GitHub Actions

GitHub Actions master template & GitHub Actions Reusable Workflows library.

main.yaml - GitHub Actions master workflow template
.github/workflows/ - GitHub Actions Reusable Workflows Library

See Documentation for how to call these workflows directly from your own GitHub Actions workflow.

Fork this repo to have full control over all updates via Pull Requests. Create environment branches to stage updates across dev / staging / production.

Forked from HariSekhon/Templates, for which this is now a submodule.

To see GitHub Contexts available, including undocumented fields, see HariSekhon/GitHub-Actions-Contexts.

Examples

In your GitHub repo, import these workflows by adding small yaml files to the .github/workflows/ directory.

These are slightly simplified for clarify, see the .github/workflows/README.md for a few more details like only running when relevant files have changed.

Lint YAML
Lint JSON
Lint XML
Lint Bash / Shell Scripts
Lint Python
- PyLint
- Flake8
Lint README / Markdown documentation
Lint GitHub CODEOWNERS
Security - Scan for Secrets and issues
- Semgrep Local
- Semgrep Cloud
- Trivy Filesystem Scan
- Trivy Docker Image Scan
- Grype Filesystem Scan
Analyze your Terraform code security & best practices
- tfsec
- tflint
- Checkov
Terraform Plan & Apply
Lint Ansible Playbooks
Lint Packer HCL
Lint Redhat Kickstart
Lint Debian Preseed
Lint Ubuntu AutoInstaller Cloud Init
Lint Jenkinsfiles
Lint Groovy
Lint Javascript
Docker Build and push to DockerHub
Docker Build and push to AWS ECR
Docker Build and push to multiple registries
Check for Broken URL Links
Auto-Merge Production hotfixes back to Staging
Mirror Repos to GitLab for DR Backups
AWS CodeArtifact - Publish a Python Package
Kubernetes - Pluto - Check for Outdated APIs
Kubernetes - Polaris - Security & Best Practices Check
Production
- Option 1 - Hashref
- Option 2 - Public Fork (fully automated)
- Option 3 - Private Copy (manual)
Star History
More Core Repos
- Knowledge
- DevOps Code
- Containerization
- CI/CD
- DBA - SQL
- DevOps Reloaded
- Templates
- Misc

Lint YAML

Finds all YAML in your repo and lints it.

Copy this into .github/workflows/yaml.yaml:

on: [push]
jobs:
  check_yaml:
    uses: HariSekhon/GitHub-Actions/.github/workflows/yaml.yaml@master

Lint JSON

Finds all JSON in your repo and lints it.

Copy this into .github/workflows/json.yaml:

on: [push]
jobs:
  check_json:
    uses: HariSekhon/GitHub-Actions/.github/workflows/json.yaml@master

Lint XML

Finds all XML in your repo and lints it.

Copy this into .github/workflows/xml.yaml:

on: [push]
jobs:
  check_xml:
    uses: HariSekhon/GitHub-Actions/.github/workflows/xml.yaml@master

Lint Bash / Shell Scripts

Finds all *.sh scripts in your repo and lints them.

Copy this into .github/workflows/shellcheck.yaml:

on: [push]
jobs:
  shellcheck:
    uses: HariSekhon/GitHub-Actions/.github/workflows/shellcheck.yaml@master

Lint Python

PyLint

Finds all *.py code in your repo and lints it.

Copy this into .github/workflows/pylint.yaml:

on: [push]
jobs:
  pylint:
    uses: HariSekhon/GitHub-Actions/.github/workflows/pylint.yaml@master

Flake8

Finds all *.py code in your repo and lints it.

Copy this into .github/workflows/flake8.yaml:

on: [push]
jobs:
  flake8:
    uses: HariSekhon/GitHub-Actions/.github/workflows/flake8.yaml@master

Lint README / Markdown documentation

Finds all markdown files in your repo and lints them.

Copy this into .github/workflows/markdown.yaml:

on: [push]
jobs:
  check_markdown:
    uses: HariSekhon/GitHub-Actions/.github/workflows/markdown.yaml@master

Lint GitHub CODEOWNERS

Lints the GitHub CODEOWNERS / .github/CODEOWNERS files.

