{"id":49768806,"url":"https://github.com/sbaerlocher/.github","last_synced_at":"2026-05-11T11:43:01.961Z","repository":{"id":340132741,"uuid":"1158042311","full_name":"sbaerlocher/.github","owner":"sbaerlocher","description":"Reusable GitHub Actions workflows for CI/CD, security scanning, deployments, and releases. Rolling release with 27 production-ready workflows.","archived":false,"fork":false,"pushed_at":"2026-05-05T17:42:10.000Z","size":507,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-05T19:32:53.126Z","etag":null,"topics":["automation","ci-cd","devops","docker","github-actions","helm","reusable-workflows","security","terraform","workflows"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sbaerlocher.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-14T17:50:31.000Z","updated_at":"2026-05-05T17:42:13.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/sbaerlocher/.github","commit_stats":null,"previous_names":["sbaerlocher/.github"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/sbaerlocher/.github","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbaerlocher%2F.github","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbaer
locher%2F.github/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbaerlocher%2F.github/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbaerlocher%2F.github/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sbaerlocher","download_url":"https://codeload.github.com/sbaerlocher/.github/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbaerlocher%2F.github/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32894000,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-10T13:40:02.631Z","status":"online","status_checked_at":"2026-05-11T02:00:05.975Z","response_time":120,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","ci-cd","devops","docker","github-actions","helm","reusable-workflows","security","terraform","workflows"],"created_at":"2026-05-11T11:43:01.147Z","updated_at":"2026-05-11T11:43:01.948Z","avatar_url":"https://github.com/sbaerlocher.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Reusable GitHub Actions Workflows\n\nCentralized CI/CD building blocks for all repositories under\n[`sbaerlocher`](https://github.com/sbaerlocher). 
Consumer repositories pin\neach workflow by date tag and let Renovate keep them current.\n\n- **Model:** rolling release with date tags (`YYYY-MM-DD`)\n- **Total workflows:** 24\n- **Last updated:** 2026-05-03\n\nSee [AGENTS.md](./AGENTS.md) for AI-agent context.\n\n---\n\n## Quick Start\n\nPick the most recent date tag from\n\u003chttps://github.com/sbaerlocher/.github/tags\u003e (used as `\u003cTAG\u003e` below) and\nreference workflows from your consumer repository.\n\n### JavaScript / TypeScript\n\n```yaml\n# .github/workflows/ci.yml\nname: Continuous Integration\non:\n  pull_request:\n    branches: [main]\n  workflow_call:\n\njobs:\n  ci:\n    uses: sbaerlocher/.github/.github/workflows/ci-js.yml@\u003cTAG\u003e\n    with:\n      package-manager: pnpm\n      enable-security-scans: true\n    secrets:\n      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}\n```\n\n### Go\n\n```yaml\njobs:\n  ci:\n    uses: sbaerlocher/.github/.github/workflows/ci-go.yml@\u003cTAG\u003e\n    with:\n      go-version: '1.25'\n```\n\n### Terraform\n\n```yaml\n# .github/workflows/ci.yml\njobs:\n  terraform:\n    uses: sbaerlocher/.github/.github/workflows/ci-terraform.yml@\u003cTAG\u003e\n\n# .github/workflows/deploy.yml — on push to main\njobs:\n  deploy:\n    uses: sbaerlocher/.github/.github/workflows/deploy-terraform.yml@\u003cTAG\u003e\n    with:\n      environment: production\n      bw-secrets: |\n        \u003cuuid\u003e \u003e ENV_VAR\n    secrets:\n      BW_ACCESS_TOKEN: ${{ secrets.BW_ACCESS_TOKEN }}\n```\n\n---\n\n## Workflow Catalogue\n\nAll files live in [.github/workflows/](./.github/workflows/).\n\n### CI — Continuous Integration (5)\n\n| File                                                       | Purpose                                  |\n| ---------------------------------------------------------- | ---------------------------------------- |\n| [`ci-ansible.yml`](./.github/workflows/ci-ansible.yml)     | Ansible syntax \u0026 ansible-lint            |\n| 
