15 Most Used Plugins in GitHub Actions

Introduction

GitHub Actions has exploded into the most widely used CI/CD platform because of its massive, vibrant marketplace of reusable actions. As of 2025, there are over 25,000 actions available, but only a small handful are trusted and used by millions of repositories every single day.

This definitive list ranks the 15 most downloaded, starred, and actively maintained actions that appear in virtually every professional GitHub Actions workflow. Each entry includes real-world usage examples, best practices, and why it has earned its place in the hall of fame.

1. actions/checkout@v4 – The Essential First Step

Used in over 95% of all workflows. Checks out your repository so your job can access the code.

• Supports shallow clone, submodules, LFS, sparse checkout
• v4 is faster and more secure with persist-credentials: false by default
• Always pin to @v4 or specific commit SHA for security

2. actions/setup-node@v4 – Fast Node.js Setup

The gold standard for Node.js projects. Installs any Node version and automatically configures npm/yarn/pnpm caching.

• Built-in cache for node_modules using actions/cache
• Supports node-version-file: .nvmrc, .node-version
• Used in millions of repositories including Next.js, React, Vue

3. actions/setup-python@v5 – Python Environment Made Easy

Installs Python and sets up pip/poetry/uv caching. Used by FastAPI, Django, and data science projects.

• cache-dependency-path for requirements.txt or pyproject.toml
• Supports PyPy, GraalPy, and multiple architectures

4. actions/setup-java@v4 – For Java and Scala Projects

Sets up JDK with Maven/Gradle caching. Essential for Spring Boot, Android, and Micronaut apps.

• Distributions: temurin, zulu, adopt, liberica
• Automatic cache for ~/.m2 and ~/.gradle

5. actions/cache@v4 – Speed Up Every Build

Saves and restores dependencies, build outputs, or any files between jobs. Often cuts build time by 70–90%.

• Perfect for node_modules, Cargo, Go modules, Maven, Gradle
• Uses cache key based on hashFiles of lockfiles
• Now supports save-always and restore-only modes

6. actions/upload-artifact & download-artifact@v4

Share files (build outputs, test reports, coverage) between jobs in the same workflow.

• Automatic compression and parallel upload/download
• Retention days configurable
• Used heavily in monorepos and matrix builds

7. docker/login-action & build-push-action@v5

The official way to build and push Docker images to GitHub Container Registry, Docker Hub, ECR, GCR, etc.

• Multi-platform builds with Buildx
• Provenance attestation and SBOM generation
• Cache layers with cache-to/cache-from

8. actions/github-script@v7 – Write Inline Scripts

Run JavaScript/TypeScript directly in your workflow to interact with GitHub API, add labels, create issues, etc.

• No need for separate repository or Docker image
• Access github context, octokit client
• Perfect for dynamic matrix, conditional logic

9. slackapi/slack-github-action – Slack Notifications

Send beautiful, customizable notifications to Slack on success, failure, or any status.

• Supports blocks, attachments, workflow run links
• Used with AWS SNS to Slack bridges too

10. actions/stale@v9 – Auto-close Inactive Issues/PRs

Automatically marks and closes stale issues and pull requests with configurable messages and exemptions.

11. codeql-action – GitHub’s Own Security Scanner

Free, world-class SAST for JavaScript, Python, Java, C#, Go, Ruby, and more.

• Runs by default on every push in public repos
• Advanced variant analysis in GitHub Advanced Security

12. aquasecurity/trivy-action – Container & Misconfig Scanning

Scans Docker images and git repositories for vulnerabilities, secrets, and misconfigurations.

• Zero-config, extremely fast
• Supports SBOM generation and secure S3 + CloudFront artifact uploads

13. hashicorp/setup-terraform@v3 – Terraform Automation

Installs Terraform CLI and sets up wrapper for plan/apply with comments on PRs.

• Automatic formatting and validation
• Backend configuration via CLI flags

14. azure/login & kubernetes-set-context – Azure & AKS Deployments

Official actions for logging into Azure and setting kubectl context for AKS clusters.

15. stefanzweifel/git-auto-commit-action – Commit Back to Repo

Automatically commits and pushes generated files (OpenAPI specs, docs, lockfiles) back to the same branch.

• Perfect for automated documentation or contract testing
• Used by thousands of open-source projects

Top 15 GitHub Actions – Quick Reference Table

Conclusion

These 15 actions form the foundation of virtually every professional GitHub Actions workflow in 2025. They are battle-tested, actively maintained by GitHub and trusted partners, and optimized for speed and security.

Start with checkout, setup-*, cache, and upload/download-artifact. Then layer on Docker, security scanning with CodeQL/Trivy, and notifications via SNS + Lambda or Slack. Pin every action to a full-length SHA (not just @v4) in production for immutable, secure pipelines. Master these fifteen, and you’ll be writing world-class CI/CD in no time.

Frequently Asked Questions

Should I pin actions to tags or commit SHAs?

Always pin to full commit SHA in production. Tags can be force-pushed and break your builds.

Are third-party actions safe?

Only use Verified Creator actions or ones you audit. GitHub now warns about unverified ones.

Can I use these actions in self-hosted runners?

Yes. All listed actions work perfectly on self-hosted or GitHub-hosted runners.

How do I cache node_modules correctly?

Use actions/setup-node with cache: 'npm' (or yarn/pnpm) — it handles everything automatically.

Is actions/cache being replaced?

No. It’s still the fastest and most widely used caching solution.