Copy this into .github/workflows/codeowners.yaml:

on: [push]
jobs:
  check_codeowners:
    uses: HariSekhon/GitHub-Actions/.github/workflows/codeowners.yaml@master

Security - Scan for Secrets and issues

Semgrep Local

Create .github/workflows/semgrep.yaml containing:

on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep.yaml@master

Alerts for the above badge appear under the GitHub repo's Security tab -> Code scanning alerts.

The badge will go red if there are any alerts.

Semgrep Cloud

Create .github/workflows/semgrep-cloud.yaml containing:

on: [push]
jobs:
  semgrep:
    uses: HariSekhon/GitHub-Actions/.github/workflows/semgrep-cloud.yaml@master
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}

Alerts for the above badge appears in the Semgrep dashboard at:

https://semgrep.dev

The badge will go red only if failing to run and publish to Semgrep Cloud, whether there are any alerts of not. You must check the dashboard.

Trivy Filesystem Scan

Alerts for the above badge appear under the GitHub repo's Security tab -> Code scanning alerts.

on: [push]
jobs:
  trivy:
    uses: HariSekhon/GitHub-Actions/.github/workflows/trivy.yaml@master

Trivy Docker Image Scan

Alerts for the above badge appear under the GitHub repo's Security tab -> Code scanning alerts.

on: [push]
jobs:
  trivy:
    uses: HariSekhon/GitHub-Actions/.github/workflows/trivy_image.yaml@master
    with:
      docker_image: harisekhon/bash-tools
      severity: ''

Grype Filesystem Scan

Alerts for the above badge appear under the GitHub repo's Security tab -> Code scanning alerts.

on: [push]
jobs:
  grype:
    uses: HariSekhon/GitHub-Actions/.github/workflows/grype.yaml@master

Analyze your Terraform code security & best practices

tfsec

Alerts appear under Security -> Code scanning alerts.

Create .github/workflows/tfsec.yaml containing:

on: [push]
jobs:
  tfsec:
    uses: HariSekhon/GitHub-Actions/.github/workflows/tfsec.yaml@master

tflint

Create .github/workflows/tflint.yaml containing:

on: [push]
jobs:
  tfsec:
    uses: HariSekhon/GitHub-Actions/.github/workflows/tflint.yaml@master

Checkov

Alerts appear under Security -> Code scanning alerts.

Create .github/workflows/checkov.yaml containing:

on: [push]
jobs:
  checkov:
    uses: HariSekhon/GitHub-Actions/.github/workflows/checkov.yaml@master

Terraform Plan & Apply

Plans - updates Pull Requests with the results of validation, format check and full Change Plan outputs

Apply - applies when merged to default branch, eg. master or main

on: [push, pull_request]
jobs:
  terraform:
    uses: HariSekhon/GitHub-Actions/.github/workflows/terraform.yaml@master
    with:
      dir: path/to/terraform/code
    secrets:
      ...

For more sophisticated examples including approvals, secrets, branch and path selection etc. see my Terraform repo's templates for terraform-plan.yaml and terraform-apply.yaml

Lint Ansible Playbooks

Finds all Ansible playbook.y*ml in your repo and lints them.

Copy this into .github/workflows/ansible-playbook-syntax.yaml:

on: [push]
jobs:
  check_ansible_playbook_syntax:
    uses: HariSekhon/GitHub-Actions/.github/workflows/ansible-playbook-syntax.yaml@master

Lint Packer HCL

Finds all *.pkr.hcl Packer code in your repo and lints them.

Copy this into .github/workflows/packer.yaml:

on: [push]
jobs:
  check_packer_hcl:
    uses: HariSekhon/GitHub-Actions/.github/workflows/packer.yaml@master

Lint Redhat Kickstart

Lints Redhat Kickstart automated installer files.

Copy this into .github/workflows/kickstart.yaml:

on: [push]
jobs:
  check_kickstart:
    uses: HariSekhon/GitHub-Actions/.github/workflows/kickstart.yaml@master
    with:
      files: installers/anaconda-ks.cfg

Lint Debian Preseed

Lints Debian Preseed automated installer files.

