{"id":31849150,"url":"https://github.com/fluxcd/gha-workflows","last_synced_at":"2026-03-09T19:02:09.051Z","repository":{"id":315047037,"uuid":"1057844909","full_name":"fluxcd/gha-workflows","owner":"fluxcd","description":"Reusable GitHub Actions Workflows for the Flux project CI","archived":false,"fork":false,"pushed_at":"2026-03-06T07:56:11.000Z","size":78,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-06T11:59:38.034Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fluxcd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-16T09:29:24.000Z","updated_at":"2026-03-06T07:56:13.000Z","dependencies_parsed_at":"2025-09-16T12:51:03.875Z","dependency_job_id":null,"html_url":"https://github.com/fluxcd/gha-workflows","commit_stats":null,"previous_names":["fluxcd/gha-workflows"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/fluxcd/gha-workflows","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluxcd%2Fgha-workflows","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluxcd%2Fgha-workflows/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluxcd%2Fgha-workflows/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluxcd%2Fgha-wo
rkflows/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fluxcd","download_url":"https://codeload.github.com/fluxcd/gha-workflows/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fluxcd%2Fgha-workflows/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30265295,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T14:54:00.943Z","status":"ssl_error","status_checked_at":"2026-03-08T14:53:54.486Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-12T10:56:51.138Z","updated_at":"2026-03-09T19:02:09.046Z","avatar_url":"https://github.com/fluxcd.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# gha-workflows\n\n[![license](https://img.shields.io/github/license/fluxcd/gha-workflows.svg)](https://github.com/fluxcd/gha-workflows/blob/main/LICENSE)\n[![release](https://img.shields.io/github/release/fluxcd/gha-workflows/all.svg)](https://github.com/fluxcd/gha-workflows/releases)\n\nThis repository contains reusable GitHub Workflows and Composite Actions shared across the Flux controller repositories.\n\n## Workflows\n\n### Release Flux controller\n\nThe [controller-release](.github/workflows/controller-release.yaml) workflow automates the 
release of\nFlux controllers by performing the following steps:\n\n- Builds multi-arch images for `linux/amd64`, `linux/arm64` and `linux/arm/v7` with Docker.\n- Generates SBOMs for each architecture with Syft.\n- Pushes the images to `ghcr.io/fluxcd` and `docker.io/fluxcd`.\n- Signs the images with Cosign and GitHub OIDC.\n- Creates a GitHub Release with GoReleaser.\n- Outputs metadata for SLSA attestations.\n\nExample usage:\n\n```yaml\nname: release\non:\n  push:\n    tags: [ 'v*' ]\n  workflow_dispatch:\n    inputs:\n      tag:\n        description: 'image tag prefix'\n        default: 'rc'\n        required: false\njobs:\n  release:\n    permissions:\n      contents: write # for creating the GitHub release.\n      id-token: write # for creating OIDC tokens for signing.\n      packages: write # for pushing and signing container images.\n    uses: fluxcd/gha-workflows/.github/workflows/controller-release.yaml@vX.Y.Z\n    with:\n      controller: ${{ github.event.repository.name }}\n      release-candidate-prefix: ${{ github.event.inputs.tag }}\n    secrets:\n      github-token: ${{ secrets.GITHUB_TOKEN }}\n      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n3rd-party actions used:\n\n- [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action)\n- [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action)\n- [docker/login-action](https://github.com/docker/login-action)\n- [docker/metadata-action](https://github.com/docker/metadata-action)\n- [docker/build-push-action](https://github.com/docker/build-push-action)\n- [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)\n- [anchore/sbom-action](https://github.com/anchore/sbom-action)\n- [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action)\n\nOutputs:\n\n- `release-digests`: Release artifacts digests compatible with SLSA\n- `image-name`: Published container image name (without the registry)\n- `image-digest`: Published container 
image digest\n\n### Backport to Release Branches\n\nThe [backport](.github/workflows/backport.yaml) workflow automates the backporting of merged pull\nrequests to release branches based on labels in the format `backport:release/semver`\n(e.g. `backport:release/v2.0.x`).\n\nExample usage:\n\n```yaml\nname: backport\non:\n  pull_request_target:\n    types: [closed, labeled]\njobs:\n  backport:\n    permissions:\n      contents: write # for reading and creating branches.\n      pull-requests: write # for creating pull requests against release branches.\n    uses: fluxcd/gha-workflows/.github/workflows/backport.yaml@vX.Y.Z\n    secrets:\n      github-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n3rd-party actions used:\n\n- [korthout/backport-action](https://github.com/korthout/backport-action)\n\n### Code Scanning and License Validation\n\nThe [code-scan](.github/workflows/code-scan.yaml) workflow analyzes the code for security vulnerabilities\nusing [CodeQL](https://codeql.github.com/) and validates the licenses of the dependencies\nusing [FOSSA](https://fossa.com/).