{"id":37563862,"url":"https://github.com/dfds/shared-workflows","last_synced_at":"2026-05-27T14:04:09.567Z","repository":{"id":161433289,"uuid":"635926210","full_name":"dfds/shared-workflows","owner":"dfds","description":"Repository for shared github workflows","archived":false,"fork":false,"pushed_at":"2026-05-12T11:16:09.000Z","size":253,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2026-05-12T11:37:16.651Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dfds.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-03T18:54:03.000Z","updated_at":"2026-05-12T10:49:30.000Z","dependencies_parsed_at":"2024-06-17T14:34:03.901Z","dependency_job_id":"0241af60-d6c6-4a33-8b24-83728432ea40","html_url":"https://github.com/dfds/shared-workflows","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/dfds/shared-workflows","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfds%2Fshared-workflows","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfds%2Fshared-workflows/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfds%2Fshared-workflows/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/dfds%2Fshared-workflows/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dfds","download_url":"https://codeload.github.com/dfds/shared-workflows/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfds%2Fshared-workflows/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33568862,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-16T09:11:52.067Z","updated_at":"2026-05-27T14:04:09.562Z","avatar_url":"https://github.com/dfds.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Shared workflows and actions\n\nA repository for shared github workflows and actions, best practice for new and existing repositories. We welcome contributions. 
See [Contributing](docs/CONTRIBUTING.md) to get started.\n\nShared workflows and actions:\n- [Automation](#automation)\n\t- workflows\n\t\t- [Auto release](#auto-release)\n\t\t- [Build lambda and upload to S3](#build-lambda-and-upload-to-s3)\n\t\t- [Enforce PR labels](#enforce-pr-labels)\n\t\t- [Golang test suite](#golang-test-suite)\n\t\t- [Housekeeping](#housekeeping)\n\t\t- [Integration test build](#integration-test-build)\n\t\t- [Multi architecture docker build](#multi-architecture-docker-build)\n\t\t- [Block on-hold PRs](#block-on-hold-prs)\n\t\t- [Add comment from PR template on Renovate pull requests](#add-comment-from-pr-template-on-renovate-pull-requests)\n\t- actions\n\t\t- [Slack Notifier](#slack-notifier)\n- [Compliance](#compliance)\n\t- actions\n\t\t- [Checkov Github Actions Step](#checkov-github-actions-step)\n- [Security](#security)\n\t- workflows\n\t\t- [Gitleaks](#gitleaks)\n\t\t- [Run Trivy IAC with Quality Gate](#run-trivy-iac-with-quality-gate)\n\n## Automation\n\n### Auto release\n\n_This is a workflow_\n\nCreates a GitHub Release on push to master. Automatically tags the release and creates release notes from the git log. Change the semantic versioning by applying the labels **release:patch**, **release:minor**, or **release:major**. 
Works best in conjunction with [Enforce PR labels](https://github.com/dfds/shared-workflows#enforce-pr-labels).\n\n[Marketplace](https://github.com/marketplace/actions/tag-release-on-push-action)\n\nHow to invoke this workflow:\n\n```yaml\nname: Auto release\n\non:\n  push:\n    branches: [\"master\", \"main\"]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-auto-release.yml@master\n    # Note, make sure to use `secrets: inherit` if utilizing the organizational secret `GH_RELEASE`\n    # secrets: inherit\n\n    # In order to add prefix to the tag:\n    with:\n      tag_prefix: \"your_prefix\"\n\n```\n\n### Build lambda and upload to S3\n\n_This is a workflow_\n\nThis workflow builds lambda code and uploads the zip file to an S3 bucket. The instructions for building the zip package need to be specified in a Makefile. The workflow works with Go and Python lambdas.