Copy this into .github/workflows/preseed.yaml:

on: [push]
jobs:
  check_preseed:
    uses: HariSekhon/GitHub-Actions/.github/workflows/preseed.yaml@master
    with:
      files: installers/preseed.cfg

Lint Ubuntu AutoInstaller Cloud Init

Lints Ubuntu AutoInstaller Cloud Init automated installer files.

Copy this into .github/workflows/autoinstall-user-data.yaml:

on: [push]
jobs:
  check_cloudinit:
    uses: HariSekhon/GitHub-Actions/.github/workflows/autoinstall-user-data.yaml@master
    with:
      files: installers/autoinstall-user-data

Lint Jenkinsfiles

Finds all files named Jenkinsfile in the repo and lints them using a live Jenkins in docker.

Create .github/workflows/jenkinsfile.yaml:

on: [push]
jobs:
  jenkinsfile:
    uses: HariSekhon/GitHub-Actions/.github/workflows/jenkinsfile.yaml@master

Lint Groovy

Finds all Groovy files named *.groovy in the repo and lints them using groovyc.

This is a basic check but good for a Jenkins Groovy Shared Library.

Create .github/workflows/groovyc.yaml:

on: [push]
jobs:
  check_groovyc:
    uses: HariSekhon/GitHub-Actions/.github/workflows/groovyc.yaml@master

Lint Javascript

Finds all Javascript files named *.js in the repo and lints them using eslint.

Create .github/workflows/eslint.yaml:

on: [push]
jobs:
  check_eslint:
    uses: HariSekhon/GitHub-Actions/.github/workflows/eslint.yaml@master

Docker Build and push to DockerHub

Create .github/workflows/dockerhub_build.yaml:

on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/dockerhub_build.yaml@master
    with:
      repo: user/repo  # your DockerHub user/repo
      tags: latest v1.1
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

Docker Build and push to AWS ECR

Create .github/workflows/docker_build_aws_ecr.yaml:

on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build_aws_ecr.yaml@master
    with:
      repo: MY_ECR_REPO
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

Creates several useful tags, supports multi-stage build caching, see README for details.

Docker Build and push to multiple registries

Supports building + pushing to any combination of the following, just add the relevant secrets, see docker_build.yaml for details:

ACR - Azure Container Registry
ECR - AWS Elastic Container Registry
GCR - Google Container Registry
GAR - Google Artifact Registry
GHCR - GitHub Container Registry
GitLab Registry
Quay.io Registry
DockerHub

Create .github/workflows/docker_build.yaml:

on: [push]
jobs:
  docker_build:
    uses: HariSekhon/GitHub-Actions/.github/workflows/docker_build.yaml@master
    with:
      repo_tags: |
        harisekhon/bash-tools:latest
        ghcr.io/harisekhon/bash-tools:latest
      context: devops-bash-tools-ubuntu  # path to dir containing the source and Dockerfile
    # GHCR uses the local github.token, for other registries, add secrets, see docker_build.yaml for details
    secrets:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

Check for Broken URL Links

Create .github/workflows/url_links.yaml:

on: [push]
jobs:
  url_links:
    uses: HariSekhon/GitHub-Actions/.github/workflows/url_links.yaml@master

See README for details on ignoring inaccessible / partially constructed links or those containing variables

Auto-Merge Production hotfixes back to Staging

Merges via a Pull Request for full auditing.

Create .github/workflows/merge_production_to_staging.yaml:

on: [push]
jobs:
  merge:
    if: github.ref_name == 'production'
    uses: HariSekhon/GitHub-Actions/.github/workflows/merge-branch.yaml@master
    with:
      head: production  # from
      base: staging     # to

Mirror Repos to GitLab for DR Backups

Mirrors all/given GitHub repos to GitLab - including all branches and tags, and GitHub repo description

on:
  schedule:
    # mirror to GitLab hourly
    - cron: '0 0 * * *'

jobs:
  gitlab_mirror:
    uses: HariSekhon/GitHub-Actions/.github/workflows/gitlab-mirror.yaml@master
    with:
      #organization: my-org    # optional: mirror your company's repos instead of your personal repos
      #repos: repo1 repo2 ...  # list of repos to mirror, space separated, rather than all repos
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}

AWS CodeArtifact - Publish a Python Package

on:
  tags:
    - v*

jobs:
  aws_codeartifact_python_publish:
    uses: HariSekhon/GitHub-Actions/.github/workflows/codeartifact_python_publish.yaml@master
    with:
      domain: mycompany     # your AWS CodeArtifact service domain name
      repo: mycompany-core  # your CodeArtifact repo name
      #command: make publish_package  # default. Can be any command using CODEARTIFACT_AUTH_TOKEN and CODEARTIFACT_REPO_URL
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

Kubernetes - Pluto - Check for Outdated APIs

Checks all Kubernetes YAML files for outdated API objects using Pluto.