[`ci-gitops.yml`](./.github/workflows/ci-gitops.yml)       | Fleet, Helm, kubeconform validation      |\n| [`ci-go.yml`](./.github/workflows/ci-go.yml)               | Build, test, golangci-lint, gosec        |\n| [`ci-js.yml`](./.github/workflows/ci-js.yml)               | Quality, tests, audit (multi-pm)         |\n| [`ci-terraform.yml`](./.github/workflows/ci-terraform.yml) | `terraform fmt`, validate, tflint, Trivy |\n\n### Security — Scanning \u0026 Analysis (6)\n\n| File                                                                     | Tools                          |\n| ------------------------------------------------------------------------ | ------------------------------ |\n| [`security-code.yml`](./.github/workflows/security-code.yml)             | CodeQL (multi-language SAST)   |\n| [`security-config.yml`](./.github/workflows/security-config.yml)         | Checkov, kubeconform, kubesec  |\n| [`security-containers.yml`](./.github/workflows/security-containers.yml) | Trivy + Grype                  |\n| [`security-deps.yml`](./.github/workflows/security-deps.yml)             | govulncheck, npm audit, safety |\n| [`security-sbom.yml`](./.github/workflows/security-sbom.yml)             | CycloneDX SBOM generation      |\n| [`security-secrets.yml`](./.github/workflows/security-secrets.yml)       | Gitleaks + TruffleHog          |\n\n### Deploy (2)\n\n- [`deploy-cloudflare-workers.yml`](./.github/workflows/deploy-cloudflare-workers.yml)\n  — Cloudflare Workers via Wrangler\n- [`deploy-terraform.yml`](./.github/workflows/deploy-terraform.yml)\n  — Terraform plan \u0026 apply with Bitwarden secret injection\n\n### Release (4)\n\n| File                                                              | Output                               |\n| ----------------------------------------------------------------- | ------------------------------------ |\n| [`release-docker.yml`](./.github/workflows/release-docker.yml)    | Multi-arch Docker images to GHCR     |\n| 
[`release-go.yml`](./.github/workflows/release-go.yml)            | GoReleaser binaries + GitHub Release |\n| [`release-helm.yml`](./.github/workflows/release-helm.yml)        | Helm OCI chart publish               |\n| [`release-npm.yml`](./.github/workflows/release-npm.yml)          | NPM publish with provenance + SBOM   |\n\n### Operations (3)\n\n- [`ops-terraform-orchestration.yml`](./.github/workflows/ops-terraform-orchestration.yml)\n  — Multi-environment Terraform deployment driver\n- [`ops-terraform-report.yml`](./.github/workflows/ops-terraform-report.yml)\n  — Render Terraform pipeline report (Step Summary, metadata artifact, notification)\n- [`ops-drift-issue.yml`](./.github/workflows/ops-drift-issue.yml)\n  — Upsert a GitHub issue when Terraform drift is detected\n\n### AI — Private Repos Only (2)\n\n- [`ai-claude.yml`](./.github/workflows/ai-claude.yml)\n  — On-demand `@claude` mentions in issues and PRs\n- [`ai-claude-review.yml`](./.github/workflows/ai-claude-review.yml)\n  — Automatic code review on PRs (uses REVIEW.md as context)\n\n### E2E (2)\n\n| File                                                   | Purpose                                              |\n| ------------------------------------------------------ | ---------------------------------------------------- |\n| [`e2e-docker.yml`](./.github/workflows/e2e-docker.yml) | End-to-end tests via Docker Compose + Playwright     |\n| [`e2e-dde.yml`](./.github/workflows/e2e-dde.yml)       | End-to-end tests via whatwedo dde + Playwright       |\n\n---\n\n## Composite Actions\n\nIn addition to reusable workflows, this repo ships composite actions under\n[.github/actions/](./.github/actions/) for use from any consumer workflow.\n\n| Action                                      | Purpose                                                                |\n| ------------------------------------------- | ---------------------------------------------------------------------- |\n| 