\n\nHow to invoke this workflow:\n\n```yaml\nname: Build lambda and upload to S3\n\non:\n  pull_request:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  build-and-upload-to-s3:\n    name: build-and-upload-to-s3\n    uses: dfds/shared-workflows/.github/workflows/automation-build-and-upload-to-s3.yml@master\n    with:\n      role-session-name: upload-crl-importer-lambda #Session name\n      working-directory: ./crl-importer-lambda #The working directory that includes the Makefile\n      lambda-package-name: crl-importer-lambda.zip #The lambda package name\n      s3-location: dfds-ce-shared-artifacts/iam-rolesanywhere-lambdas\n      go-version: \"1.20\" #Should be specified only for Go lambdas\n      cache-dependency-path: ./crl-importer-lambda/go.mod/go.sum #Should be specified only for Go lambdas\n      arguments: PACKAGE_NAME=${{ matrix.lambda-name }} #The arguments to be passed to make\n    secrets:\n      role-to-assume: ${{ secrets.ROLE_TO_ASSUME }} #Repository secret with the AWS role to be assumed\n\n```\n\n### Enforce PR labels\n\n_This is a workflow_\n\nEnforce 
assigning labels before merging PRs. Useful for governing the use of semantic versioning labels for [Auto release](https://github.com/dfds/shared-workflows#auto-release).\n\n[Marketplace](https://github.com/marketplace/actions/enforce-pr-labels)\n\nHow to invoke this workflow:\n\n```yaml\nname: Enforce PR labels\n\non:\n  pull_request:\n    types: [labeled, unlabeled, opened, edited, synchronize]\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-enforce-release-labels.yml@master\n```\n\n### Golang test suite\n\n_This is a workflow_\n\nStatus check that fails if a PR with Golang code fails its test suite.\n\nHow to invoke this workflow:\n\n```yaml\nname: Golang test suite\n\non:\n  pull_request:\n    branches: [ master, main ]\n    paths: [ '**.go', '**.mod', '**.sum' ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-golang-test-suite.yml@master\n\n```\n\n### Housekeeping\n\n_This is a workflow_\n\nSets repository settings to a standard that is used across the organization.\n\nHow to invoke this workflow:\n\n```yaml\nname: Housekeeping\n\non:\n  schedule:\n    - cron: \"0 6 * * *\"\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-housekeeping.yml@master\n    secrets: inherit\n    with:\n      # Optional, Enable delete head branch after merge\n      delete_head_branch: true\n      # Optional, Enable merging pull requests via squashed commit\n      squash_merge: true\n      # Optional, Enable branch protection on default branch\n      branch_protection: true\n      # Optional, Enable mandatory checking-labels status check on PRs\n      status_checks: true\n```\n\n### Integration test build\n\n_This is a workflow_\n\nBuilds a Go integration test binary and uploads it as an artifact. 
Designed for infrastructure integration tests that are compiled once and run against multiple environments.\n\nHow to invoke this workflow:\n\n```yaml\nname: Integration test build\n\non:\n  push:\n    branches: [master]\n\njobs:\n  build-test:\n    uses: dfds/shared-workflows/.github/workflows/automation-integration-test-build.yml@master\n    with:\n      test-source-path: test/integration/suite\n      repository: dfds/infrastructure-modules\n      ref: master\n      artifact-name: test-binary\n\n```\n\n### Multi architecture docker build\n\n_This is a workflow_\n\nAll-in-one package that builds, tests, beautifies and publishes a Docker image for multiple architectures. This workflow uses the [Auto release](#auto-release) workflow to create a GitHub Release on push to master. You have to add DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets to your repository to use this workflow. To use the Slack integration you will also have to add the SLACK_WEBHOOK secret.\n\nHow to invoke this workflow:\n\n```yaml\nname: Multi architecture docker build\n\non:\n  push:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-multi-build.yml@master\n    secrets: inherit\n    with:\n      # Required\n      image-repo: dfdsdk/repo-name\n\n      # Required, options: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64\n      os-archs: \"linux/amd64,linux/arm64,linux/arm/v7\"\n\n      # Optional, path to the test script to run inside the container\n      test-script-path: ./app/test.py\n      \n      # Optional, the command to run the test script inside the container\n      test-script-cmd: \"python test.py\"\n      \n      # Optional, the path to the readme file to use for the docker image\n      # It is recommended that if you do not have a specific file for the docker image,\n      # that you use the same readme as the repository\n      docker-readme-path: \"./DockerREADME.md\"\n\n      # Optional, sends a slack 
