- Notifications
You must be signed in to change notification settings - Fork18
GitHub Actions CI/CD - Master Template & Reusable Workflows Library - Docker Builds, AWS, Python, Terraform, Jenkins, Linting, Security Scanning, Make Builds etc.
License
HariSekhon/GitHub-Actions
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
GitHub Actions master template & GitHub Actions Reusable Workflows library.
- main.yaml - GitHub Actions master workflow template
- .github/workflows/ - GitHub Actions Reusable Workflows Library
SeeDocumentation for how to call these workflows directly from your own GitHub Actions workflow.
Fork this repo to have full control over all updates via Pull Requests.Create environment branches to stage updates across dev / staging / production.
Forked fromHariSekhon/Templates, for which this is now a submodule.
To see GitHub Contexts available, including undocumented fields, seeHariSekhon/GitHub-Actions-Contexts.
In your GitHub repo, import these workflows by adding small yaml files to the.github/workflows/ directory.
These are slightly simplified for clarify, see the.github/workflows/README.md for afew more details like only running when relevant files have changed.
- Lint YAML
- Lint JSON
- Lint XML
- Lint Bash / Shell Scripts
- Lint Python
- Lint README / Markdown documentation
- Lint GitHub CODEOWNERS
- Security - Scan for Secrets and issues
- Analyze your Terraform code security & best practices
- Terraform Plan & Apply
- Lint Ansible Playbooks
- Lint Packer HCL
- Lint Redhat Kickstart
- Lint Debian Preseed
- Lint Ubuntu AutoInstaller Cloud Init
- Lint Jenkinsfiles
- Lint Groovy
- Lint Javascript
- Docker Build and push to DockerHub
- Docker Build and push to AWS ECR
- Docker Build and push to multiple registries
- Check for Broken URL Links
- Auto-Merge Production hotfixes back to Staging
- Mirror Repos to GitLab for DR Backups
- AWS CodeArtifact - Publish a Python Package
- Kubernetes - Pluto - Check for Outdated APIs
- Kubernetes - Polaris - Security & Best Practices Check
- Production
- Star History
- More Core Repos
Finds all YAML in your repo and lints it.
Copy this into.github/workflows/yaml.yaml:
on:[push]jobs:check_yaml:uses:HariSekhon/GitHub-Actions/.github/workflows/yaml.yaml@master
Finds all JSON in your repo and lints it.
Copy this into.github/workflows/json.yaml:
on:[push]jobs:check_json:uses:HariSekhon/GitHub-Actions/.github/workflows/json.yaml@master
Finds all XML in your repo and lints it.
Copy this into.github/workflows/xml.yaml:
on:[push]jobs:check_xml:uses:HariSekhon/GitHub-Actions/.github/workflows/xml.yaml@master
Finds all*.sh scripts in your repo and lints them.
Copy this into.github/workflows/shellcheck.yaml:
on:[push]jobs:shellcheck:uses:HariSekhon/GitHub-Actions/.github/workflows/shellcheck.yaml@master
Finds all*.py code in your repo and lints it.
Copy this into.github/workflows/pylint.yaml:
on:[push]jobs:pylint:uses:HariSekhon/GitHub-Actions/.github/workflows/pylint.yaml@master
Finds all*.py code in your repo and lints it.
Copy this into.github/workflows/flake8.yaml:
on:[push]jobs:flake8:uses:HariSekhon/GitHub-Actions/.github/workflows/flake8.yaml@master
Finds all markdown files in your repo and lints them.
Copy this into.github/workflows/markdown.yaml:
on:[push]jobs:check_markdown:uses:HariSekhon/GitHub-Actions/.github/workflows/markdown.yaml@master
Lints the GitHubCODEOWNERS /.github/CODEOWNERS files.
Copy this into.github/workflows/codeowners.yaml:
on:[push]jobs:check_codeowners:uses:HariSekhon/GitHub-Actions/.github/workflows/codeowners.yaml@master
on:[push]jobs:SonarCloud:name:SonarClouduses:HariSekhon/GitHub-Actions/.github/workflows/sonarcloud.yaml@mastersecrets:SONAR_TOKEN:${{ secrets.SONAR_TOKEN }}
Alerts for the above badge appears in the SonarCloud dashboard at:
The badge will go red only if failing to run and publish to SonarCloud, whether there are any alerts of not.You must check the dashboard.
Create.github/workflows/semgrep.yaml containing:
on:[push]jobs:semgrep:uses:HariSekhon/GitHub-Actions/.github/workflows/semgrep.yaml@master
Alerts for the above badge appear under the GitHub repo'sSecurity tab ->Code scanning alerts.
The badge will go red if there are any alerts.
Create.github/workflows/semgrep-cloud.yaml containing:
on:[push]jobs:semgrep:uses:HariSekhon/GitHub-Actions/.github/workflows/semgrep-cloud.yaml@mastersecrets:SEMGREP_APP_TOKEN:${{ secrets.SEMGREP_APP_TOKEN }}
Alerts for the above badge appears in the Semgrep dashboard at:
The badge will go red only if failing to run and publish to Semgrep Cloud, whether there are any alerts of not.You must check the dashboard.