[`setup-dde`](./.github/actions/setup-dde/) | Install the [whatwedo dde](https://github.com/whatwedo/dde) CLI        |\n| [`project`](./.github/actions/project/)     | Install dde + run any `dde project:\u003ccommand\u003e` (default `up`) for E2E   |\n| [`sbom-npm`](./.github/actions/sbom-npm/)   | CycloneDX SBOM for npm/pnpm/yarn/bun projects (internal)               |\n\nFor a complete Playwright + dde E2E job, use the\n[`e2e-dde.yml`](./.github/workflows/e2e-dde.yml) reusable workflow — it\nwires `project` together with Node, browser install, artifacts, and PR\ncommenting. Reach for the composite actions directly only when you need\na custom test surface that the workflow doesn't cover.\n\nReference an action from a consumer repository (Renovate keeps the date\ntag up to date):\n\n```yaml\n- uses: sbaerlocher/.github/.github/actions/project@2026-04-30\n  with:\n    wait-url: https://myproject.test/healthz\n\n- if: always()\n  uses: sbaerlocher/.github/.github/actions/project@2026-04-30\n  with:\n    command: down\n```\n\n---\n\n## Project Type Guide\n\n**Per language / stack:**\n\n- **JavaScript / TypeScript** — `ci-js.yml`; optional `release-npm.yml`,\n  `deploy-cloudflare-workers.yml`\n- **Go** — `ci-go.yml`; optional `release-go.yml`, `release-docker.yml`\n- **Terraform / IaC** — `ci-terraform.yml`, `deploy-terraform.yml`;\n  optional `ops-terraform-orchestration.yml`\n- **GitOps (Fleet / Helm)** — `ci-gitops.yml`; optional `release-helm.yml`\n- **Serverless (CF Workers)** — `ci-js.yml`, `deploy-cloudflare-workers.yml`\n\n**Cross-cutting:**\n\n- **Public repos (any language)** — add `security-code.yml` (CodeQL).\n  Weekly `security-*` scans recommended.\n- **Private repos (any language)** — add `ai-claude-review.yml` and\n  `ai-claude.yml`.\n\nWeekly security scans should be scheduled at `0 6 * * 1` (Monday 06:00 UTC).\nNever wire scheduled workflows as required status checks — they don't run on\nPRs and would block every merge.\n\n---\n\n## 
Versioning\n\nReference workflows from a consumer repo by **date tag**:\n\n```yaml\nuses: sbaerlocher/.github/.github/workflows/ci-js.yml@2026-04-25\n```\n\nRules:\n\n- Date tag is mandatory in consumer repos. `@main` and `@v1` are not\n  supported.\n- New tags are cut from `main` after a batch of changes settles.\n  See [CHANGELOG.md](./CHANGELOG.md) for the history.\n- Renovate updates these tags automatically via the custom manager in\n  [`renovate-base.json`](./renovate-base.json).\n\n---\n\n## Required Secrets in Consumer Repos\n\n| Secret                    | Purpose                            | Required for                      |\n| ------------------------- | ---------------------------------- | --------------------------------- |\n| `BW_ACCESS_TOKEN`         | Bitwarden Secrets Manager          | `deploy-terraform`, CF Workers    |\n| `CODECOV_TOKEN`           | Code coverage upload               | `ci-js`, `ci-go` (optional)       |\n| `NPM_TOKEN`               | NPM publish                        | `release-npm`                     |\n| `CLAUDE_CODE_OAUTH_TOKEN` | Claude AI workflows                | private repos only                |\n\n---\n\n## Troubleshooting\n\n### Workflow not found\n\n```text\nError: Unable to resolve action sbaerlocher/.github/.github/workflows/ci-js.yml@\u003cTAG\u003e\n```\n\nCheck the nested path: it's `sbaerlocher/.github` (the repo) followed by\n`/.github/workflows/\u003cfile\u003e` (the path inside the repo). 
Both `.github`\nsegments are required.\n\n### Cache misses\n\nEnsure your lockfile is committed (`pnpm-lock.yaml`, `package-lock.json`,\n`yarn.lock`, `bun.lockb`, or `go.sum`).\n\n### Security scans too slow on PRs\n\nRun the optional security scans only on `main`. The `with:` expression is\nevaluated in the caller, and on a `pull_request` run `github.ref` is\n`refs/pull/\u003cN\u003e/merge`, so it resolves to `false`:\n\n```yaml\nwith:\n  enable-security-scans: ${{ github.ref == 'refs/heads/main' }}\n```\n\n### SARIF upload fails on private repo\n\n`security-code.yml` and friends only upload SARIF when\n`enable-sarif-upload: true` *and* the repo is public (or has GitHub\nAdvanced Security). Private repos without GHAS should leave the input at\nits default `false` and rely on artifact uploads instead.\n\n---\n\n## Related Documentation\n\n- [REVIEW.md](./REVIEW.md) — code review guidelines for this repo\n- [CHANGELOG.md](./CHANGELOG.md) — release history\n- [AGENTS.md](./AGENTS.md) — AI agent context\n- [SECURITY.md](./SECURITY.md) — vulnerability reporting\n\n---\n\n## License\n\n[MIT](./LICENSE) — Simon Bärlocher.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbaerlocher%2F.github","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsbaerlocher%2F.github","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbaerlocher%2F.github/lists"}