{"id":50801210,"url":"https://github.com/azva-co/.github","last_synced_at":"2026-06-12T20:03:52.396Z","repository":{"id":362185441,"uuid":"1257052229","full_name":"azva-co/.github","owner":"azva-co","description":"Community health files — contributing guide, issue templates, PR template, code of conduct, security policy","archived":false,"fork":false,"pushed_at":"2026-06-12T09:14:00.000Z","size":22,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-12T10:09:54.256Z","etag":null,"topics":["community-health","contributing","github","templates"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/azva-co.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-02T10:16:28.000Z","updated_at":"2026-06-12T09:14:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/azva-co/.github","commit_stats":null,"previous_names":["teerakarna/.github","azva-co/.github"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/azva-co/.github","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azva-co%2F.github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azva-co%2F.github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azva-co%2F.github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azva-co%2F.github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/azva-co","download_url":"https://codeload.github.com/azva-co/.github/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/azva-co%2F.github/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34260319,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["community-health","contributing","github","templates"],"created_at":"2026-06-12T20:03:51.431Z","updated_at":"2026-06-12T20:03:52.387Z","avatar_url":"https://github.com/azva-co.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# .github\n\nShared GitHub Actions reusable workflows, composite actions, and starter\nworkflow templates for [`azva-co`](https://github.com/azva-co) repositories.\n\n\u003e The org landing page lives in [`profile/README.md`](profile/README.md). This file\n\u003e is the developer reference for what's reusable here.\n\n## Reusable workflows\n\nCall from any repo with `uses: azva-co/.github/.github/workflows/\u003cname\u003e@main`\n(the double `.github` is correct — the workflows live in the `.github/` subdirectory\nof the repo named `.github`).\n\n### `build-sign-image.yml`\n\nBuild a container image, Trivy-scan it as a blocking gate, push multi-arch, sign\nkeylessly with cosign, attach a CycloneDX SBOM, and attest SLSA build provenance.\nAll signing is keyless (Sigstore/Rekor) — no key management.\n\n| Input | Default | Description |\n|---|---|---|\n| `image` (required) | — | Image name without registry prefix (e.g. `azva-co/python`) |\n| `registry` | `ghcr.io` | Target registry |\n| `context` | `.` | Build context path |\n| `dockerfile` | `Dockerfile` | Dockerfile path relative to context |\n| `push` | `false` | Push to registry (set `false` on PRs) |\n| `platforms` | `linux/amd64,linux/arm64` | Build platforms for the pushed image |\n| `date-tag` | `true` | Also tag the push with `YYYYMMDD` for reproducible pinning |\n| `upload-sarif` | `false` | Publish Trivy findings to code scanning (free on public repos) |\n| `base-registry` | `cgr.dev` | `ARG REGISTRY` prefix for base images (air-gap override) |\n| `trivy-db-repository` | `ghcr.io/aquasecurity/trivy-db` | Trivy DB OCI repo (air-gap override) |\n| `version` | git ref name | Image version label |\n| `build-args` | `''` | Extra `KEY=VALUE` build args (newline-separated) — e.g. an upstream tool version |\n| `extra-tags` | `''` | Additional image tags (e.g. an app version) alongside latest/sha/date |\n\nSecret: `COSIGN_KEY` (optional — omit for keyless). Output: `digest`.\n\nMatrix example (one call per image):\n\n```yaml\njobs:\n  build:\n    strategy:\n      matrix:\n        image: [python, java, go, node]\n    uses: azva-co/.github/.github/workflows/build-sign-image.yml@main\n    with:\n      image: ${{ github.repository_owner }}/${{ matrix.image }}\n      context: ${{ matrix.image }}\n      push: ${{ github.event_name != 'pull_request' }}\n      upload-sarif: true\n    permissions:\n      contents: read\n      packages: write\n      id-token: write\n      security-events: write\n      attestations: write\n    secrets: inherit\n```\n\nVerify a published image:\n\n```bash\n# cosign keyless signature\ncosign verify \\\n  --certificate-identity-regexp 'https://github.com/azva-co/.github/.github/workflows/build-sign-image.yml@.*' \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com \\\n  ghcr.io/azva-co/\u003cimage\u003e:latest\n\n# GitHub-native build provenance\ngh attestation verify oci://ghcr.io/azva-co/\u003cimage\u003e:latest --owner azva-co\n```\n\n### `trivy-scan.yml`\n\nStandalone Trivy scan for `fs`, `config`, `image`, or `repo` targets. Used by repos\nthat need scanning without a build (IaC, source trees, existing images).\n\n## Composite actions\n\n| Action | Purpose |\n|---|---|\n| [`wiremock`](.github/actions/wiremock/action.yml) | Start WireMock in the background for integration tests (stub/proxy/collect modes) |\n\n## Starter workflows\n\n`workflow-templates/` surfaces suggested workflows in the Actions UI of every repo\n(\"New workflow\" → \"By azva-co\"). Currently: **Build \u0026 sign container image**.\n\n## Conventions\n\n- **`@main` is a live release channel.** Every consumer at `@main` picks up changes on\n  its next run — there is no staging buffer. Keep changes additive (new optional inputs),\n  and rely on the `actionlint` CI-for-CI check below before merging.\n- **Actions are pinned to full commit SHAs** with a `# vX` comment. [Renovate](renovate.json)\n  keeps the pins current. This is what makes the repo safe to enable\n  `sha_pinning_required` and an `allowed_actions` allowlist on.\n- **CI-for-CI:** [`actionlint.yml`](.github/workflows/actionlint.yml) lints all workflows\n  and composite actions on every change.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazva-co%2F.github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fazva-co%2F.github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fazva-co%2F.github/lists"}