Skip to content

dceoy/gh-actions-for-devops

Repository files navigation

gh-actions-for-devops

A comprehensive collection of reusable GitHub Actions workflows for DevOps automation, covering Docker operations, AWS deployments, security scanning, code quality checks, and more.

CI

Table of Contents

Overview

This repository provides production-ready, reusable GitHub Actions workflows that can be called from other repositories to standardize and simplify your CI/CD pipelines. These workflows are designed to be modular, secure, and easy to integrate into your existing projects.

Key Features

  • Docker Operations: Build, scan, push, and deploy Docker images
  • AWS Integration: Deploy to AWS using Terraform, CodeBuild, CloudFormation, and more
  • Security Scanning: Automated security checks for dependencies, containers, and infrastructure
  • Code Quality: Linting and formatting for multiple languages and file types
  • Automation: Dependabot auto-merge, PR management, and release automation

Prerequisites

To use these reusable workflows, you'll need:

  • GitHub repository with Actions enabled
  • Appropriate secrets configured in your repository (e.g., AWS_ACCESS_KEY_ID, DOCKER_HUB_TOKEN)
  • Required permissions for the specific workflow you're using

Usage

To use a reusable workflow in your repository, create a workflow file (e.g., .github/workflows/my-workflow.yml) and reference the desired workflow:

name: My Workflow
on:
  push:
    branches: [main]

jobs:
  docker-build-and-push:
    uses: dceoy/gh-actions-for-devops/.github/workflows/docker-build-and-push.yml@main
    with:
      registry: docker.io
      registry-user: myusername
      image-name: my-app
      context: .
      # Non-sensitive BuildKit secret env/file mappings only (names and paths).
      secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
    secrets:
      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
      # Masked BuildKit secret lines such as `GIT_AUTH_TOKEN=...` (breaking change: `with.secrets` input removed).
      BUILD_SECRETS: ${{ secrets.DOCKER_BUILD_SECRETS }}

  aws-parameter-store-update:
    uses: dceoy/gh-actions-for-devops/.github/workflows/aws-parameter-store-update.yml@main
    with:
      aws-iam-role-to-assume: arn:aws:iam::123456789012:role/github-actions
      aws-region: us-east-1
    secrets:
      # Masked parameter values (breaking change: `parameters-from-json` input removed).
      PARAMETERS_JSON: ${{ secrets.SSM_PARAMETERS_JSON }}

Breaking changes (secret handling)

Sensitive values must be passed through the secrets: keyword of workflow_call, not with: inputs. This keeps values masked in logs.

Dependency caches

The Bats workflow uses bats-core/bats-action's built-in Bats binary cache. The Python, TypeScript, HTML, JSON, YAML, Shell, and GitHub Actions workflows listed below cache dependency or pinned-tool downloads by default. This includes formatting, PR creation, build, deployment, and release workflows because their caches contain downloads only; caches never include the working tree, generated build/release artifacts, deployment output, or credentials.

  • Set enable-cache: false where offered to avoid restoring or saving caches.
  • Set cache-dependency-path to a repository-relative dependency file when the default lockfile or requirements file is elsewhere. Defaults are resolved under package-path, so nested projects use keys based on their own uv.lock, poetry.lock, requirements-txt, package-lock.json, or pnpm-lock.yaml.
  • Change cache-salt where offered to force a fresh uv or pinned-tool cache. actions/setup-python and actions/setup-node caches are busted by changing the dependency-file content or path.

Keys are scoped by runner OS, architecture where relevant, runtime/tool version, package manager, nested package/dependency path, dependency-file content, and optional salt. Cache-configurable workflows are python-package-lint-and-scan.yml, python-package-test.yml, python-package-format-and-pr.yml, python-pyinstaller.yml, python-package-mkdocs-gh-deploy.yml, python-package-release-on-pypi-and-github.yml, typescript-package-lint-and-scan.yml, typescript-package-format-and-pr.yml, typescript-package-script.yml, html-lint-and-scan.yml, json-lint.yml, yaml-lint.yml, shell-lint.yml, and github-actions-lint-and-scan.yml.