Create .github/workflows/pluto.yaml:

on: [push]
jobs:
  pluto:
    uses: HariSekhon/GitHub-Actions/.github/workflows/pluto.yaml@master

Kubernetes - Polaris - Security & Best Practices Check

Checks all Kubernetes YAML files for security issues and best practices.

Polaris currently fails on very advanced patches such as found in my Kubernetes-configs repo.

Create .github/workflows/polaris.yaml:

on: [push]
jobs:
  polaris:
    uses: HariSekhon/GitHub-Actions/.github/workflows/polaris.yaml@master

Production

Option 1 - Hashref

Import the reusable workflows from this repo as shown above, replacing @master with @<hashref> to fix to an immutable version (tags are not immutable). This is GitHub Actions Security Best Practice.

Option 2 - Public Fork (fully automated)

Fork this repo for more control and visibility over all updates.

Enable the fork-sync github actions workflow in your fork to keep the master branch sync'd every few hours.

You can then create tags or environment branches in your forked repo to stage updates across dev/staging/production.

If using environment branches enable the fork-update-pr github actions workflow to automatically raise GitHub Pull Requests from master to your environment branches to audit, authorize & control updates.

Option 3 - Private Copy (manual)

Copy .github/workflows to a private repo. Not recommended as it's the most manual legacy approach.

You will be responsible for committing and reconciling any divergences in your local copies.

Name		Name	Last commit message	Last commit date
Latest commit History 1,908 Commits
.github		.github
generate-docker-tags		generate-docker-tags
.checkov.yaml		.checkov.yaml
.cspell.json		.cspell.json
.editorconfig		.editorconfig
.envrc		.envrc
.envrc-python		.envrc-python
.gitallowed		.gitallowed
.jscpd.json		.jscpd.json
.mdl.rb		.mdl.rb
.mdlrc		.mdlrc
.mega-linter.yml		.mega-linter.yml
.pre-commit-config.yaml		.pre-commit-config.yaml
.yamllint		.yamllint
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
action.yaml		action.yaml
main.yaml		main.yaml

License

HariSekhon/GitHub-Actions

Folders and files

Latest commit

History

Repository files navigation

GitHub Actions

Examples

Lint YAML

Lint JSON

Lint XML

Lint Bash / Shell Scripts

Lint Python

PyLint

Flake8

Lint README / Markdown documentation

Lint GitHub CODEOWNERS

Security - Scan for Secrets and issues

Semgrep Local

Semgrep Cloud

Trivy Filesystem Scan

Trivy Docker Image Scan

Grype Filesystem Scan

Analyze your Terraform code security & best practices

tfsec

tflint

Checkov

Terraform Plan & Apply

Lint Ansible Playbooks

Lint Packer HCL

Lint Redhat Kickstart

Lint Debian Preseed

Lint Ubuntu AutoInstaller Cloud Init

Lint Jenkinsfiles

Lint Groovy

Lint Javascript

Docker Build and push to DockerHub

Docker Build and push to AWS ECR

Docker Build and push to multiple registries

Check for Broken URL Links

Auto-Merge Production hotfixes back to Staging

Mirror Repos to GitLab for DR Backups

AWS CodeArtifact - Publish a Python Package

Kubernetes - Pluto - Check for Outdated APIs

Kubernetes - Polaris - Security & Best Practices Check

Production

Option 1 - Hashref

Option 2 - Public Fork (fully automated)

Option 3 - Private Copy (manual)

Star History

More Core Repos

Knowledge

DevOps Code

Containerization

CI/CD

DBA - SQL

DevOps Reloaded

Templates

Misc

About

Topics

Resources

License

Stars

Watchers

Forks

Contributors 2

Languages