End: From Commit to Deploy How GitHub's features compose into one shipping pipeline — the path most teams actually run. ## 1. Branch and commit Create a feature branch off the protected default branch ([repositories-and-git](../concepts/repositories-and-git.md)), commit, and push. Signed commits earn a Verified badge ([authentication](../concepts/authentication.md)). ## 2. Open a pull request The PR is the review and gate point ([pull-requests](../concepts/pull-requests.md)). Keep it small and link the issue (`Closes #N`) for traceability to [Projects](../concepts/issues-and-projects.md). ## 3. Automated checks run Opening/updating the PR triggers [Actions](../concepts/github-actions.md) workflows (`on: pull_request`): lint, test, build, and **code scanning** ([code-security](../concepts/code-security.md)). Jobs run on [runners](../concepts/actions-runners.md) with a least-privilege `GITHUB_TOKEN`. ## 4. Review gate [Branch protection / rulesets](../concepts/branches-and-merging.md) hold the merge until: required approvals (incl. CODEOWNERS), all required status checks green, branch up to date, and Dependabot/secret-scanning clean. This is where quality is enforced, not by convention. ## 5. Merge Squash/merge/rebase per repo policy. The merge to the default branch is itself an event. ## 6. Deploy A `on: push` (to `main`) or `on: release` workflow builds and deploys. Use **environments** for protection rules (required reviewers, wait timers) and scoped secrets, and prefer **OIDC** over stored cloud credentials ([actions-runners](../concepts/actions-runners.md)). Targets might be [Pages](../concepts/github-pages.md) (static), [Packages/`ghcr.io`](../concepts/github-packages.md) (images), or external clouds. ## The compounding effect Each layer is optional alone but compounding together: PRs catch logic errors, required checks catch regressions, code scanning catches vulns, environments gate prod, and OIDC removes long-lived secrets. The same events also drive [webhooks](../concepts/webhooks.md) and the [APIs](../concepts/rest-api.md) for anything GitHub doesn't do natively.