https://github.com/dfds/shared-workflows
Repository for shared github workflows
- Host: GitHub
- URL: https://github.com/dfds/shared-workflows
- Owner: dfds
- Created: 2023-05-03T18:54:03.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2026-05-12T11:16:09.000Z (about 1 month ago)
- Last Synced: 2026-05-12T11:37:16.651Z (about 1 month ago)
- Language: Python
- Size: 247 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Contributing: docs/CONTRIBUTING.md
- Codeowners: .github/CODEOWNERS
README
# Shared workflows and actions
A repository for shared GitHub workflows and actions, and best practices for new and existing repositories. We welcome contributions. See [Contributing](docs/CONTRIBUTING.md) to get started.
Shared workflows and actions:
- [Automation](#automation)
  - workflows
    - [Auto release](#auto-release)
    - [Build lambda and upload to S3](#build-lambda-and-upload-to-s3)
    - [Enforce PR labels](#enforce-pr-labels)
    - [Golang test suite](#golang-test-suite)
    - [Housekeeping](#housekeeping)
    - [Integration test build](#integration-test-build)
    - [Multi architecture docker build](#multi-architecture-docker-build)
    - [Block on-hold PRs](#block-on-hold-prs)
    - [Add comment from PR template on Renovate pull requests](#add-comment-from-pr-template-on-renovate-pull-requests)
  - actions
    - [Slack Notifier](#slack-notifier)
- [Compliance](#compliance)
  - actions
    - [Checkov Github Actions Step](#checkov-github-actions-step)
- [Security](#security)
  - workflows
    - [Gitleaks](#gitleaks)
    - [Run Trivy IAC with Quality Gate](#run-trivy-iac-with-quality-gate)
## Automation
### Auto release
_This is a workflow_
Creates a GitHub Release on push to master. Automatically tags the release and creates release notes from the git log. Change the semantic versioning by applying the labels **release:patch**, **release:minor** or **release:major**. Works best in conjunction with [Enforce PR labels](https://github.com/dfds/shared-workflows#enforce-pr-labels).
[Marketplace](https://github.com/marketplace/actions/tag-release-on-push-action)
How to invoke this workflow:
```yaml
name: Auto release
on:
  push:
    branches: ["master", "main"]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-auto-release.yml@master
    # Note, make sure to use `secrets: inherit` if utilizing the organizational secret `GH_RELEASE`
    # secrets: inherit
    # In order to add prefix to the tag:
    with:
      tag_prefix: "your_prefix"
```
### Build lambda and upload to S3
_This is a workflow_
This workflow builds Lambda code and uploads the zip file to an S3 bucket. The instructions for building the zip package must be specified in a Makefile. The workflow works with Go and Python Lambdas.
How to invoke this workflow:
```yaml
name: Build lambda and upload to S3
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  build-and-upload-to-s3:
    name: build-and-upload-to-s3
    uses: dfds/shared-workflows/.github/workflows/automation-build-and-upload-to-s3.yml@master
    with:
      role-session-name: upload-crl-importer-lambda # Session name
      working-directory: ./crl-importer-lambda # The working directory that includes the Makefile
      lambda-package-name: crl-importer-lambda.zip # The lambda package name
      s3-location: dfds-ce-shared-artifacts/iam-rolesanywhere-lambdas
      go-version: "1.20" # Should be specified only for Go lambdas
      cache-dependency-path: ./crl-importer-lambda/go.mod/go.sum # Should be specified only for Go lambdas
      arguments: PACKAGE_NAME=${{ matrix.lambda-name }} # The arguments to be passed to make
    secrets:
      role-to-assume: ${{ secrets.ROLE_TO_ASSUME }} # Repository secret with the AWS role to be assumed
```
### Enforce PR labels
_This is a workflow_
Enforces assigning labels before merging PRs. Useful for governing the use of semantic versioning labels for [Auto release](https://github.com/dfds/shared-workflows#auto-release).
[Marketplace](https://github.com/marketplace/actions/enforce-pr-labels)
How to invoke this workflow:
```yaml
name: Enforce PR labels
on:
  pull_request:
    types: [labeled, unlabeled, opened, edited, synchronize]
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-enforce-release-labels.yml@master
```
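The two workflows above fit together: the label check decides whether a PR may merge, and the release step turns the chosen label into the next tag. The following is an added example of that logic, written here for illustration and not code from dfds/shared-workflows or the marketplace actions it wraps. It assumes the PR labels arrive as a list of strings and the latest tag as a `MAJOR.MINOR.PATCH` string with an optional prefix; the `tag_prefix` parameter mirrors the workflow input of the same name.

```python
import re

# Map of the release labels the Auto release workflow understands to the bump they imply.
RELEASE_LABELS = {
    "release:patch": "patch",
    "release:minor": "minor",
    "release:major": "major",
}

# Accepts an optional leading prefix (e.g. "v" or a tag_prefix) before MAJOR.MINOR.PATCH.
SEMVER_RE = re.compile(r"^(?P<prefix>.*?)(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)$")


def enforce_release_label(labels):
    """Status-check logic: the PR must carry exactly one release:* label.

    Returns the bump kind ("patch", "minor" or "major"). Raises ValueError when
    the label is missing or ambiguous, which is what makes the check fail.
    """
    found = [RELEASE_LABELS[label] for label in labels if label in RELEASE_LABELS]
    if len(found) != 1:
        raise ValueError(
            f"expected exactly one of {sorted(RELEASE_LABELS)}, found {len(found)}: {found}"
        )
    return found[0]


def next_tag(latest_tag, bump, tag_prefix=""):
    """Compute the tag to create from the latest existing tag and the bump kind.

    latest_tag may be None (no release yet, treated as 0.0.0) and may carry an
    existing prefix; the returned tag uses tag_prefix, like the workflow input.
    """
    if latest_tag is None:
        major, minor, patch = 0, 0, 0
    else:
        match = SEMVER_RE.match(latest_tag)
        if not match:
            raise ValueError(f"latest tag {latest_tag!r} is not MAJOR.MINOR.PATCH")
        major, minor, patch = (int(match.group(g)) for g in ("major", "minor", "patch"))

    if bump == "major":
        major, minor, patch = major + 1, 0, 0
    elif bump == "minor":
        minor, patch = minor + 1, 0
    elif bump == "patch":
        patch += 1
    else:
        raise ValueError(f"unknown bump kind {bump!r}")
    return f"{tag_prefix}{major}.{minor}.{patch}"


def release_from_pr(labels, latest_tag, tag_prefix=""):
    """Run the label check, then derive the next tag; ValueError means 'block the merge'."""
    return next_tag(latest_tag, enforce_release_label(labels), tag_prefix)


if __name__ == "__main__":
    # Constructed sample: a PR labelled for a minor bump on top of tag v1.4.2.
    print(release_from_pr(["bug", "release:minor"], "v1.4.2", tag_prefix="v"))  # v1.5.0
```

Requiring exactly one `release:*` label, rather than at least one, is deliberate: two conflicting labels would otherwise let whichever the action reads first decide the version.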
### Golang test suite
_This is a workflow_
Status check that fails if a PR with Golang code fails its test suite.
How to invoke this workflow:
```yaml
name: Golang test suite
on:
  pull_request:
    branches: [ master, main ]
    paths:
      - '**.go'
      - '**.mod'
      - '**.sum'
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-golang-test-suite.yml@master
```
### Housekeeping
_This is a workflow_
Sets repository settings to a standard that is used across the organization.
How to invoke this workflow:
```yaml
name: Housekeeping
on:
  schedule:
    - cron: "0 6 * * *"
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-housekeeping.yml@master
    secrets: inherit
    with:
      # Optional, Enable delete head branch after merge
      delete_head_branch: true
      # Optional, Enable merging pull requests via squashed commit
      squash_merge: true
      # Optional, Enable branch protection on default branch
      branch_protection: true
      # Optional, Enable mandatory checking-labels status check on PRs
      status_checks: true
```
### Integration test build
_This is a workflow_
Builds a Go integration test binary and uploads it as an artifact. Designed for infrastructure integration tests that are compiled once and run against multiple environments.
How to invoke this workflow:
```yaml
name: Integration test build
on:
  push:
    branches: [master]
jobs:
  build-test:
    uses: dfds/shared-workflows/.github/workflows/automation-integration-test-build.yml@master
    with:
      test-source-path: test/integration/suite
      repository: dfds/infrastructure-modules
      ref: master
      artifact-name: test-binary
```
### Multi architecture docker build
_This is a workflow_
All-in-one package that builds, tests, beautifies and publishes a Docker image for multiple architectures. This workflow uses the [Auto release](#auto-release) workflow to create a GitHub Release on push to master. You have to add the DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets to your repository to use this workflow. To use the Slack integration you also have to add the SLACK_WEBHOOK secret.
How to invoke this workflow:
```yaml
name: Multi architecture docker build
on:
  push:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-multi-build.yml@master
    secrets: inherit
    with:
      # Required
      image-repo: dfdsdk/repo-name
      # Required, options: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64
      os-archs: "linux/amd64,linux/arm64,linux/arm/v7"
      # Optional, path to the test script to run inside the container
      test-script-path: ./app/test.py
      # Optional, the command to run the test script inside the container
      test-script-cmd: "python test.py"
      # Optional, the path to the readme file to use for the docker image
      # It is recommended that if you do not have a specific file for the docker image,
      # that you use the same readme as the repository
      docker-readme-path: "./DockerREADME.md"
      # Optional, sends a slack notification to the channel specified in the repository secrets
      slack-notification: true
      # Optional, the path to the Dockerfile you wish to build. Defaults to Dockerfile at the repository root.
      docker-dockerfile-path: "./path/to/Dockerfile"
```
### Block on-hold PRs
_This is a workflow_
Status check that fails if a PR is on hold. Works in conjunction with the `status_checks` option of [Housekeeping](https://github.com/dfds/shared-workflows#housekeeping).
How to invoke this workflow:
```yaml
name: Block on-hold PRs
on:
  pull_request:
    branches: [ master, main ]
    types: [ opened, labeled, unlabeled, synchronize ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-on-hold-prs.yml@master
```
### Add comment from PR template on Renovate pull requests
_This is a workflow_
Enables using the PR template on pull requests generated by RenovateBot.
How to invoke this workflow:
```yaml
name: Add comment from PR template on Renovate pull requests
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-renovate-pr-commenter.yml@master
    with:
      pr-template-filepath: .github/pull_request_template.md
```
### Slack Notifier
_This is an action_
Sends alerts to a Slack channel. Create your webhook on our [Slack Bot here](https://api.slack.com/apps/A04U1JJRPT9/incoming-webhooks). Add the webhook as a secret in your repository with the key `SLACK_WEBHOOK`.
[Marketplace](https://github.com/marketplace/actions/slack-notify)
How to invoke this action:
```yaml
name: Slack Notifier
on:
  workflow_dispatch:
jobs:
  slack-notifier:
    runs-on: ubuntu-latest
    steps:
      - name: Notify
        if: failure()
        uses: dfds/shared-workflows/.github/actions/automation-slack-notifier@master
        with:
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
          slack_message: 'Hmm something is wrong'
```
## Compliance
### Checkov Github Actions Step
_This is an action_
A GitHub Action step that runs Checkov against a Terraform plan file. Policies are defined in the dfds/iac-terraform-policies repository.
How to invoke this action:
```yaml
name: Checkov Github Actions Step
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  run_tfplan_and_validate:
    runs-on: ubuntu-latest
    name: A job to call the shared workflow
    steps:
      - uses: actions/checkout@v3
      - name: Terraform Plan and validate
        run: |
          cd terraform
          terraform init
          terraform plan -out tfplan
          terraform show -json tfplan > ../tfplan.json
      - uses: dfds/shared-workflows/.github/actions/compliance-checkov-tfplan@master
        with:
          tf-policy-repo-token: ${{ secrets.GH_REPO_READ_IAC_TERRAFORM_POLICIES }}
```
## Security
### Gitleaks
_This is a workflow_
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys and tokens in git repositories. You have to add a GITLEAKS_LICENSE secret to your repository; it does not work with organization secrets. The license key is stored in 1Password.
[Marketplace](https://github.com/marketplace/actions/gitleaks)
How to invoke this workflow:
```yaml
name: Gitleaks
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-gitleaks.yml@master
    secrets: inherit
```
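To show what the Gitleaks check is doing on every pull request, here is an added example of the same kind of detection in miniature: regex rules whose capture is filtered by Shannon entropy so that placeholders such as `changeme` are not reported, plus the inline `gitleaks:allow` marker that gitleaks honours for known false positives. This is illustration code written for this page, not the Gitleaks tool or the dfds workflow; the rules, thresholds and sample lines are constructed, and the `AKIA...` value is the placeholder access key AWS uses in its own documentation, not a live credential.

```python
import math
import re

# Detection rules in the spirit of a gitleaks ruleset: rule id, regex whose first
# group captures the candidate secret, and a minimum Shannon entropy (bits/char)
# the capture must reach before it is reported, to cut obvious placeholders.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("github-pat", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), 3.0),
    (
        "generic-assignment",
        re.compile(r"(?i)(?:password|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
        3.0,
    ),
]


def shannon_entropy(s):
    """Entropy in bits per character; random-looking credentials score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Never echo the full secret into CI logs; keep just enough to locate it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "*" * len(secret)


def scan_lines(lines, path="<input>"):
    """Scan text lines and return the findings a PR status check would report."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "gitleaks:allow" in line:  # inline allow-list marker gitleaks honours
            continue
        for rule_id, pattern, min_entropy in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if shannon_entropy(candidate) < min_entropy:
                    continue
                findings.append(
                    {"rule": rule_id, "file": path, "line": lineno, "secret": redact(candidate)}
                )
    return findings


def has_leaks(lines, path="<input>"):
    """True when the check should fail the pull request."""
    return bool(scan_lines(lines, path))


# Constructed sample lines (not real credentials); the AKIA value is the
# placeholder key from AWS's own documentation.
SAMPLE_LINES = [
    'region = "eu-west-1"',
    'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "changeme"',
    'api_key = "q7Zr2vL9pX3kWn8fT4yH"',
    'token = "abcdefghijklmnop"  # gitleaks:allow',
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES, "config.tf"):
        print(finding)
```

Run against the sample, the scanner reports the access key on line 2 and the high-entropy `api_key` on line 4; `changeme` is dropped by the entropy floor and the allow-listed token on line 5 is skipped. Note that findings carry a redacted value only: a check that prints the full secret into a public Actions log has leaked it a second time.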
### Run Trivy IAC with Quality Gate
_This is a workflow_
This workflow runs the Trivy IaC check and blocks if High or Critical issues are found.
[Marketplace](https://github.com/marketplace/actions/run-trivy-iac-check)
How to invoke this workflow:
```yaml
name: Run Trivy IAC with Quality GAte
on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-trivy-iac-check.yaml@master
```
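The "block on High or Critical" rule is the whole quality gate, so it is worth seeing it spelled out. The following is an added example, not code from dfds/shared-workflows or from Trivy: it reads a Trivy JSON report and returns a pass/fail verdict plus the findings that caused it. The embedded report is a constructed sample shaped like `trivy config --format json` output (the `Results`, `Misconfigurations`, `Severity` and `Status` field names are an assumption about that format, and the check IDs are placeholders, not real Trivy/AVD IDs).

```python
import json
import sys

# Severities that make the gate fail, as in the shared workflow's description.
BLOCKING_SEVERITIES = frozenset({"HIGH", "CRITICAL"})


def quality_gate(report_json, blocking=BLOCKING_SEVERITIES):
    """Evaluate a Trivy JSON report (string) against the gate.

    Returns (passed, blocking_findings). Only misconfigurations with Status FAIL
    count; PASS entries (present when non-failures are included) are ignored.
    """
    report = json.loads(report_json)
    blocking_findings = []
    for result in report.get("Results") or []:
        for misconf in result.get("Misconfigurations") or []:
            if misconf.get("Status", "FAIL") != "FAIL":
                continue
            severity = str(misconf.get("Severity", "UNKNOWN")).upper()
            if severity in blocking:
                blocking_findings.append(
                    {
                        "target": result.get("Target"),
                        "id": misconf.get("ID"),
                        "severity": severity,
                        "title": misconf.get("Title"),
                    }
                )
    return (not blocking_findings, blocking_findings)


# Constructed sample shaped like `trivy config --format json` output; the IDs are
# placeholders, not real Trivy/AVD check IDs.
SAMPLE_REPORT = json.dumps(
    {
        "SchemaVersion": 2,
        "Results": [
            {
                "Target": "main.tf",
                "Type": "terraform",
                "Misconfigurations": [
                    {"ID": "EXAMPLE-0001", "Title": "Bucket allows public ACLs", "Severity": "HIGH", "Status": "FAIL"},
                    {"ID": "EXAMPLE-0002", "Title": "Bucket has no access logging", "Severity": "LOW", "Status": "FAIL"},
                    {"ID": "EXAMPLE-0003", "Title": "Bucket lacks versioning", "Severity": "CRITICAL", "Status": "PASS"},
                ],
            },
            {"Target": "variables.tf", "Type": "terraform"},
        ],
    }
)


def main(argv):
    """CLI entry: read the report path from argv (default: the sample) and return 1 on failure."""
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, findings = quality_gate(report_json)
    for f in findings:
        print(f"{f['severity']:<8} {f['target']}: {f['id']} {f['title']}")
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample the gate fails on the single High finding: the Low finding is below the threshold and the Critical entry is a PASS, so neither counts. Trivy itself can enforce the same rule with `--severity HIGH,CRITICAL --exit-code 1`; parsing the JSON as above is what you need when the findings should also be surfaced on the pull request rather than only failing the job.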