https://github.com/azva-co/.github

Community health files — contributing guide, issue templates, PR template, code of conduct, security policy

# .github

Shared GitHub Actions reusable workflows, composite actions, and starter
workflow templates for [`azva-co`](https://github.com/azva-co) repositories.

> The org landing page lives in [`profile/README.md`](profile/README.md). This file
> is the developer reference for what's reusable here.

## Reusable workflows

Call from any repo with `uses: azva-co/.github/.github/workflows/@main`
(the double `.github` is correct — the workflows live in the `.github/` subdirectory
of the repo named `.github`).

### `build-sign-image.yml`

Build a container image, Trivy-scan it as a blocking gate, push multi-arch, sign
keylessly with cosign, attach a CycloneDX SBOM, and attest SLSA build provenance.
All signing is keyless (Sigstore/Rekor) — no key management.

| Input | Default | Description |
|---|---|---|
| `image` (required) | — | Image name without registry prefix (e.g. `azva-co/python`) |
| `registry` | `ghcr.io` | Target registry |
| `context` | `.` | Build context path |
| `dockerfile` | `Dockerfile` | Dockerfile path relative to context |
| `push` | `false` | Push to registry (set `false` on PRs) |
| `platforms` | `linux/amd64,linux/arm64` | Build platforms for the pushed image |
| `date-tag` | `true` | Also tag the push with `YYYYMMDD` for reproducible pinning |
| `upload-sarif` | `false` | Publish Trivy findings to code scanning (free on public repos) |
| `base-registry` | `cgr.dev` | `ARG REGISTRY` prefix for base images (air-gap override) |
| `trivy-db-repository` | `ghcr.io/aquasecurity/trivy-db` | Trivy DB OCI repo (air-gap override) |
| `version` | git ref name | Image version label |
| `build-args` | `''` | Extra `KEY=VALUE` build args (newline-separated) — e.g. an upstream tool version |
| `extra-tags` | `''` | Additional image tags (e.g. an app version) alongside latest/sha/date |

Secret: `COSIGN_KEY` (optional — omit for keyless). Output: `digest`.

Matrix example (one call per image):

```yaml
jobs:
  build:
    strategy:
      matrix:
        image: [python, java, go, node]
    uses: azva-co/.github/.github/workflows/build-sign-image.yml@main
    with:
      image: ${{ github.repository_owner }}/${{ matrix.image }}
      context: ${{ matrix.image }}
      push: ${{ github.event_name != 'pull_request' }}
      upload-sarif: true
    permissions:
      contents: read
      packages: write
      id-token: write
      security-events: write
      attestations: write
    secrets: inherit
```

Verify a published image:

```bash
# cosign keyless signature
cosign verify \
--certificate-identity-regexp 'https://github.com/azva-co/.github/.github/workflows/build-sign-image.yml@.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
ghcr.io/azva-co/:latest

# GitHub-native build provenance
gh attestation verify oci://ghcr.io/azva-co/:latest --owner azva-co
```

### `trivy-scan.yml`

Standalone Trivy scan for `fs`, `config`, `image`, or `repo` targets. Used by repos
that need scanning without a build (IaC, source trees, existing images).

## Composite actions

| Action | Purpose |
|---|---|
| [`wiremock`](.github/actions/wiremock/action.yml) | Start WireMock in the background for integration tests (stub/proxy/collect modes) |

## Starter workflows

`workflow-templates/` surfaces suggested workflows in the Actions UI of every repo
("New workflow" → "By azva-co"). Currently: **Build & sign container image**.

## Conventions

- **`@main` is a live release channel.** Every consumer at `@main` picks up changes on
its next run — there is no staging buffer. Keep changes additive (new optional inputs),
and rely on the `actionlint` CI-for-CI check below before merging.
- **Actions are pinned to full commit SHAs** with a `# vX` comment. [Renovate](renovate.json)
keeps the pins current. This is what makes it safe to enable `sha_pinning_required`
and an `allowed_actions` allowlist on the repo.
- **CI-for-CI:** [`actionlint.yml`](.github/workflows/actionlint.yml) lints all workflows
and composite actions on every change.
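The SHA-pinning convention above is easy to state and easy to drift from when a contributor pastes a `uses: owner/action@v4` line from upstream docs. The following is an added example (not code from this repo) of a small checker that walks a workflow file, finds every `uses:` reference, and reports any that is not a full 40-hex commit SHA with a trailing `# vX` comment. It encodes the two exceptions the conventions imply: local composite actions (`./...`) have no ref to pin, and this org's reusable workflows are consumed at `@main`. The workflow text and the 40-character SHA are constructed placeholders, not real commits or files.

```python
"""Check that every `uses:` in a GitHub Actions workflow is SHA-pinned with a
`# vX` comment, following the azva-co/.github conventions.

Added example; not part of the azva-co/.github repository.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches `uses:` as a step list item ("- uses: ...") or as a job key ("uses: ...")
# and captures the reference plus an optional trailing "# ..." comment.
USES_RE = re.compile(r'^\s*(?:-\s+)?uses:\s*(?P<ref>[^#\s]+)\s*(?:#\s*(?P<comment>.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_COMMENT_RE = re.compile(r'^v\d+(?:\.\d+){0,2}\b')


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def check_uses(ref: str, comment: str, trusted_org: str) -> Optional[str]:
    """Return why `ref` violates the pinning convention, or None if it complies."""
    ref = ref.strip('"\'')
    if ref.startswith("./") or ref.startswith("docker://"):
        return None  # local composite action or Docker image: no GitHub ref to pin
    if "@" not in ref:
        return "no @ref given"
    path, version = ref.rsplit("@", 1)
    # Reusable workflows from this org are called at @main by convention.
    if path.startswith(f"{trusted_org}/.github/.github/workflows/") and version == "main":
        return None
    if not FULL_SHA_RE.match(version):
        return f"ref {version!r} is not a full 40-hex commit SHA"
    if not VERSION_COMMENT_RE.match(comment):
        return "SHA pin has no trailing '# vX' version comment"
    return None


def check_workflow(text: str, trusted_org: str = "azva-co") -> List[Finding]:
    """Scan workflow YAML line by line and collect pinning violations."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        comment = (m.group("comment") or "").strip()
        reason = check_uses(m.group("ref"), comment, trusted_org)
        if reason:
            findings.append(Finding(lineno, m.group("ref"), reason))
    return findings


# Constructed sample input: a placeholder SHA (not a real commit) and a
# hypothetical caller workflow mixing compliant and non-compliant references.
PLACEHOLDER_SHA = "a" * 40

SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  image:
    uses: azva-co/.github/.github/workflows/build-sign-image.yml@main
    with:
      image: azva-co/python
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: actions/setup-python@v5
      - uses: actions/cache@{PLACEHOLDER_SHA}
      - uses: ./.github/actions/wiremock
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run against the sample, it reports line 12 (`actions/setup-python@v5`, a floating tag) and line 13 (a SHA pin with no version comment, which leaves Renovate and reviewers nothing to reason about); the `@main` call into this org's reusable workflows and the local `wiremock` composite action pass. A check like this belongs next to the `actionlint` job as a second CI-for-CI gate, and it is a cheap way to confirm a repo is ready before `sha_pinning_required` is switched on.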

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md).