Workflow Removed input Replacement secret
docker-build-and-push.yml secrets BUILD_SECRETS
docker-build-with-multi-targets.yml secrets BUILD_SECRETS
docker-save-and-terraform-deploy-to-aws.yml docker-build-secrets BUILD_SECRETS
aws-parameter-store-update.yml parameters-from-json PARAMETERS_JSON

secret-envs and secret-files inputs remain for non-sensitive BuildKit secret names and file paths.

Reusable Workflows

The workflows are organized by category for easier navigation. Each workflow is designed to be called from other repositories using the workflow_call trigger.

All Reusable Workflows

Workflow File Description
aws-cloudformation-lint.yml Lint for AWS CloudFormation
aws-codebuild-run.yml Build using an AWS CodeBuild project
aws-parameter-store-update.yml Update AWS Parameter Store values
bats-test.yml Test for Bats
claude-code-bot.yml Mention bot using Claude Code
claude-code-review.yml Pull request review using Claude Code
dependabot-auto-merge.yml Dependabot auto-merge
docker-build-and-push.yml Docker image build and push
docker-build-with-multi-targets.yml Docker image build and save for multiple build targets
docker-buildx-bake.yml Docker image build from a bake definition file
docker-image-scan.yml Security scan for Docker images
docker-lint-and-scan.yml Lint and security scan for Dockerfile
docker-pull-from-aws.yml Docker image pull from AWS
docker-save-and-terraform-deploy-to-aws.yml Docker image save and resource deployment to AWS using Terraform
gcloud-infra-manager-deployments.yml Deployment of Google Cloud resources using Infrastructure Manager
gemini-cli-to-slack.yml Gemini CLI with Slack notification
github-actions-lint-and-scan.yml Lint and security scan for GitHub Actions workflows
github-codeql-analysis.yml GitHub CodeQL Analysis
github-major-version-tag.yml Major version tag on GitHub
github-pr-branch-aggregation.yml Aggregation of open pull request branches
github-release.yml Release on GitHub
go-package-lint-and-scan.yml Lint and security scan for Go
html-lint-and-scan.yml Lint and scan for HTML/CSS
hugo-deploy-to-gh-pages.yml Build and deployment of Hugo site to GitHub Pages
json-lint.yml Lint for JSON
json-schema-validation.yml Schema validation for JSON
markdown-format-and-pr.yml Formatting for Markdown
microsoft-defender-for-devops.yml Microsoft Defender for Devops
opencode-bot.yml Mention bot using OpenCode
opencode-review.yml Pull request review using OpenCode
pr-agent.yml PR-agent
python-package-format-and-pr.yml Formatting for Python
python-package-lint-and-scan.yml Lint and security scan for Python
python-package-mkdocs-gh-deploy.yml Build and deployment of MkDocs documentation
python-package-release-on-pypi-and-github.yml Python package release on PyPI and GitHub
python-package-test.yml Test for Python Package
python-pyinstaller.yml Build using PyInstaller
r-package-format-and-pr.yml Formatting for R
r-package-lint.yml Lint for R
shell-lint.yml Lint for Shell
speckit-init.yml Spec Kit initialization
terraform-deploy-to-aws.yml Deployment of AWS resources using Terraform
terraform-format-and-pr.yml Formatting for Terraform
terraform-lint-and-scan.yml Lint and security scan for Terraform
terraform-lock-files-upgrade-and-pr-merge.yml Upgrade of Terraform lock files and pull request merge
terraform-lock-files-upgrade.yml Upgrade of Terraform lock files
terragrunt-aws-switch-resources.yml Switcher to apply or destroy AWS resources using Terragrunt
toml-lint.yml Lint for TOML
typescript-package-format-and-pr.yml Formatting for TypeScript
typescript-package-lint-and-scan.yml Lint and security scan for TypeScript
typescript-package-script.yml Package script run for a TypeScript project
web-api-monitoring-with-slack.yml Synthetic web API monitoring with Slack notification
yaml-lint.yml Lint for YAML

License

This project is licensed under the MIT License - see the LICENSE file for details.

Copyright (c) 2024 Daichi Narushima

Sponsor this project

 

Packages

 
 
 

Contributors