GitHub Actions CI/CD for AI Coding Projects: Complete Setup Guide

Set up GitHub Actions CI/CD for projects built with AI coding tools. Covers automated testing, linting, type checking, deployment, and AI code review in your pipeline. Real examples included.


When you're using AI coding tools like Claude Code or Cursor, the code quality bar needs to be higher, not lower. AI can generate a lot of code quickly — but it can also introduce subtle bugs, inconsistent patterns, and security vulnerabilities.

A well-configured CI/CD pipeline catches these issues automatically, every time. This guide shows you how to build one.

---

Why AI-Generated Code Needs Strict CI

AI coding tools produce working code at incredible speed. But they also share common failure modes:

| AI Problem | CI Guard |
|------------|----------|
| Outdated dependencies | npm audit / dependabot |
| Inconsistent formatting | ESLint + Prettier |
| Type errors from assumptions | TypeScript strict check |
| Failing tests | Vitest / Jest |
| Security vulnerabilities | CodeQL + Snyk |
| Dead code or unused imports | ESLint no-unused-vars |
| Large or complex functions | Code complexity check |

Let's build a pipeline that catches all of these.

---

Step 1: Basic Lint + Type Check Pipeline

Create .github/workflows/ci.yml in your project:

name: CI

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

jobs:
  quality:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"

      - name: Install dependencies
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Type check
        run: npx tsc --noEmit

      - name: Run tests
        run: npm test

      - name: Build
        run: npm run build

This is your minimum viable CI pipeline. Every PR and push triggers linting, type checking, testing, and a build check.

---

Step 2: Add Prettier and Formatting

Add to your package.json:

{
  "scripts": {
    "format": "prettier --check .",
    "format:fix": "prettier --write ."
  }
}

Extend the CI pipeline:

      - name: Check formatting
        run: npm run format

---

Step 3: Security Scanning

AI agents often generate code with security blind spots. Add CodeQL:

  security:
    runs-on: ubuntu-latest
    permissions:
      # Listing any permission sets the unlisted ones to none, so the
      # contents: read that checkout relies on in private repositories
      # has to be spelled out.
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript, typescript, python

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3

And add dependency scanning:

  dependencies:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Audit dependencies
        run: npm audit --audit-level=high

      - name: Check for vulnerable packages
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
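
The Snyk step above passes SNYK_TOKEN to an action referenced by branch name (@master), and the other steps use version tags such as @v4; only a full commit SHA is an immutable reference. The script below is an added example, not part of the original guide: it lists every uses: reference in a workflow that is not SHA-pinned and notes whether that step receives a secret. The sample workflow, the auditWorkflow name, example-org/pinned-action and its hash are constructed for illustration.

```javascript
// Added example: list `uses:` references that are not pinned to a full commit
// SHA and note whether the same step is handed a secret. Line-based heuristic,
// not a YAML parser.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Constructed sample: steps from this guide's jobs plus one SHA-pinned step
// (example-org/pinned-action and its hash are placeholders).
const sampleWorkflow = [
  "jobs:",
  "  dependencies:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - name: Check for vulnerable packages",
  "        uses: snyk/actions/node@master",
  "        env:",
  "          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}",
  "      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567",
].join("\n");

function auditWorkflow(yamlText) {
  const steps = [];
  let cur = null;
  yamlText.split("\n").forEach((line, i) => {
    const start = line.match(/^(\s*)-\s+[\w-]+:/); // "- uses:", "- name:", ...
    const indent = line.search(/\S/);
    if (start) steps.push((cur = { line: i + 1, indent: start[1].length, body: line }));
    else if (cur && indent !== -1 && indent <= cur.indent) cur = null; // list ended
    else if (cur) cur.body += "\n" + line;
  });
  const findings = [];
  for (const step of steps) {
    const m = step.body.match(/\buses:\s*["']?([^\s"'#]+)/);
    if (!m || m[1].startsWith("./") || m[1].startsWith("docker://")) continue;
    const [action, ref = ""] = m[1].split("@");
    if (FULL_SHA.test(ref)) continue; // immutable reference
    findings.push({
      line: step.line,
      action,
      ref,
      // Heuristic: version-looking refs are tags, anything else is a branch.
      kind: /^v?\d+(\.\d+)*$/.test(ref) ? "tag" : "branch",
      receivesSecret: /\$\{\{\s*secrets\./.test(step.body),
    });
  }
  return findings;
}

console.log(auditWorkflow(sampleWorkflow));
```

Findings with kind "branch" and receivesSecret true are the ones to pin first, since whoever can push to that branch upstream runs code with the secret in scope.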

---

Step 4: Automated AI Code Review

When AI generates your PRs, you want AI to review them too. Add a code review step:

  ai-review:
    runs-on: ubuntu-latest
    needs: quality

    steps:
      - uses: actions/checkout@v4

      - name: AI Code Review
        uses: anthropics/claude-code-review@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # Optional: Focus areas
          focus: security, performance, maintainability
          # Optional: Custom rules
          rules: |
            - Flag any hardcoded secrets or API keys
            - Suggest async/await over .then() chains
            - Check for consistent error handling patterns

> Note: You'll need a Claude API key for AI reviews. Add ANTHROPIC_API_KEY to your GitHub repository secrets.

---

Step 5: Concurrent Test Matrix

For projects that need cross-browser or cross-version testing:

  test-matrix:
    # Use the matrix value; a fixed ubuntu-latest would ignore the os axis.
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        node-version: [18, 20, 22]
        os: [ubuntu-latest, windows-latest]
        include:
          - node-version: 20
            os: macos-latest

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: "npm"

      - run: npm ci
      - run: npm test

---

Step 6: Deployment Pipeline

Connect CI to deployment with environment-specific gates:

  deploy-preview:
    runs-on: ubuntu-latest
    needs: [quality, security, dependencies]
    if: github.event_name == 'pull_request'

    steps:
      - uses: actions/checkout@v4

      - name: Deploy Preview to Vercel
        uses: amondnet/vercel-action@v25
        with:
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
          vercel-args: "--prebuilt"

  deploy-production:
    runs-on: ubuntu-latest
    # Depend on the checks directly: deploy-preview only runs on pull requests,
    # and a job that needs a skipped job is skipped as well.
    needs: [quality, security, dependencies]
    if: github.ref == 'refs/heads/main'

    steps:
      - uses: actions/checkout@v4

      - name: Deploy to Production
        uses: amondnet/vercel-action@v25
        with:
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
          vercel-args: "--prod --prebuilt"

---

Step 7: Performance Budget (For AI-Generated Code)

AI agents tend to produce larger bundle sizes. Add a performance budget:

  performance:
    runs-on: ubuntu-latest
    # The pipeline has no job named "build"; the build runs in the quality job.
    needs: quality

    steps:
      - uses: actions/checkout@v4

      - name: Build with stats
        run: ANALYZE=true npm run build

      - name: Check bundle size
        uses: wjordan/nextjs-bundle-analysis@v1
        with:
          budget:
            javascript: 300KB
            css: 50KB
            images: 100KB

      - name: Lighthouse check
        uses: treosh/lighthouse-ci-action@v10
        with:
          urls: |
            https://your-preview-url.vercel.app
          budgetPath: ./lighthouse-budget.json

---

Complete .github/workflows/ci.yml (Full Example)

Here's the complete pipeline you can copy into your project:

name: AI Project CI/CD

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

env:
  NODE_VERSION: "20"

jobs:
  quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"
      - run: npm ci
      - run: npm run lint
      - run: npx tsc --noEmit
      - run: npm test
      - run: npm run build
      - run: npm run format

  security:
    runs-on: ubuntu-latest
    permissions:
      # Unlisted permissions become none once any are listed, so keep
      # contents: read for checkout in private repositories.
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript, typescript
      - uses: github/codeql-action/analyze@v3
      - run: npm audit --audit-level=high

  deploy:
    runs-on: ubuntu-latest
    needs: [quality, security]
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Vercel
        run: npx vercel --prod --token=${{ secrets.VERCEL_TOKEN }}

---

Common AI Code CI Failures (And Fixes)

| Failure | Likely Cause | Fix |
|---------|-------------|-----|
| .tsx file doesn't compile | AI assumed JSX, but config needs XML | Add "jsx": "preserve" to tsconfig |
| ESLint reports 50+ errors | AI didn't follow project style | Run eslint --fix and commit the changes |
| Tests timeout | AI generated infinite loop | Set test timeout: test.setTimeout(10000) |
| Bundle size doubled | AI imported full lodash tree-shakable | Use lodash-es or tree-shakeable imports |
| Security alert: eval() | AI used eval for dynamic code | Replace with new Function() or safer pattern |

---

Pro Tips

1. Cache AI generated tests — Use actions/cache to store test fixtures
2. Add a lint fix step: npm run lint:fix before committing
3. Use concurrency groups for faster PR feedback
4. Add branch protection rules — Require CI passes before merge
5. Run CI on draft PRs too — Catch issues early

---

Checklist

- [ ] Basic CI pipeline (lint + type + test + build)
- [ ] Formatting check (Prettier)
- [ ] Security scanning (CodeQL + npm audit)
- [ ] Branch protection (require CI passes)
- [ ] Deployment automation (Vercel + Actions)
- [ ] Performance budget (bundle size limits)
- [ ] AI code review step

---

Related guides:

- How to Deploy a Next.js App to Vercel in 5 Minutes
- How to Review PRs with Claude Code
- Multi-Agent Coding Workflow Setup