notification to the channel specified in the repository secrets\n      slack-notification: true\n\n      # Optional, the path to the Dockerfile you wish to build. Defaults to Dockerfile at the repository root.\n      docker-dockerfile-path: \"./path/to/Dockerfile\"\n```\n\n### Block on-hold PRs\n\n_This is a workflow_\n\nStatus check that fails if a PR is on hold. Works in conjunction with the `status_checks` option of [Housekeeping](https://github.com/dfds/shared-workflows#housekeeping).\n\nHow to invoke this workflow:\n\n```yaml\nname: Block on-hold PRs\n\non:\n  pull_request:\n    branches: [ master, main ]\n    types: [ opened, labeled, unlabeled, synchronize ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-on-hold-prs.yml@master\n\n```\n\n### Add comment from PR template on Renovate pull requests\n\n_This is a workflow_\n\nEnables using a PR template on pull requests generated by RenovateBot.\n\nHow to invoke this workflow:\n\n```yaml\nname: Add comment from PR template on Renovate pull requests\n\non:\n  pull_request:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/automation-renovate-pr-commenter.yml@master\n    with:\n      pr-template-filepath: .github/pull_request_template.md\n```\n\n### Slack Notifier\n\n_This is an action_\n\nSends alerts to a Slack channel. Create your webhook on our [Slack Bot here](https://api.slack.com/apps/A04U1JJRPT9/incoming-webhooks). 
Add the webhook as a secret in your repository with the key `SLACK_WEBHOOK`.\n\n[Marketplace](https://github.com/marketplace/actions/slack-notify)\n\nHow to invoke this action:\n\n```yaml\nname: Slack Notifier\n\non:\n  workflow_dispatch:\n\njobs:\n  slack-notifier:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Notify\n        if: failure()\n        uses: dfds/shared-workflows/.github/actions/automation-slack-notifier@master\n        with:\n          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}\n          slack_message: 'Hmm something is wrong'\n\n```\n\n## Compliance\n\n### Checkov Github Actions Step\n\n_This is an action_\n\nA GitHub Actions step that runs Checkov against a Terraform plan file. Policies are defined in the dfds/iac-terraform-policies repo.\n\nHow to invoke this action:\n\n```yaml\nname: Checkov Github Actions Step\n\non:\n  pull_request:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  run_tfplan_and_validate:\n    runs-on: ubuntu-latest\n    name: A job to call the shared workflow\n    steps:\n      - uses: actions/checkout@v3\n      - name: Terraform Plan and validate\n        run: |\n          cd terraform\n          terraform init\n          terraform plan -out tfplan\n          terraform show -json tfplan \u003e ../tfplan.json\n      - uses: dfds/shared-workflows/.github/actions/compliance-checkov-tfplan@master\n        with:\n          tf-policy-repo-token: ${{ secrets.GH_REPO_READ_IAC_TERRAFORM_POLICIES }}\n```\n\n## Security\n\n### Gitleaks\n\n_This is a workflow_\n\nGitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. You have to add the GITLEAKS_LICENSE secret to your repository; it does not work with organization secrets. 
The license key is stored in 1Password.\n\n[Marketplace](https://github.com/marketplace/actions/gitleaks)\n\nHow to invoke this workflow:\n\n```yaml\nname: Gitleaks\n\non:\n  pull_request:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/security-gitleaks.yml@master\n    secrets: inherit\n```\n\n### Run Trivy IAC with Quality Gate\n\n_This is a workflow_\n\nThis GitHub Action runs the Trivy IAC check and blocks if High or Critical issues are found.\n\n[Marketplace](https://github.com/marketplace/actions/run-trivy-iac-check)\n\nHow to invoke this workflow:\n\n```yaml\nname: Run Trivy IAC with Quality Gate\n\non:\n  push:\n    branches: [ \"master\", \"main\" ]\n  pull_request:\n    branches: [ \"master\", \"main\" ]\n\njobs:\n  shared:\n    uses: dfds/shared-workflows/.github/workflows/security-trivy-iac-check.yaml@master\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfds%2Fshared-workflows","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdfds%2Fshared-workflows","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfds%2Fshared-workflows/lists"}