2025

Migrating a 5,000-server fleet to GitHub Actions

Tier-1 retail brokerage replaced legacy Harness CI/CD with GitHub Actions across 5,000+ Linux/Windows servers — reusable workflow library, OIDC-federated runners, security gates as required checks.

Tags: GitHub Actions, OIDC, Trivy, Semgrep, Cosign, Ansible, SaltStack

Context

A Tier-1 retail brokerage’s transaction posting systems ran on a fleet of 5,000+ Linux (RHEL) and Windows servers. CI/CD was a patchwork of Harness, Jenkins jobs, and bespoke shell scripts. Security gates were inconsistent, onboarding new repos took weeks, and there was no audit trail tying deployments back to specific commits or approvers.

Problem

  • Harness license costs and operational overhead were rising
  • No reusable pipeline patterns — each team reinvented build, test, scan, deploy
  • Static service-principal credentials sprayed across runners
  • Security gates (SAST, image signing) were optional and inconsistently applied

Approach

Org-wide governance framework on GitHub Actions:

  • Reusable workflow library — workflow_call workflows for build, scan, sign, push, deploy. Composite actions as a shared pipeline toolbox.
  • OIDC-federated runners — eliminated long-lived AWS / Azure credentials. Every workflow assumes role via OIDC.
  • Required status checks — Trivy, Semgrep, Gitleaks, Grype, image signing (Cosign / Sigstore) enforced as required checks across dev → staging → prod. No bypass without an approved exception.
  • Environment protection rules — required reviewers, deployment branch restrictions, secrets scoped per-environment.
  • Privileged access — eliminated standing privileged access on the server fleet. Linux sudo controls and Windows JEA / DSC pipelines enforced via Ansible and SaltStack. Windows endpoints managed through AD / Entra ID group policy.
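The reusable-workflow, OIDC and required-check pattern above, as an added illustration rather than the brokerage's own workflow library. It assumes a container build pushed to GHCR, an AWS role trusted for GitHub OIDC (the role ARN, region and image name are placeholders), and keyless Cosign signing; action version tags are the public ones and should be pinned to full commit SHAs in a real fleet.

```yaml
# .github/workflows/build-scan-sign.yml  (reusable; app repos call it with `uses:`)
# Added example, not the case study's code. Placeholders: role ARN, region, image name.
name: build-scan-sign

on:
  workflow_call:
    inputs:
      image:
        description: "Image name without tag, e.g. ghcr.io/ORG/app (placeholder)"
        required: true
        type: string
    # No cloud secrets are declared: the cloud session comes from OIDC below.

permissions:
  contents: read
  packages: write
  id-token: write   # lets the job request a GitHub OIDC token instead of using a stored key

jobs:
  build-scan-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # OIDC federation: a short-lived AWS session, no long-lived access key in repo secrets.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy   # placeholder
          aws-region: us-east-1                                       # placeholder

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ inputs.image }}:${{ github.sha }}

      # Gate: a HIGH/CRITICAL finding fails this job; when the job is configured as a
      # required status check, the PR cannot merge and no deploy job runs downstream.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image }}@${{ steps.build.outputs.digest }}
          exit-code: "1"
          severity: HIGH,CRITICAL
          ignore-unfixed: true

      # Keyless signing: the signature is bound to this workflow's OIDC identity and
      # logged in Rekor. Sign the immutable digest, never the mutable tag.
      - uses: sigstore/cosign-installer@v3
      - run: cosign sign --yes "${{ inputs.image }}@${{ steps.build.outputs.digest }}"
```

A calling repo references it as `uses: ORG/REPO/.github/workflows/build-scan-sign.yml@main` (placeholder path) and the `build-scan-sign` job name is what branch protection lists as the required check.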

Outcome

  • Migration completed for 5,000+ servers with zero release outages
  • Onboarding a new repo to full CI/CD with security gates: from weeks to hours
  • 100% of deployments traceable to commit, approver, and policy version
  • Standing privileged access on the fleet: eliminated

Stack

GitHub Actions, OIDC, Ansible, SaltStack, Trivy, Semgrep, Gitleaks, Grype, Cosign / Sigstore, CyberArk PAM, Venafi, HashiCorp Vault, Splunk, Active Directory / Entra ID.