\n\nExample usage:\n\n```yaml\nname: code-scan\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\njobs:\n  analyze:\n    permissions:\n      contents: read # for reading the repository code.\n      security-events: write # for uploading the CodeQL analysis results.\n    uses: fluxcd/gha-workflows/.github/workflows/code-scan.yaml@vX.Y.Z\n    secrets:\n      github-token: ${{ secrets.GITHUB_TOKEN }}\n      fossa-token: ${{ secrets.FOSSA_TOKEN }}\n```\n\nThe CodeQL analysis uploads the results to GitHub Code Scanning Alerts,\nand the FOSSA analysis uploads the results to the FOSSA dashboard.\n\n3rd-party actions used:\n\n- [fossas/fossa-action](https://github.com/fossas/fossa-action)\n\n### Update fluxcd/pkg Dependencies\n\nThe [upgrade-fluxcd-pkg](.github/workflows/upgrade-fluxcd-pkg.yaml) workflow automates updating `fluxcd/pkg` module\ndependencies in Flux controller repositories 
by performing the following steps:\n\n- Checks out the caller repository and `fluxcd/pkg` at the `main` branch.\n- Builds and runs the `flux-tools bump` command to update `go.mod` with the latest `fluxcd/pkg` module versions.\n- Runs `make tidy` to tidy Go modules (non-blocking — a failure is noted in the PR body).\n- Opens a pull request with the dependency changes.\n\nInputs:\n\n- `pre-release-pkg` (boolean, default `false`): Temporary flag for Flux 2.8 — uses the `flux/v2.8.x` pkg\n  branch for main branches because the pkg release branch was cut before the Flux distribution release.\n  Remove this input once Flux 2.8.0 is released.\n\nExample usage:\n\n```yaml\nname: upgrade-fluxcd-pkg\n\non:\n  workflow_dispatch:\n    inputs:\n      pre-release-pkg:\n        description: \u003e-\n          Temporary flag for Flux 2.8: use the flux/v2.8.x pkg branch for main branches\n          because the pkg release branch was cut before the Flux distribution release.\n          Remove this input once Flux 2.8.0 is released.\n        required: false\n        default: false\n        type: boolean\n\njobs:\n  upgrade-fluxcd-pkg:\n    uses: fluxcd/gha-workflows/.github/workflows/upgrade-fluxcd-pkg.yaml@vX.Y.Z\n    with:\n      pre-release-pkg: ${{ inputs.pre-release-pkg }}\n    secrets:\n      github-token: ${{ secrets.BOT_GITHUB_TOKEN }}\n```\n\n3rd-party actions used:\n\n- [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request)\n\n### Sync Repository Labels\n\nThe [labels-sync](.github/workflows/labels-sync.yaml) workflow synchronizes the\n[standard](https://github.com/fluxcd/community/blob/main/.github/standard-labels.yaml)\nand custom labels to the current repository.\n\nExample usage:\n\n```yaml\nname: sync-labels\non:\n  workflow_dispatch:\n  push:\n    branches: [ main ]\n    paths:\n      - .github/labels.yaml\njobs:\n  sync-labels:\n    permissions:\n      contents: read # for reading the labels file.\n      issues: write # for creating and 
updating labels.\n    uses: fluxcd/gha-workflows/.github/workflows/labels-sync.yaml@vX.Y.Z\n    with:\n      labels-file: .github/labels.yaml\n    secrets:\n      github-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n3rd-party actions used:\n\n- [EndBug/label-sync](https://github.com/EndBug/label-sync)\n\n## Composite Actions\n\n### Setup Kubernetes\n\nThe [setup-kubernetes](.github/actions/setup-kubernetes/action.yml) composite action configures\nthe GitHub runner to build and test Flux controllers with Kubernetes Kind clusters.\n\nExample usage:\n\n```yaml\nname: e2e\non:\n  pull_request:\n  push:\n    branches: [ main ]\njobs:\n  kind:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read # for reading the repository code.\n    steps:\n      - name: Test suite setup\n        uses: fluxcd/gha-workflows/.github/actions/setup-kubernetes@vX.Y.Z\n        with:\n          go-version: 1.25.x\n          kind-version: v0.30.0\n      - name: Run tests\n        run: make test\n```\n\n3rd-party actions used:\n\n- [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action)\n- [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action)\n- [helm/kind-action](https://github.com/helm/kind-action)\n\n## Contributing\n\n- The workflows must be placed in the `.github/workflows` directory and\n  the filenames must be in the format `\u003cmy-workflow\u003e.yaml`. 
The filename must match the workflow name.\n- All workflows requiring repository access must expose a `github-token` secret input.\n- The repo permissions must be set in the workflow file, and not rely on the default permissions.\n- All the actions used in workflows must be pinned to a commit SHA (Dependabot is configured to keep them up to date).\n- The usage of third-party actions should be limited to well-known actions with a good security track record.\n- Changes to workflows should be tested in a fork before opening a pull request,\n  especially those that trigger on **push tag** events.\n\n## Releasing new versions\n\nTo release a new version of the workflows, push a **signed** git tag with the version number (e.g. `v1.2.3`).\n\nDependabot is configured in the Flux controller repositories to keep the workflows up\nto date with the latest released version.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluxcd%2Fgha-workflows","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffluxcd%2Fgha-workflows","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffluxcd%2Fgha-workflows/lists"}