https://github.com/openchami/github-actions
Organization Level Github Actions
https://github.com/openchami/github-actions
Last synced: 4 months ago
JSON representation
Organization Level Github Actions
- Host: GitHub
- URL: https://github.com/openchami/github-actions
- Owner: OpenCHAMI
- License: mit
- Created: 2025-08-11T14:33:50.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-08-21T20:42:44.000Z (11 months ago)
- Last Synced: 2025-08-21T21:58:53.987Z (11 months ago)
- Size: 27.3 KB
- Stars: 0
- Watchers: 0
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# GitHub Actions Monorepo for `OpenCHAMI`
Reusable GitHub Actions for CI/CD.
## Structure
- `actions/gpg-ephemeral-key`: Ephemeral key generation for RPM/GPG signing
- `actions/sign-rpm`: RPM signing with ephemeral keys
- `.github/workflows/go-build-release.yml`: Reusable workflow for GoReleaser builds
## Versioning & Usage
Use major version tags for stability:
```yaml
# For actions
- uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
- uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
# For reusable workflows
jobs:
release:
uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3
```
Pin a commit SHA internally for maximum supply‑chain safety if desired.
## Actions and Workflows Overview
### go-build-release (Reusable Workflow)
Standardized GoReleaser workflow for building and releasing Go applications with:
- Multi-architecture builds (linux/amd64, linux/arm64)
- Flexible pre-build setup steps
- Wraps `goreleaser-action` action with all .gorelease.yaml configurations
- Container image builds and publishing
- Binary and container attestation/signing
- Snapshot builds on pull requests
**Usage:**
```yaml
name: GoReleaser
run-name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') && 'Release' || 'Snapshot' }}
on:
workflow_dispatch:
pull_request:
push:
tags:
- v*
jobs:
goreleaser:
name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') && 'Release' || 'Snapshot' }}
uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3
with:
pre-build-commands: |
go install github.com/swaggo/swag/cmd/swag@latest
attestation-binary-path: "dist/cloud-init*"
registry-name: ghcr.io/openchami/cloud-init
```
See the [workflow](.github/workflows/go-build-release.yml) for additional input parameters.
### gpg-ephemeral-key
Generates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated `GNUPGHOME`, signs it with a repo‑scoped subkey you provide, and outputs:
- `ephemeral-fingerprint`
- `ephemeral-public-key` (base64 of armored)
- `gnupg-home` (path for downstream steps)
### sign-rpm
Signs an RPM using a provided GPG fingerprint (works with the ephemeral key output) and exposes signature verification output.
## Security Model
Trust chain: `Ephemeral Key ← Repo Subkey ← Offline Master Key`.
Design principles:
- Ephemeral keys reduce exposure window.
- Repo subkeys are easily revocable & rotated.
- Isolated `GNUPGHOME` avoids polluting runner defaults.
- Optional cleanup to remove secrets post‑sign.
Key expiration limits future signing only; existing signatures remain valid if the trust chain remains intact.
## Example Workflow (Combined)
```yaml
jobs:
build-and-sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Generate ephemeral key
id: gpg
uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
with:
subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
comment: build:${{ github.run_id }}
cleanup: false # keep for subsequent signing
- name: Build RPM
run: ./scripts/build-rpm.sh
- name: Sign RPM
id: sign
uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
with:
rpm-path: dist/my.rpm
gpg-fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}
gnupg-home: ${{ steps.gpg.outputs.gnupg-home }}
- name: (Optional) Cleanup GNUPGHOME
if: always()
run: rm -rf "${{ steps.gpg.outputs.gnupg-home }}"
```
## Continuous Integration
A future CI workflow will:
- Lint action metadata (actionlint)
- Perform a matrix test invoking each action
- Validate RPM signing round‑trip
## Rotation & Revocation
1. Revoke and replace repo subkeys periodically.
2. Update `GPG_SUBKEY_B64` secret.
3. Tag a new release if behavior changes.
## Contributing
- Open issues for feature requests.
- Submit PRs with accompanying test workflow updates.
## License
MIT