{"id":18481394,"url":"https://github.com/ukhomeoffice/sas-github-workflows","last_synced_at":"2025-05-13T19:35:29.568Z","repository":{"id":65506176,"uuid":"591490270","full_name":"UKHomeOffice/sas-github-workflows","owner":"UKHomeOffice","description":"Central repository for reusable GitHub workflows","archived":false,"fork":false,"pushed_at":"2024-12-02T12:24:28.000Z","size":70,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-02-16T21:19:09.798Z","etag":null,"topics":["continuous-integration","github-actions","github-workflows"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/UKHomeOffice.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-20T22:12:09.000Z","updated_at":"2024-12-02T12:24:17.000Z","dependencies_parsed_at":"2024-03-12T12:28:31.344Z","dependency_job_id":"11609996-6640-4a82-afb4-5529878bf254","html_url":"https://github.com/UKHomeOffice/sas-github-workflows","commit_stats":null,"previous_names":[],"tags_count":50,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UKHomeOffice%2Fsas-github-workflows","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UKHomeOffice%2Fsas-github-workflows/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UKHomeOffice%2Fsas-github-workflows/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/UKHomeOffice
%2Fsas-github-workflows/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/UKHomeOffice","download_url":"https://codeload.github.com/UKHomeOffice/sas-github-workflows/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254013515,"owners_count":21999422,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["continuous-integration","github-actions","github-workflows"],"created_at":"2024-11-06T12:23:31.620Z","updated_at":"2025-05-13T19:35:29.532Z","avatar_url":"https://github.com/UKHomeOffice.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Standardised Workflows\n\nThis repository contains a set of centrally configured, consistent and reusable CI pipeline components.\n\n----\n\n## Check npm + ncc based GitHub Actions have a valid dist folder\n\nThis workflow ensures that code changes in /src are reflected in the /dist folder produced by ncc.\n\n### actions-check-dist.yml\n\n```yaml\nname: 'Dist Diff'\non:\n  pull_request:\n    types: [ opened, reopened, synchronize ]\n\njobs:\n  diff:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/actions-check-dist.yml@v2\n```\n\n----\n\n## Scan a docker image using Anchore\n\nThis workflow builds and scans a docker image using Anchore, optionally pushing it to a registry tagged with the commit SHA.\n\nWhen the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR. Because applying the label triggers a push, treat the ability to label PRs as a publishing permission.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of 
`AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\nNote that `secrets: inherit` passes every secret available to the calling workflow on to the reusable workflow, not only the ones listed above; if that is wider than intended, pass the required secrets explicitly instead.\n\n### anchore.yml\n\n```yaml\nname: \"Anchore Scan\"\n\non:\n  push:\n    branches: [ \"main\" ]\n  pull_request:\n    types: [ labeled, opened, reopened, synchronize ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  scan:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-outbound-proxy'\n    secrets: inherit\n```\n\n----\n\n## Scan a docker image using Anchore - gradle\n\nThis workflow builds and scans a docker image using Anchore, optionally pushing it to a registry tagged with the commit SHA.\n\nWhen the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### anchore-gradle.yml\n\n```yaml\nname: \"Anchore Scan\"\n\non:\n  push:\n    branches: [ \"main\" ]\n  pull_request:\n    types: [ labeled, opened, reopened, synchronize ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  scan:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore-gradle.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-frontend'\n    secrets: inherit\n```\n\n----\n\n## Scan a docker image using Anchore - npm\n\nThis workflow builds and scans a docker image using Anchore, optionally pushing it to a registry tagged with the commit SHA.\n\nWhen the `smoketest` label is applied, the image will be pushed to either Docker (default) or ECR.\n\n**ECR**\n* 
Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### anchore-npm.yml\n\n```yaml\nname: \"Anchore Scan\"\n\non:\n  push:\n    branches: [ \"main\" ]\n  pull_request:\n    types: [ labeled, opened, reopened, synchronize ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  scan:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore-npm.yml@v2\n    with:\n      installCommand: 'ci --production=false --no-optional'\n      buildCommand: 'build-prod'\n      image: 'quay.io/ukhomeofficedigital/hocs-frontend'\n    secrets: inherit\n```\n\n----\n\n## Scan a repository using CodeQL - gradle\n\nThis is a [CodeQL](https://codeql.github.com/) static analysis action for JVM languages.\nThis build uses the caching Gradle actions rather than a generic job that relies on the `autobuild` step.\nTypically, this is run on changes to source code only, ignoring test code.\n\n### codeql-analysis-gradle.yml\n\n```yaml\nname: 'CodeQL'\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  analyze:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-gradle.yml@v2\n```\n\n----\n\n## Scan a repository using CodeQL - npm\n\nThis is a [CodeQL](https://codeql.github.com/) static analysis action for JavaScript.\nBecause this is an interpreted language, the `autobuild` step is not needed.\nTypically, this is run on changes to source code only, ignoring test code.\n\n### codeql-analysis-npm.yml\n\n```yaml\nname: 'CodeQL'\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  analyze:\n    uses: 
UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-npm.yml@v2\n```\n\n----\n\n## Scan a repository using CodeQL - pip\n\nThis is a [CodeQL](https://codeql.github.com/) static analysis action for Python.\nBecause this is an interpreted language, the `autobuild` step is not needed.\nTypically, this is run on changes to source code only, ignoring test code.\n\n### codeql-analysis-pip.yml\n\n```yaml\nname: 'CodeQL'\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n  schedule:\n    - cron: '45 12 * * 1'\n\njobs:\n  analyze:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/codeql-analysis-pip.yml@v2\n```\n\n----\n\n## Check a PR has a valid SemVer increment\n\nThis workflow ensures that exactly one of the `major`, `minor`, `patch` or `skip-release` labels is present on a PR.\n\n### semver-check.yml\n\n```yaml\nname: 'SemVer label Checker'\non:\n  pull_request:\n    types: [ labeled, unlabeled, opened, reopened, synchronize ]\n\njobs:\n  check:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-check.yml@v2\n```\n\n----\n\n## Create a SemVer tag on PR merge\n\nThis workflow tags the merged commit SHA with a SemVer value on PR merge.\n* It will not run if the PR carries the `skip-release` label.\n* It increments the last SemVer tag by `major`, `minor` or `patch`, according to the PR label.\n* It also moves the major version tag to the same commit as the new SemVer tag, e.g. 
`v1` alongside tag `1.2.3`.\n\n### semver-tag.yml\n\n```yaml\nname: 'SemVer Tag'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  check:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag.yml@v2\n```\n\n----\n\n## Publish a docker image with arbitrary tag\n\nThis workflow builds and publishes a docker image to either Docker (default) or ECR with a specified tag.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### publish-docker.yml\n\n```yaml\nname: 'Build, Tag, and Push Docker Image'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/publish-docker.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'\n      tag: ${{ github.event.pull_request.head.sha }}\n    secrets: inherit\n```\n\n----\n\n## Publish a docker image with arbitrary version\n\nThis workflow builds and publishes a docker image to either Docker (default) or ECR with an arbitrary version string. 
This version string is the required `tag` input of the workflow.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### tag-docker.yml\n\n```yaml\nname: 'Build Docker and Tag Repository'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/tag-docker.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'\n      tag: ${{ github.sha }}\n    secrets: inherit\n```\n\n----\n\n## Publish a docker image with SemVer version\n\nThis workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### semver-tag-docker.yml\n\n```yaml\nname: 'SemVer Tag and Docker Build'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-toolbox'\n    secrets: inherit\n```\n\n----\n\n## Publish a docker image with SemVer version - gradle\n\nThis workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret 
value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### semver-tag-docker-gradle.yml\n\n```yaml\nname: 'SemVer Tag and Docker Build'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker-gradle.yml@v2\n    with:\n      image: 'quay.io/ukhomeofficedigital/hocs-audit'\n    secrets: inherit\n```\n\n----\n\n## Publish a docker image with SemVer version - npm\n\nThis workflow builds and publishes a docker image to either Docker (default) or ECR with a SemVer value.\n\n**ECR**\n* Requires secret value of `AWS_ACCESS_KEY_ID`\n* Requires secret value of `AWS_SECRET_ACCESS_KEY`\n\n**Docker**\n* Requires secret value of `DOCKER_USER_NAME` or `QUAY_ROBOT_USER_NAME`\n* Requires secret value of `DOCKER_PASSWORD` or `QUAY_ROBOT_TOKEN`\n\nTo push to `ECR`, an additional input `ecr: 'true'` is required under `with:`.\n\n### semver-tag-docker-npm.yml\n\n```yaml\nname: 'SemVer Tag and Docker Build'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-docker-npm.yml@v2\n    with:\n      installCommand: 'ci --production=false --no-optional'\n      buildCommand: 'build-prod'\n      image: 'quay.io/ukhomeofficedigital/hocs-frontend'\n    secrets: inherit\n```\n\n----\n\n## Publish an npm package\n\nThis workflow builds and publishes an npm package with a SemVer value. The `installCommand` in the example adds `--ignore-scripts`, which stops `npm ci` from running the lifecycle scripts (`preinstall`, `postinstall` and so on) of the package and its dependencies; that removes one common execution vector from the publishing job.\n\n### semver-tag-npm.yml\n\n```yaml\nname: 'SemVer Tag and npm Publish'\non:\n  pull_request:\n    types: [ closed ]\n\njobs:\n  build:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/semver-tag-npm.yml@v2\n    with:\n      installCommand: 'ci --ignore-scripts'\n    secrets: inherit\n```\n\n----\n\n## Lint, audit and test an npm-based project\n\nThis will run `npm run lint` and `npm test` on a repository after building it with `npm ci`.\n* It 
will run tests in parallel against two versions of Node.js: `18` and `19`.\n* Optionally, this workflow will install OS dependencies required to run tests.\n* Optionally, this workflow will start components using docker-compose to run end-to-end tests against.\n\n### inputs:\n\n| input                   | required | default                   | effective command                                            |\n|-------------------------|----------|---------------------------|--------------------------------------------------------------|\n| nodeVersionMatrix       | false    | [ \"18.x\", \"19.x\" ]        |                                                              |\n| installCommand          | false    | 'ci'                      | npm --loglevel warn ci                                       |\n| buildCommand            | false    | 'build'                   | npm run build                                                |\n| lintCommand             | false    | 'lint'                    | npm run lint                                                 |\n| osDependencies          | false    | null                      | sudo apt-get install -y [packages]                           |\n| dockerComposeBinary     | false    | 'docker-compose'          | docker-compose -f ./ci/docker-compose.yml up -d [components] |\n| dockerComposeCommand    | false    | './ci/docker-compose.yml' | docker-compose -f ./ci/docker-compose.yml up -d [components] |\n| dockerComposeComponents | false    | null                      |                                                              |\n| healthcheckScript       | false    | './ci/healthcheck.sh'     | bash ./ci/healthcheck.sh                                     |\n\n### test-npm.yml - unit tests only\n\n```yaml\nname: 'Test'\non:\n  pull_request:\n    types: [ opened, reopened, synchronize ]\n\njobs:\n  test:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-npm.yml@v2\n```\n\n### test-npm.yml - install extra OS deps and 
docker compose with custom npm arguments\n\n```yaml\nname: 'Test'\non:\n  pull_request:\n    types: [ opened, reopened, synchronize ]\n\njobs:\n  test:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-npm.yml@v2\n    with:\n      installCommand: 'ci --production=false --no-optional'\n      buildCommand: 'build-prod'\n      osDependencies: 'libreoffice'\n      dockerComposeComponents: 'postgres'\n```\n\n### test-python.yml\n\nSupports an optional `pythonVersionMatrix` input that selects the Python versions to test against. A default is defined in the workflow.\n\n```yaml\nname: 'Test'\non:\n  pull_request:\n    types: [ opened, reopened, synchronize ]\n\njobs:\n  test:\n    uses: UKHomeOffice/sas-github-workflows/.github/workflows/test-python.yml@v2\n```\n\n----\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fukhomeoffice%2Fsas-github-workflows","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fukhomeoffice%2Fsas-github-workflows","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fukhomeoffice%2Fsas-github-workflows/lists"}
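The SemVer label and tagging rules described in the README's `semver-check.yml` and `semver-tag.yml` sections, as an added stand-alone example in Python. This is not code from UKHomeOffice/sas-github-workflows; it assumes only what the README states: one of `major`, `minor`, `patch` or `skip-release` must be present on the PR, the highest existing SemVer tag is bumped, and the major alias tag (`v1`) follows the new full tag. The tag list is constructed sample input, and tags are compared numerically so that `1.10.0` sorts above `1.9.9`.

```python
"""Next-version computation for the SemVer label workflows.

Added example, not code from UKHomeOffice/sas-github-workflows. The label
names, the tag format (full tags like 1.2.3, alias tags like v1) and the
bump rules are taken from the README; everything else is an assumption.
"""
import re
from dataclasses import dataclass

RELEASE_LABELS = {"major", "minor", "patch", "skip-release"}
# Full SemVer tags, with or without a leading "v". Alias tags such as "v1" do not match.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class Release:
    tag: str          # full SemVer tag to create, e.g. "1.3.0"
    major_alias: str  # moving major tag to update, e.g. "v1"


def release_label(labels):
    """Return the single release label on the PR, mirroring the semver-check gate.

    Raises ValueError when zero or more than one release label is present, so a
    PR carrying both `minor` and `patch` is rejected rather than guessed at.
    """
    found = sorted(RELEASE_LABELS & set(labels))
    if len(found) != 1:
        raise ValueError(f"expected exactly one of {sorted(RELEASE_LABELS)}, got {found}")
    return found[0]


def latest_semver(tags):
    """Highest SemVer tag as a (major, minor, patch) tuple; (0, 0, 0) if none exist."""
    parsed = []
    for tag in tags:
        m = SEMVER_RE.match(tag)
        if m:
            parsed.append(tuple(int(x) for x in m.groups()))
    return max(parsed) if parsed else (0, 0, 0)


def next_release(tags, labels):
    """Compute what the semver-tag workflow would create, or None for skip-release."""
    label = release_label(labels)
    if label == "skip-release":
        return None
    major, minor, patch = latest_semver(tags)
    if label == "major":
        major, minor, patch = major + 1, 0, 0
    elif label == "minor":
        minor, patch = minor + 1, 0
    else:
        patch += 1
    return Release(tag=f"{major}.{minor}.{patch}", major_alias=f"v{major}")


if __name__ == "__main__":
    # Constructed sample: tags as `git tag` might list them, unordered, alias v1 included.
    sample_tags = ["1.2.3", "v1", "1.10.0", "1.9.9", "0.4.1"]
    print(next_release(sample_tags, ["minor", "documentation"]))  # tag 1.11.0, alias v1
    print(next_release(sample_tags, ["major"]))                   # tag 2.0.0, alias v2
```

The ValueError path is the part worth keeping in a real implementation: a tagging job that silently picks one of two conflicting labels produces a release nobody asked for.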
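A check a practitioner would want before adopting the caller snippets in the README above: a stdlib-only line scanner that flags `uses:` references not pinned to a full commit SHA and any `secrets: inherit`. This is an added example, not part of UKHomeOffice/sas-github-workflows. Two policy choices in it are the editor's assumptions, not the project's: that reusable-workflow and action references should be pinned to a 40-character commit SHA rather than a moving tag such as `@v2`, and that `secrets: inherit` should be replaced by an explicit map of the secrets a workflow needs. The sample workflow text is constructed from the README's `anchore.yml` caller, and the SHA in the hardened variant is a placeholder, not a real commit.

```python
"""Lint a caller workflow for mutable `uses:` refs and `secrets: inherit`.

Added example, not code from UKHomeOffice/sas-github-workflows. Line-based
(no YAML parser), so it handles the shapes shown in the README and the
common `- uses:` step form, not arbitrary YAML.
"""
import re
from dataclasses import dataclass

# `uses:` at job level (reusable workflow) or step level (`- uses:`), optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str     # "unpinned-ref" or "secrets-inherit"
    detail: str


def lint_caller_workflow(text):
    """Return findings, in line order, for a caller workflow given as text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing YAML comments such as "# v2"
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local path: runs at the caller's own commit, nothing to pin
            if ref.startswith("docker://"):
                if "@sha256:" not in ref:
                    findings.append(Finding(n, "unpinned-ref", f"{ref}: image tag, pin to a digest"))
                continue
            if "@" not in ref:
                findings.append(Finding(n, "unpinned-ref", f"{ref}: no ref given"))
            elif not SHA_RE.match(ref.rsplit("@", 1)[1]):
                findings.append(Finding(n, "unpinned-ref", f"{ref}: mutable ref, pin to a commit SHA"))
        elif SECRETS_INHERIT_RE.match(line):
            findings.append(Finding(n, "secrets-inherit", "all caller secrets are passed; list only those required"))
    return findings


# Constructed sample: the README's anchore.yml caller, trimmed to the relevant keys.
SAMPLE_CALLER = """\
name: "Anchore Scan"
on:
  pull_request:
    types: [ labeled, opened, reopened, synchronize ]
jobs:
  scan:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore.yml@v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-outbound-proxy'
    secrets: inherit
"""

# Constructed hardened variant: placeholder SHA (not a real commit) and an explicit secrets map.
PINNED_CALLER = """\
jobs:
  scan:
    uses: UKHomeOffice/sas-github-workflows/.github/workflows/anchore.yml@0123456789abcdef0123456789abcdef01234567  # v2
    with:
      image: 'quay.io/ukhomeofficedigital/hocs-outbound-proxy'
    secrets:
      QUAY_ROBOT_USER_NAME: ${{ secrets.QUAY_ROBOT_USER_NAME }}
      QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CALLER), ("pinned", PINNED_CALLER)):
        for f in lint_caller_workflow(text):
            print(f"{name}:{f.line}: {f.kind}: {f.detail}")
```

Pinning to a SHA trades convenience for immutability: the `@v2` tag in the README moves every time the central repository releases, which is the intended way to receive fixes, while a SHA only changes when the caller is edited. Which to choose is an organisational decision; the scanner just makes the choice visible.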