/GitHub-Actions

GitHub Actions CI/CD - Master Template & Reusable Workflows Library - Docker Builds, AWS, Python, Terraform, Jenkins, Linting, Security Scanning, Make Builds etc.

Primary LanguageShellMIT LicenseMIT

GitHub Actions

GitHub stars GitHub forks Lines of Code License My LinkedIn GitHub Last Commit

CI Builds Overview YAML Markdown Lint Validation Grype Kics Semgrep Semgrep Cloud URL Links Trivy

Repo on GitHub Repo on GitLab Repo on Azure DevOps Repo on BitBucket

GitHub Actions master template & GitHub Actions Reusable Workflows library.

See Documentation for how to call these workflows directly from your own GitHub Actions workflow.

Fork this repo to have full control over all updates via Pull Requests. Create environment branches to stage updates across dev/staging/production.

Forked from HariSekhon/Templates, for which this is now a submodule.

To see GitHub Contexts available, including undocumented fields, see HariSekhon/GitHub-Actions-Contexts.

Examples

In your GitHub repo, import these workflows by adding small yaml files to the .github/workflows/ directory.

Scan for Secrets and Security issues

Semgrep Alerts appear under the GitHub repo's Security tab -> Code scanning alerts.

Semgrep Cloud Alerts appear in the https://semgrep.dev dashboard

Create .github/workflows/semgrep.yaml for local repo alerts:

on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep.yaml@master

or .github/workflows/semgrep-cloud.yaml for https://semgrep.dev alerts:

on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep-cloud.yaml@master
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

Analyze your Terraform code security & best practices

tfsec Alerts appear under Security -> Code scanning alerts.

Create .github/workflows/tfsec.yaml:

on: [push]
jobs:
  tfsec:
    uses: HariSekhon/GitHub-Actions/.github/workflows/tfsec.yaml@master

Terraform Plan & Apply

Plans - updates Pull Requests with the results of validation, format check and full Change Plan outputs

Apply - applies when merged to default branch, eg. master or main

on: [push, pull_request]
jobs:
  terraform:
    uses: HariSekhon/GitHub-Actions/.github/workflows/terraform.yaml@master
    with:
      dir: path/to/terraform/code
    secrets:
      ...

For more sophisticated examples including approvals, secrets, branch and path selection etc. see my Terraform repo's templates for terraform-plan.yaml and terraform-apply.yaml

Docker Build and push to DockerHub

Docker Build DevOps Bash Tools (Ubuntu)

Create .github/workflows/dockerhub_build.yaml:

on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/dockerhub_build.yaml@master
    with:
      repo: user/repo  # your DockerHub user/repo
      tags: latest v1.1
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

Docker Build and push to AWS ECR

Create .github/workflows/docker_build_aws_ecr.yaml:

on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build_aws_ecr.yaml@master
    with:
      repo: MY_ECR_REPO
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

Creates several useful tags, supports multi-stage build caching, see README for details.

Check for Broken URL Links

URL Links

Create .github/workflows/url_links.yaml:

on: [push]
jobs:
  url_links:
    uses: HariSekhon/GitHub-Actions/.github/workflows/url_links.yaml@master

See README for details on ignoring inaccessible / partially constructed links or those containing variables

Auto-Merge Production hotfixes back to Staging

Merges via a Pull Request for full auditing.

Create .github/workflows/merge_production_to_staging.yaml:

on: [push]
jobs:
  merge:
    if: github.ref_name == 'production'
    uses: HariSekhon/GitHub-Actions/.github/workflows/merge-branch.yaml@master
    with:
      head: production  # from
      base: staging     # to

Mirror Repos to GitLab for DR Backups

Mirrors all/given GitHub repos to GitLab - including all branches and tags, and GitHub repo description

on:
  schedule:
    # mirror to GitLab hourly
    - cron: '0 0 * * *'

jobs:
  gitlab_mirror:
    uses: HariSekhon/GitHub-Actions/.github/workflows/gitlab-mirror.yaml@master
    with:
      #organization: my-org    # optional: mirror your company's repos instead of your personal repos
      #repos: repo1 repo2 ...  # list of repos to mirror, space separated, rather than all repos
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}

AWS CodeArtifact - Publish a Python Package

on:
  tags:
    - v*

jobs:
  aws_codeartifact_python_publish:
    uses: HariSekhon/GitHub-Actions/.github/workflows/codeartifact_python_publish.yaml@master
    with:
      domain: mycompany     # your AWS CodeArtifact service domain name
      repo: mycompany-core  # your CodeArtifact repo name
      #command: make publish_package  # default. Can be any command using CODEARTIFACT_AUTH_TOKEN and CODEARTIFACT_REPO_URL
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

Production

Option 1 - Hashref

Import the reusable workflows from this repo as shown above, replacing @master with @<hashref> to fix to an immutable version (tags are not immutable). This is GitHub Actions Security Best Practice.

Option 2 - Public Fork (fully automated)

Fork this repo for more control and visibility over all updates.

Enable the fork-sync github actions workflow in your fork to keep the master branch sync'd every few hours.

You can then create tags or environment branches in your forked repo to stage updates across dev/staging/production.

If using environment branches enable the fork-update-pr github actions workflow to automatically raise GitHub Pull Requests from master to your environment branches to audit, authorize & control updates.

Option 3 - Private Copy (manual)

Copy .github/workflows to a private repo. Not recommended as it's the most manual legacy approach.

You will be responsible for committing and reconciling any divergences in your local copies.

Star History

Star History Chart

More Core Repos

Knowledge

Readme Card Readme Card

DevOps Code

Readme Card Readme Card Readme Card Readme Card

Containerization

Readme Card Readme Card

CI/CD

Readme Card Readme Card

DBA - SQL

Readme Card

DevOps Reloaded

Readme Card Readme Card Readme Card Readme Card Readme Card

Templates

Readme Card Readme Card

Misc

Readme Card Readme Card

The rest of my original source repos are here.

Pre-built Docker images are available on my DockerHub.