Alerts for the above badge appear under the GitHub repo'sSecurity tab ->Code scanning alerts.
on:[push]jobs:trivy:uses:HariSekhon/GitHub-Actions/.github/workflows/trivy.yaml@master
Alerts for the above badge appear under the GitHub repo'sSecurity tab ->Code scanning alerts.
on: [push]jobs: trivy: uses: HariSekhon/GitHub-Actions/.github/workflows/trivy_image.yaml@master with: docker_image: harisekhon/bash-tools severity: ''
Alerts for the above badge appear under the GitHub repo'sSecurity tab ->Code scanning alerts.
on:[push]jobs:grype:uses:HariSekhon/GitHub-Actions/.github/workflows/grype.yaml@master
Alerts appear underSecurity ->Code scanning alerts.
Create.github/workflows/tfsec.yaml containing:
on:[push]jobs:tfsec:uses:HariSekhon/GitHub-Actions/.github/workflows/tfsec.yaml@master
Create.github/workflows/tflint.yaml containing:
on:[push]jobs:tfsec:uses:HariSekhon/GitHub-Actions/.github/workflows/tflint.yaml@master
Alerts appear underSecurity ->Code scanning alerts.
Create.github/workflows/checkov.yaml containing:
on:[push]jobs:checkov:uses:HariSekhon/GitHub-Actions/.github/workflows/checkov.yaml@master
Plans - updates Pull Requests with the results of validation, format check and full Change Plan outputs
Apply - applies when merged to default branch, eg.master ormain
on:[push, pull_request]jobs:terraform:uses:HariSekhon/GitHub-Actions/.github/workflows/terraform.yaml@masterwith:dir:path/to/terraform/codesecrets:...
For more sophisticated examples including approvals, secrets, branch and path selection etc. see myTerraform repo's templates forterraform-plan.yaml andterraform-apply.yaml
Finds all Ansibleplaybook.y*ml in your repo and lints them.
Copy this into.github/workflows/ansible-playbook-syntax.yaml:
on:[push]jobs:check_ansible_playbook_syntax:uses:HariSekhon/GitHub-Actions/.github/workflows/ansible-playbook-syntax.yaml@master
Finds all*.pkr.hcl Packer code in your repo and lints them.
Copy this into.github/workflows/packer.yaml:
on:[push]jobs:check_packer_hcl:uses:HariSekhon/GitHub-Actions/.github/workflows/packer.yaml@master
Lints Redhat Kickstart automated installer files.
Copy this into.github/workflows/kickstart.yaml:
on:[push]jobs:check_kickstart:uses:HariSekhon/GitHub-Actions/.github/workflows/kickstart.yaml@masterwith:files:installers/anaconda-ks.cfg
Lints Debian Preseed automated installer files.
Copy this into.github/workflows/preseed.yaml:
on:[push]jobs:check_preseed:uses:HariSekhon/GitHub-Actions/.github/workflows/preseed.yaml@masterwith:files:installers/preseed.cfg
Lints Ubuntu AutoInstaller Cloud Init automated installer files.
Copy this into.github/workflows/autoinstall-user-data.yaml:
on:[push]jobs:check_cloudinit:uses:HariSekhon/GitHub-Actions/.github/workflows/autoinstall-user-data.yaml@masterwith:files:installers/autoinstall-user-data
Finds all files namedJenkinsfile in the repo and lints them using a live Jenkins in docker.
Create.github/workflows/jenkinsfile.yaml:
on:[push]jobs:jenkinsfile:uses:HariSekhon/GitHub-Actions/.github/workflows/jenkinsfile.yaml@master
Finds all Groovy files named*.groovy in the repo and lints them usinggroovyc.
This is a basic check but good for a Jenkins Groovy Shared Library.
Create.github/workflows/groovyc.yaml:
on:[push]jobs:check_groovyc:uses:HariSekhon/GitHub-Actions/.github/workflows/groovyc.yaml@master
Finds all Javascript files named*.js in the repo and lints them usingeslint.
Create.github/workflows/eslint.yaml:
on:[push]jobs:check_eslint:uses:HariSekhon/GitHub-Actions/.github/workflows/eslint.yaml@master
Create.github/workflows/dockerhub_build.yaml:
on:[push]jobs:docker_build:uses:HariSekhon/GitHub-Actions/.github/workflows/dockerhub_build.yaml@masterwith:repo:user/repo# your DockerHub user/repotags:latest v1.1secrets:DOCKERHUB_USER:${{ secrets.DOCKERHUB_USER }}DOCKERHUB_TOKEN:${{ secrets.DOCKERHUB_TOKEN }}
Create.github/workflows/docker_build_aws_ecr.yaml:
on:[push]jobs:docker_build:uses:HariSekhon/GitHub-Actions/.github/workflows/docker_build_aws_ecr.yaml@masterwith:repo:MY_ECR_REPOsecrets:AWS_ACCESS_KEY_ID:${{ secrets.AWS_ACCESS_KEY_ID }}AWS_SECRET_ACCESS_KEY:${{ secrets.AWS_SECRET_ACCESS_KEY }}AWS_DEFAULT_REGION:${{ secrets.AWS_DEFAULT_REGION }}
Creates several useful tags, supports multi-stage build caching, seeREADME for details.
