https://github.com/harisekhon/github-actions
GitHub Actions Reusable Workflows and Master Template
checkov ci-cd ci-cd-pipeline cicd github github-actions github-actions-ci hacktoberfest jenkins jenkinsfile library semgrep tfsec tfsec-checks validation validation-library validations
Last synced: 15 days ago
- Host: GitHub
- URL: https://github.com/harisekhon/github-actions
- Owner: HariSekhon
- License: mit
- Created: 2022-01-17T12:27:41.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2024-09-04T15:18:10.000Z (10 months ago)
- Last Synced: 2024-09-05T21:23:21.483Z (10 months ago)
- Topics: checkov, ci-cd, ci-cd-pipeline, cicd, github, github-actions, github-actions-ci, hacktoberfest, jenkins, jenkinsfile, library, semgrep, tfsec, tfsec-checks, validation, validation-library, validations
- Language: Shell
- Homepage: https://www.linkedin.com/in/HariSekhon
- Size: 944 KB
- Stars: 38
- Watchers: 3
- Forks: 12
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# GitHub Actions
GitHub Actions master template & GitHub Actions Reusable Workflows library.
- [main.yaml](https://github.com/HariSekhon/GitHub-Actions/blob/master/main.yaml) - GitHub Actions master workflow template
- [.github/workflows/](https://github.com/HariSekhon/GitHub-Actions/tree/master/.github/workflows) - GitHub Actions Reusable Workflows Library

See [Documentation](https://docs.github.com/en/actions/using-workflows/reusing-workflows#calling-a-reusable-workflow) for how to call these workflows directly from your own GitHub Actions workflow.
Fork this repo to have full control over all updates via Pull Requests.
Create environment branches to stage updates across dev / staging / production.

Forked from [HariSekhon/Templates](https://github.com/HariSekhon/Templates), for which this is now a submodule.
To see GitHub Contexts available, including undocumented fields, see [HariSekhon/GitHub-Actions-Contexts](https://github.com/HariSekhon/GitHub-Actions-Contexts).
## Examples
In your GitHub repo, import these workflows by adding small yaml files to the `.github/workflows/` directory.
These are slightly simplified for clarity; see the [.github/workflows/README.md](.github/workflows/README.md) for a
few more details like only running when relevant files have changed.

- [Lint YAML](#lint-yaml)
- [Lint JSON](#lint-json)
- [Lint XML](#lint-xml)
- [Lint Bash / Shell Scripts](#lint-bash--shell-scripts)
- [Lint Python](#lint-python)
  - [PyLint](#pylint)
  - [Flake8](#flake8)
- [Lint README / Markdown documentation](#lint-readme--markdown-documentation)
- [Lint GitHub CODEOWNERS](#lint-github-codeowners)
- [Security - Scan for Secrets and issues](#security---scan-for-secrets-and-issues)
  - [SonarCloud](#sonarcloud)
  - [Semgrep Local](#semgrep-local)
  - [Semgrep Cloud](#semgrep-cloud)
  - [Trivy Filesystem Scan](#trivy-filesystem-scan)
  - [Trivy Docker Image Scan](#trivy-docker-image-scan)
  - [Grype Filesystem Scan](#grype-filesystem-scan)
- [Analyze your Terraform code security & best practices](#analyze-your-terraform-code-security--best-practices)
  - [tfsec](#tfsec)
  - [tflint](#tflint)
  - [Checkov](#checkov)
- [Terraform Plan & Apply](#terraform-plan--apply)
- [Lint Ansible Playbooks](#lint-ansible-playbooks)
- [Lint Packer HCL](#lint-packer-hcl)
- [Lint Redhat Kickstart](#lint-redhat-kickstart)
- [Lint Debian Preseed](#lint-debian-preseed)
- [Lint Ubuntu AutoInstaller Cloud Init](#lint-ubuntu-autoinstaller-cloud-init)
- [Lint Jenkinsfiles](#lint-jenkinsfiles)
- [Lint Groovy](#lint-groovy)
- [Lint Javascript](#lint-javascript)
- [Docker Build and push to DockerHub](#docker-build-and-push-to-dockerhub)
- [Docker Build and push to AWS ECR](#docker-build-and-push-to-aws-ecr)
- [Docker Build and push to multiple registries](#docker-build-and-push-to-multiple-registries)
- [Check for Broken URL Links](#check-for-broken-url-links)
- [Auto-Merge Production hotfixes back to Staging](#auto-merge-production-hotfixes-back-to-staging)
- [Mirror Repos to GitLab for DR Backups](#mirror-repos-to-gitlab-for-dr-backups)
- [AWS CodeArtifact - Publish a Python Package](#aws-codeartifact---publish-a-python-package)
- [Kubernetes - Pluto - Check for Outdated APIs](#kubernetes---pluto---check-for-outdated-apis)
- [Kubernetes - Polaris - Security & Best Practices Check](#kubernetes---polaris---security--best-practices-check)
- [Production](#production)
  - [Option 1 - Hashref](#option-1---hashref)
  - [Option 2 - Public Fork (fully automated)](#option-2---public-fork-fully-automated)
  - [Option 3 - Private Copy (manual)](#option-3---private-copy-manual)
- [Star History](#star-history)
- [More Core Repos](#more-core-repos)
  - [Knowledge](#knowledge)
  - [DevOps Code](#devops-code)
  - [Containerization](#containerization)
  - [CI/CD](#cicd)
  - [DBA - SQL](#dba---sql)
  - [DevOps Reloaded](#devops-reloaded)
  - [Templates](#templates)
  - [Misc](#misc)

## Lint YAML
Finds all YAML in your repo and lints it.
Copy this into `.github/workflows/yaml.yaml`:
```yaml
on: [push]
jobs:
  check_yaml:
    uses: HariSekhon/GitHub-Actions/.github/workflows/yaml.yaml@master
```

## Lint JSON
Finds all JSON in your repo and lints it.
Copy this into `.github/workflows/json.yaml`:
```yaml
on: [push]
jobs:
  check_json:
    uses: HariSekhon/GitHub-Actions/.github/workflows/json.yaml@master
```

## Lint XML
Finds all XML in your repo and lints it.
Copy this into `.github/workflows/xml.yaml`:
```yaml
on: [push]
jobs:
  check_xml:
    uses: HariSekhon/GitHub-Actions/.github/workflows/xml.yaml@master
```

## Lint Bash / Shell Scripts
Finds all `*.sh` scripts in your repo and lints them.
Copy this into `.github/workflows/shellcheck.yaml`:
```yaml
on: [push]
jobs:
  shellcheck:
    uses: HariSekhon/GitHub-Actions/.github/workflows/shellcheck.yaml@master
```

## Lint Python
### PyLint
Finds all `*.py` code in your repo and lints it.
Copy this into `.github/workflows/pylint.yaml`:
```yaml
on: [push]
jobs:
  pylint:
    uses: HariSekhon/GitHub-Actions/.github/workflows/pylint.yaml@master
```

### Flake8
Finds all `*.py` code in your repo and lints it.
Copy this into `.github/workflows/flake8.yaml`:
```yaml
on: [push]
jobs:
  flake8:
    uses: HariSekhon/GitHub-Actions/.github/workflows/flake8.yaml@master
```

## Lint README / Markdown documentation
Finds all markdown files in your repo and lints them.
Copy this into `.github/workflows/markdown.yaml`:
```yaml
on: [push]
jobs:
  check_markdown:
    uses: HariSekhon/GitHub-Actions/.github/workflows/markdown.yaml@master
```

## Lint GitHub CODEOWNERS
Lints the GitHub `CODEOWNERS` / `.github/CODEOWNERS` files.
Copy this into `.github/workflows/codeowners.yaml`:
```yaml
on: [push]
jobs:
  check_codeowners:
    uses: HariSekhon/GitHub-Actions/.github/workflows/codeowners.yaml@master
```

## Security - Scan for Secrets and issues
### SonarCloud
```yaml
on: [push]
jobs:
  SonarCloud:
    name: SonarCloud
    uses: HariSekhon/GitHub-Actions/.github/workflows/sonarcloud.yaml@master
    secrets:
      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
Alerts for this workflow appear in the SonarCloud dashboard at:
The badge will go red only if the workflow fails to run and publish to SonarCloud, regardless of whether there are any alerts.
You must check the dashboard.

### Semgrep Local
Create `.github/workflows/semgrep.yaml` containing:
```yaml
on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep.yaml@master
```
Alerts for this workflow appear under the GitHub repo's `Security` tab -> `Code scanning alerts`.
The badge will go red if there are any alerts.
### Semgrep Cloud
Create `.github/workflows/semgrep-cloud.yaml` containing:
```yaml
on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep-cloud.yaml@master
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
Alerts for this workflow appear in the Semgrep dashboard at:
The badge will go red only if the workflow fails to run and publish to Semgrep Cloud, regardless of whether there are any alerts.
You must check the dashboard.

### Trivy Filesystem Scan
Alerts for this workflow appear under the GitHub repo's `Security` tab -> `Code scanning alerts`.
```yaml
on: [push]
jobs:
  trivy:
    uses: HariSekhon/GitHub-Actions/.github/workflows/trivy.yaml@master
```

### Trivy Docker Image Scan
Alerts for this workflow appear under the GitHub repo's `Security` tab -> `Code scanning alerts`.
```yaml
on: [push]
jobs:
  trivy:
    uses: HariSekhon/GitHub-Actions/.github/workflows/trivy_image.yaml@master
    with:
      docker_image: harisekhon/bash-tools
      severity: ''
```

### Grype Filesystem Scan
Alerts for this workflow appear under the GitHub repo's `Security` tab -> `Code scanning alerts`.
```yaml
on: [push]
jobs:
  grype:
    uses: HariSekhon/GitHub-Actions/.github/workflows/grype.yaml@master
```

## Analyze your Terraform code security & best practices
### tfsec
Alerts appear under `Security` -> `Code scanning alerts`.
Create `.github/workflows/tfsec.yaml` containing:
```yaml
on: [push]
jobs:
  tfsec:
    uses: HariSekhon/GitHub-Actions/.github/workflows/tfsec.yaml@master
```

### tflint
Create `.github/workflows/tflint.yaml` containing:
```yaml
on: [push]
jobs:
  tflint:
    uses: HariSekhon/GitHub-Actions/.github/workflows/tflint.yaml@master
```

### Checkov
Alerts appear under `Security` -> `Code scanning alerts`.
Create `.github/workflows/checkov.yaml` containing:
```yaml
on: [push]
jobs:
  checkov:
    uses: HariSekhon/GitHub-Actions/.github/workflows/checkov.yaml@master
```

## Terraform Plan & Apply
- Plans - updates Pull Requests with the results of validation, format check and full Change Plan outputs
- Apply - applies when merged to default branch, eg. `master` or `main`

```yaml
on: [push, pull_request]
jobs:
  terraform:
    uses: HariSekhon/GitHub-Actions/.github/workflows/terraform.yaml@master
    with:
      dir: path/to/terraform/code
    secrets:
      ...
```
For more sophisticated examples including approvals, secrets, branch and path selection etc. see my
[Terraform repo](https://github.com/HariSekhon/Terraform)'s templates for
[terraform-plan.yaml](https://github.com/HariSekhon/Terraform/blob/master/.github/workflows/terraform-plan.yaml.template) and
[terraform-apply.yaml](https://github.com/HariSekhon/Terraform/blob/master/.github/workflows/terraform-apply.yaml.template).

## Lint Ansible Playbooks
Finds all Ansible `playbook.y*ml` in your repo and lints them.
Copy this into `.github/workflows/ansible-playbook-syntax.yaml`:
```yaml
on: [push]
jobs:
  check_ansible_playbook_syntax:
    uses: HariSekhon/GitHub-Actions/.github/workflows/ansible-playbook-syntax.yaml@master
```

## Lint Packer HCL
Finds all `*.pkr.hcl` Packer code in your repo and lints them.
Copy this into `.github/workflows/packer.yaml`:
```yaml
on: [push]
jobs:
  check_packer_hcl:
    uses: HariSekhon/GitHub-Actions/.github/workflows/packer.yaml@master
```

## Lint Redhat Kickstart
Lints Redhat Kickstart automated installer files.
Copy this into `.github/workflows/kickstart.yaml`:
```yaml
on: [push]
jobs:
  check_kickstart:
    uses: HariSekhon/GitHub-Actions/.github/workflows/kickstart.yaml@master
    with:
      files: installers/anaconda-ks.cfg
```

## Lint Debian Preseed
Lints Debian Preseed automated installer files.
Copy this into `.github/workflows/preseed.yaml`:
```yaml
on: [push]
jobs:
  check_preseed:
    uses: HariSekhon/GitHub-Actions/.github/workflows/preseed.yaml@master
    with:
      files: installers/preseed.cfg
```

## Lint Ubuntu AutoInstaller Cloud Init
Lints Ubuntu AutoInstaller Cloud Init automated installer files.
Copy this into `.github/workflows/autoinstall-user-data.yaml`:
```yaml
on: [push]
jobs:
  check_cloudinit:
    uses: HariSekhon/GitHub-Actions/.github/workflows/autoinstall-user-data.yaml@master
    with:
      files: installers/autoinstall-user-data
```

## Lint Jenkinsfiles
Finds all files named `Jenkinsfile` in the repo and lints them using a live Jenkins in docker.
Create `.github/workflows/jenkinsfile.yaml`:
```yaml
on: [push]
jobs:
  jenkinsfile:
    uses: HariSekhon/GitHub-Actions/.github/workflows/jenkinsfile.yaml@master
```

## Lint Groovy
Finds all Groovy files named `*.groovy` in the repo and lints them using `groovyc`.
This is a basic check but good for a Jenkins Groovy Shared Library.
Create `.github/workflows/groovyc.yaml`:
```yaml
on: [push]
jobs:
  check_groovyc:
    uses: HariSekhon/GitHub-Actions/.github/workflows/groovyc.yaml@master
```

## Lint Javascript
Finds all Javascript files named `*.js` in the repo and lints them using `eslint`.
Create `.github/workflows/eslint.yaml`:
```yaml
on: [push]
jobs:
  check_eslint:
    uses: HariSekhon/GitHub-Actions/.github/workflows/eslint.yaml@master
```

## Docker Build and push to DockerHub
Create `.github/workflows/dockerhub_build.yaml`:
```yaml
on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/dockerhub_build.yaml@master
    with:
      repo: user/repo # your DockerHub user/repo
      tags: latest v1.1
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```

## Docker Build and push to AWS ECR
Create `.github/workflows/docker_build_aws_ecr.yaml`:
```yaml
on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build_aws_ecr.yaml@master
    with:
      repo: MY_ECR_REPO
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
```
Creates several useful tags, supports multi-stage build caching, see [README](https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/README.md) for details.
## Docker Build and push to multiple registries
Supports building + pushing to any combination of the following, just add the relevant secrets, see [docker_build.yaml](https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/docker_build.yaml) for details:
- ACR - Azure Container Registry
- ECR - AWS Elastic Container Registry
- GCR - Google Container Registry
- GAR - Google Artifact Registry
- GHCR - GitHub Container Registry
- GitLab Registry
- Quay.io Registry
- DockerHub

Create `.github/workflows/docker_build.yaml`:
```yaml
on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build.yaml@master
    with:
      repo_tags: |
        harisekhon/bash-tools:latest
        ghcr.io/harisekhon/bash-tools:latest
      context: devops-bash-tools-ubuntu # path to dir containing the source and Dockerfile
    # GHCR uses the local github.token, for other registries, add secrets, see docker_build.yaml for details
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
```

## Check for Broken URL Links
Create `.github/workflows/url_links.yaml`:
```yaml
on: [push]
jobs:
  url_links:
    uses: HariSekhon/GitHub-Actions/.github/workflows/url_links.yaml@master
```
See [README](https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/README.md) for details on ignoring inaccessible / partially constructed links or those containing variables.
## Auto-Merge Production hotfixes back to Staging
Merges via a Pull Request for full auditing.
Create `.github/workflows/merge_production_to_staging.yaml`:
```yaml
on: [push]
jobs:
  merge:
    if: github.ref_name == 'production'
    uses: HariSekhon/GitHub-Actions/.github/workflows/merge-branch.yaml@master
    with:
      head: production # from
      base: staging # to
```

## Mirror Repos to GitLab for DR Backups
Mirrors all/given GitHub repos to GitLab - including all branches and tags, and GitHub repo description
```yaml
on:
  schedule:
    # mirror to GitLab daily at midnight UTC
    - cron: '0 0 * * *'
jobs:
  gitlab_mirror:
    uses: HariSekhon/GitHub-Actions/.github/workflows/gitlab-mirror.yaml@master
    with:
      #organization: my-org # optional: mirror your company's repos instead of your personal repos
      #repos: repo1 repo2 ... # list of repos to mirror, space separated, rather than all repos
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
```

## AWS CodeArtifact - Publish a Python Package
```yaml
on:
  push:
    # tag filters belong under the push event
    tags:
      - v*
jobs:
  aws_codeartifact_python_publish:
    uses: HariSekhon/GitHub-Actions/.github/workflows/codeartifact_python_publish.yaml@master
    with:
      domain: mycompany # your AWS CodeArtifact service domain name
      repo: mycompany-core # your CodeArtifact repo name
      #command: make publish_package # default. Can be any command using CODEARTIFACT_AUTH_TOKEN and CODEARTIFACT_REPO_URL
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
```

## Kubernetes - Pluto - Check for Outdated APIs
Checks all Kubernetes YAML files for outdated API objects using Pluto.
Create `.github/workflows/pluto.yaml`:
```yaml
on: [push]
jobs:
  pluto:
    uses: HariSekhon/GitHub-Actions/.github/workflows/pluto.yaml@master
```

## Kubernetes - Polaris - Security & Best Practices Check
Checks all Kubernetes YAML files for security issues and best practices.
Polaris currently fails on very advanced patches such as found in my
[Kubernetes-configs](https://github.com/HariSekhon/Kubernetes-configs) repo.

Create `.github/workflows/polaris.yaml`:
```yaml
on: [push]
jobs:
  polaris:
    uses: HariSekhon/GitHub-Actions/.github/workflows/polaris.yaml@master
```

## Production
### Option 1 - Hashref
Import the reusable workflows from this repo as shown above, replacing `@master` with `@<hashref>` to fix to an immutable version (tags are not immutable). This is [GitHub Actions Security Best Practice](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
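
A check for the hashref pinning described above, as an added example (not code from this repo): it scans workflow text for `uses:` references, both the job-level reusable workflows shown on this page and step-level actions, and reports any that are not pinned to a full 40-character commit SHA. The function names, the sample workflow and the SHA in it are constructed for illustration.

```python
import pathlib
import re
import sys

# `uses: <ref>` at job level (reusable workflow) or step level (`- uses:`),
# optionally quoted and followed by a `# comment`. Commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)

# Constructed sample: one caller left on @master, one pinned to a made-up SHA
# (a placeholder, not a real commit), plus step-level actions.
SAMPLE = """\
on: [push]
jobs:
  check_yaml:
    uses: HariSekhon/GitHub-Actions/.github/workflows/yaml.yaml@master
  check_json:
    uses: HariSekhon/GitHub-Actions/.github/workflows/json.yaml@0123456789abcdef0123456789abcdef01234567  # constructed SHA
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""


def classify(ref):
    """Return None if `ref` is acceptably pinned, else a short reason string."""
    if ref.startswith("./"):
        return None  # same-repo path: versioned together with the caller
    if ref.startswith("docker://"):
        return None if "@sha256:" in ref else "docker image not pinned by digest"
    _target, sep, version = ref.partition("@")
    if not sep or not version:
        return "no version given"
    if FULL_SHA_RE.fullmatch(version):
        return None
    return "ref '%s' is not a full 40-hex commit SHA" % version


def audit_workflow(text):
    """Return [(line_number, ref, reason)] for every unpinned `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reason = classify(match.group(1))
        if reason:
            findings.append((lineno, match.group(1), reason))
    return findings


def main(paths):
    """Audit the given workflow files (or SAMPLE if none); return an exit code."""
    sources = [(p, pathlib.Path(p).read_text(encoding="utf-8")) for p in paths]
    sources = sources or [("SAMPLE", SAMPLE)]
    bad = 0
    for name, text in sources:
        for lineno, ref, reason in audit_workflow(text):
            print("%s:%d: %s: %s" % (name, lineno, ref, reason))
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over `.github/workflows/*.yaml` in CI or a pre-commit hook; a non-zero exit means at least one reference still follows a branch or tag.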
### Option 2 - Public Fork (fully automated)
Fork this repo for more control and visibility over all updates.
Enable the [fork-sync](https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/fork-sync.yaml) GitHub Actions workflow in your fork to keep the master branch synced every few hours.
You can then create tags or environment branches in your forked repo to stage updates across dev/staging/production.
If using environment branches, enable the [fork-update-pr](https://github.com/HariSekhon/GitHub-Actions/blob/master/.github/workflows/fork-update-pr.yaml) GitHub Actions workflow to automatically raise GitHub Pull Requests from master to your environment branches to audit, authorize & control updates.
### Option 3 - Private Copy (manual)
Copy `.github/workflows` to a private repo. Not recommended as it's the most manual legacy approach.
You will be responsible for committing and reconciling any divergences in your local copies.
## Star History
[Star history chart on star-history.com](https://star-history.com/#HariSekhon/GitHub-Actions&Date)
## More Core Repos
### Knowledge
- [Knowledge-Base](https://github.com/HariSekhon/Knowledge-Base)
- [Diagrams-as-Code](https://github.com/HariSekhon/Diagrams-as-Code)

### DevOps Code
- [DevOps-Bash-tools](https://github.com/HariSekhon/DevOps-Bash-tools)
- [DevOps-Python-tools](https://github.com/HariSekhon/DevOps-Python-tools)
- [DevOps-Perl-tools](https://github.com/HariSekhon/DevOps-Perl-tools)
- [DevOps-Golang-tools](https://github.com/HariSekhon/DevOps-Golang-tools)

### Containerization
- [Kubernetes-configs](https://github.com/HariSekhon/Kubernetes-configs)
- [Dockerfiles](https://github.com/HariSekhon/Dockerfiles)

### CI/CD
- [GitHub-Actions](https://github.com/HariSekhon/GitHub-Actions)
- [Jenkins](https://github.com/HariSekhon/Jenkins)

### DBA - SQL
- [SQL-scripts](https://github.com/HariSekhon/SQL-scripts)

### DevOps Reloaded
- [Nagios-Plugins](https://github.com/HariSekhon/Nagios-Plugins)
- [HAProxy-configs](https://github.com/HariSekhon/HAProxy-configs)
- [Terraform](https://github.com/HariSekhon/Terraform)
- [Packer-templates](https://github.com/HariSekhon/Packer-templates)
- [Nagios-Plugin-Kafka](https://github.com/HariSekhon/Nagios-Plugin-Kafka)

### Templates
- [Templates](https://github.com/HariSekhon/Templates)
- [Template-repo](https://github.com/HariSekhon/Template-repo)

### Misc
- [Spotify-tools](https://github.com/HariSekhon/Spotify-tools)
- [Spotify-playlists](https://github.com/HariSekhon/Spotify-playlists)

The rest of my original source repos are
[here](https://github.com/HariSekhon?tab=repositories&q=&type=source&language=&sort=stargazers).

Pre-built Docker images are available on my [DockerHub](https://hub.docker.com/u/harisekhon/).
