https://github.com/jawaracloud/composite-workflows

This repository contains a collection of GitHub Action Workflows Composite for various purposes. Feel free to explore and use these scripts as needed.
ci-cd cicd devops github github-actions

# GitHub Actions Composite Workflows

A curated collection of production-ready, reusable GitHub Actions composite workflows designed with **Developer Experience (DevEx)** at the core — because internal tools deserve the same UX obsession as your consumer product.

Every workflow is:
- **Plug-and-play**: Sensible, safe defaults — works from the first `with:` block
- **Configurable**: Progressive disclosure — simple things are simple, complex things are possible
- **Transparent**: Rich `::notice::`, `::warning::`, and `::error::` annotations in the GitHub Actions UI
- **Safe**: Dry-run modes, opt-in destructive operations, and automatic rollback where relevant
- **Debuggable**: `debug: 'true'` enables `set -x` in any workflow

---

## Available Workflows

| Workflow | Purpose | When to use |
|---|---|---|
| [**build-push-image**](./build-push-image) | Multi-arch image build (Buildah) + push to any registry | You need to build a container image |
| [**deploy-docker**](./deploy-docker) | SSH → `docker compose` rolling deploy + health check + rollback | You deploy to VMs/bare metal |
| [**k8s-deploy**](./k8s-deploy) | `kubectl apply` manifests + rollout verification | You deploy raw manifests to Kubernetes |
| [**helm-deploy**](./helm-deploy) | Helm upgrade + atomic rollback | You use Helm charts |
| [**terraform**](./terraform) | Terraform plan / apply / destroy with workspace support | You manage infrastructure with Terraform |
| [**security-scan**](./security-scan) | Trivy scan — container images and IaC | You want to scan **images or configs** |
| [**osv-scanner**](./osv-scanner) | OSV-Scanner — source code dependency scan | You want to scan **lockfiles or SBOMs** |
| [**semver-bump**](./semver-bump) | Conventional-commit version bumping | You need automated versioning |
| [**slack-notify**](./slack-notify) | Color-coded Slack notifications via webhook | You want deploy/build notifications |

---

## Which security scanner should I use?

| | `security-scan` (Trivy) | `osv-scanner` |
|---|---|---|
| **Scans** | Container images, filesystems, IaC configs | Lockfiles, directories, SBOMs |
| **Language** | Any (scans the image layer) | Go, Node, Python, Rust, Java, etc. |
| **Best for** | Post-build image scanning | Pre-build CI dependency gate |
| **SARIF support** | ✅ | ✅ |

Use **both** for defense-in-depth coverage.
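The two-stage gate this table implies, as an added example that is not part of the repository's own docs: `osv-scanner` runs on the lockfiles before anything is built, and the image is only built and Trivy-scanned once that gate passes. Both results are uploaded to GitHub code scanning under separate categories. The `scan_path` and `sarif_file` inputs are assumed names; `checkout`, `scan_type`, `image_ref` and the build inputs are the ones shown elsewhere in this README.

```yaml
name: Dependency and image scan gates
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write          # OIDC for build-push-image
  security-events: write   # required by upload-sarif

jobs:
  deps:
    # Pre-build gate: a vulnerable lockfile fails the PR before any image exists.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jawaracloud/composite-workflows/osv-scanner@main
        with:
          checkout: 'false'
          # Assumed input names; the action's own README is authoritative.
          scan_path: .
          sarif_file: osv.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()            # keep the findings even when the gate failed the job
        with:
          sarif_file: osv.sarif
          category: osv-scanner # one category per tool, or uploads overwrite each other

  image:
    needs: deps                 # nothing is built or pushed if the dependency gate fails
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: build
        uses: jawaracloud/composite-workflows/build-push-image@main
        with:
          img_name: api
          ecr_registry: ${{ secrets.ECR_REGISTRY }}
          aws_region: ap-southeast-1
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          checkout: 'false'
      - uses: jawaracloud/composite-workflows/security-scan@main
        with:
          scan_type: image
          image_ref: ${{ steps.build.outputs.image_tag }}
          sarif_file: trivy.sarif # assumed input name
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy.sarif
          category: trivy-image
```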

---

## Universal Debug Mode

Every workflow supports `debug: 'true'` to enable `set -x` shell tracing across all steps:

```yaml
- uses: jawaracloud/composite-workflows/k8s-deploy@main
  with:
    kube_config: ${{ secrets.KUBE_CONFIG }}
    deployment_name: api
    debug: 'true' # ← see exactly what's running
```

---

## Shared DevEx Design Principles

**Safe defaults everywhere:**
- `auto_approve: false` in `terraform` — plan without applying
- `commit_and_push: false` in `semver-bump` — calculate version without touching git
- `dry_run: false` in k8s/helm/semver — always opt-in to real changes

**Checkout toggle to avoid double-checkout:**
```yaml
- uses: actions/checkout@v4

- uses: jawaracloud/composite-workflows/terraform@main
  with:
    checkout: 'false' # already done above
```

**`image_tag` override to decouple from `VERSIONS` file:**
```yaml
# build-push-image and deploy-docker both accept:
image_tag: ${{ steps.build.outputs.image_tag }}
```

---

## Complete CI/CD Pipeline Example

```yaml
name: CI/CD Pipeline
on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write # semver-bump pushes a commit and tag with GITHUB_TOKEN; read-only would 403
    outputs:
      image_tag: ${{ steps.build.outputs.image_tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Bump version
        id: bump
        uses: jawaracloud/composite-workflows/semver-bump@main
        with:
          push_tag: 'true'
          commit_and_push: 'true'
          checkout: 'false'

      - name: Build & push image
        id: build
        uses: jawaracloud/composite-workflows/build-push-image@main
        with:
          img_name: api
          ecr_registry: ${{ secrets.ECR_REGISTRY }}
          aws_region: ap-southeast-1
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          checkout: 'false'

      - name: Scan image
        uses: jawaracloud/composite-workflows/security-scan@main
        with:
          scan_type: image
          image_ref: ${{ steps.build.outputs.image_tag }}

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Kubernetes
        id: deploy
        uses: jawaracloud/composite-workflows/k8s-deploy@main
        with:
          kube_config: ${{ secrets.KUBE_CONFIG }}
          namespace: production
          deployment_name: api
          container_name: api
          image_tag: ${{ needs.build.outputs.image_tag }}

      - name: Notify Slack
        if: always()
        uses: jawaracloud/composite-workflows/slack-notify@main
        with:
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
          status: ${{ job.status }}
          message: 'Deploy ${{ job.status }} — ${{ needs.build.outputs.image_tag }}'
          commit_sha: ${{ github.sha }}
          repo: ${{ github.repository }}
          workflow_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
```

---

## Required Secrets Reference

| Workflow | Secrets needed |
|---|---|
| `build-push-image` | `ECR_REGISTRY`, `AWS_ROLE_ARN` |
| `deploy-docker` | `SSH_KEY`, `SSH_HOST`, `ECR_REGISTRY` |
| `k8s-deploy` | `KUBE_CONFIG` |
| `helm-deploy` | `KUBE_CONFIG` |
| `terraform` | Cloud provider credentials (OIDC recommended) |
| `slack-notify` | `SLACK_WEBHOOK_URL` |

---

## Contributing

Each workflow lives in its own directory:
```
/
├── action.yaml # composite action definition
└── README.md # full documentation with quick start + examples
```

To add a workflow: create a directory, add `action.yaml` and `README.md` following the existing patterns, then update this README.
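A minimal `action.yaml` that follows the shared conventions above (the `checkout` toggle and the `debug: 'true'` → `set -x` mode), added here as an illustration and not a file from this repository. The `target` input, the `result` output and the step body are assumptions; the point is that caller-supplied inputs are passed into the shell via `env:` rather than interpolated with `${{ }}` inside `run`, so a crafted input value cannot become shell code.

```yaml
# action.yaml (illustrative skeleton, not the repository's own)
name: example-step
description: Composite action using the shared checkout/debug conventions
inputs:
  checkout:
    description: Set to 'false' when the caller already ran actions/checkout
    default: 'true'
  debug:
    description: Set to 'true' to enable set -x tracing
    default: 'false'
  target:
    description: Caller-supplied value (assumed input), e.g. a deployment name
    required: true
outputs:
  result:
    description: Example output (assumed)
    value: ${{ steps.run.outputs.result }}
runs:
  using: composite
  steps:
    - if: ${{ inputs.checkout == 'true' }}
      uses: actions/checkout@v4

    - id: run
      shell: bash
      # Inputs reach the script as environment variables; never write
      # ${{ inputs.target }} inside `run`, where it is spliced in as code.
      env:
        DEBUG: ${{ inputs.debug }}
        TARGET: ${{ inputs.target }}
      run: |
        set -euo pipefail
        if [ "$DEBUG" = "true" ]; then set -x; fi
        # Reject anything outside a conservative allow-list before using it.
        case "$TARGET" in
          *[!A-Za-z0-9._-]*) echo "::error::invalid target '$TARGET'"; exit 1 ;;
        esac
        echo "::notice::processing $TARGET"
        echo "result=ok" >> "$GITHUB_OUTPUT"
```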

---

MIT License — Maintained by **Jawara Cloud**