Supports building + pushing to any combination of the following, just add the relevant secrets, seedocker_build.yaml for details:
- ACR - Azure Container Registry
- ECR - AWS Elastic Container Registry
- GCR - Google Container Registry
- GAR - Google Artifact Registry
- GHCR - GitHub Container Registry
- GitLab Registry
- Quay.io Registry
- DockerHub
Create.github/workflows/docker_build.yaml:
on:[push]jobs:docker_build:uses:HariSekhon/GitHub-Actions/.github/workflows/docker_build.yaml@masterwith:repo_tags:| harisekhon/bash-tools:latest ghcr.io/harisekhon/bash-tools:latestcontext:devops-bash-tools-ubuntu# path to dir containing the source and Dockerfile# GHCR uses the local github.token, for other registries, add secrets, see docker_build.yaml for detailssecrets:DOCKERHUB_USER:${{ secrets.DOCKERHUB_USER }}DOCKERHUB_TOKEN:${{ secrets.DOCKERHUB_TOKEN }}
Create.github/workflows/url_links.yaml:
on:[push]jobs:url_links:uses:HariSekhon/GitHub-Actions/.github/workflows/url_links.yaml@master
SeeREADME for details on ignoring inaccessible / partially constructed links or those containing variables
Merges via a Pull Request for full auditing.
Create.github/workflows/merge_production_to_staging.yaml:
on:[push]jobs:merge:if:github.ref_name == 'production'uses:HariSekhon/GitHub-Actions/.github/workflows/merge-branch.yaml@masterwith:head:production# frombase:staging# to
Mirrors all/given GitHub repos to GitLab - including all branches and tags, and GitHub repo description
on:schedule:# mirror to GitLab hourly -cron:'0 0 * * *'jobs:gitlab_mirror:uses:HariSekhon/GitHub-Actions/.github/workflows/gitlab-mirror.yaml@masterwith:#organization: my-org # optional: mirror your company's repos instead of your personal repos#repos: repo1 repo2 ... # list of repos to mirror, space separated, rather than all repossecrets:GH_TOKEN:${{ secrets.GH_TOKEN }}GITLAB_TOKEN:${{ secrets.GITLAB_TOKEN }}
on:tags: -v*jobs:aws_codeartifact_python_publish:uses:HariSekhon/GitHub-Actions/.github/workflows/codeartifact_python_publish.yaml@masterwith:domain:mycompany# your AWS CodeArtifact service domain namerepo:mycompany-core# your CodeArtifact repo name#command: make publish_package # default. Can be any command using CODEARTIFACT_AUTH_TOKEN and CODEARTIFACT_REPO_URLsecrets:AWS_ACCESS_KEY_ID:${{ secrets.AWS_ACCESS_KEY_ID }}AWS_SECRET_ACCESS_KEY:${{ secrets.AWS_SECRET_ACCESS_KEY }}AWS_DEFAULT_REGION:${{ secrets.AWS_DEFAULT_REGION }}
Checks all Kubernetes YAML files for outdated API objects using Pluto.
Create.github/workflows/pluto.yaml:
on:[push]jobs:pluto:uses:HariSekhon/GitHub-Actions/.github/workflows/pluto.yaml@master
Checks all Kubernetes YAML files for security issues and best practices.
Polaris currently fails on very advanced patches such as found in myKubernetes-configs repo.
Create.github/workflows/polaris.yaml:
on:[push]jobs:polaris:uses:HariSekhon/GitHub-Actions/.github/workflows/polaris.yaml@master
Import the reusable workflows from this repo as shown above, replacing@master with@<hashref> to fix to an immutable version (tags are not immutable). This isGitHub Actions Security Best Practice.
Fork this repo for more control and visibility over all updates.
Enable thefork-sync github actions workflow in your fork to keep the master branch sync'd every few hours.
You can then create tags or environment branches in your forked repo to stage updates across dev/staging/production.
If using environment branches enable thefork-update-pr github actions workflow to automatically raise GitHub Pull Requests from master to your environment branches to audit, authorize & control updates.
Copy.github/workflows to a private repo. Not recommended as it's the most manual legacy approach.
You will be responsible for committing and reconciling any divergences in your local copies.
The rest of my original source repos arehere.
Pre-built Docker images are available on myDockerHub.
About
GitHub Actions CI/CD - Master Template & Reusable Workflows Library - Docker Builds, AWS, Python, Terraform, Jenkins, Linting, Security Scanning, Make Builds etc.
Topics
Resources
License
Uh oh!
There was an error while loading.Please reload this page.
Stars
Watchers
Forks
Uh oh!
There was an error while loading.Please reload this page.