A comprehensive collection of reusable GitHub Actions workflows for DevOps automation, covering Docker operations, AWS deployments, security scanning, code quality checks, and more.
This repository provides production-ready, reusable GitHub Actions workflows that can be called from other repositories to standardize and simplify your CI/CD pipelines. These workflows are designed to be modular, secure, and easy to integrate into your existing projects.
- Docker Operations: Build, scan, push, and deploy Docker images
- AWS Integration: Deploy to AWS using Terraform, CodeBuild, CloudFormation, and more
- Security Scanning: Automated security checks for dependencies, containers, and infrastructure
- Code Quality: Linting and formatting for multiple languages and file types
- Automation: Dependabot auto-merge, PR management, and release automation
To use these reusable workflows, you'll need:
- GitHub repository with Actions enabled
- Appropriate secrets configured in your repository (e.g.,
AWS_ACCESS_KEY_ID,DOCKER_HUB_TOKEN) - Required permissions for the specific workflow you're using
To use a reusable workflow in your repository, create a workflow file (e.g., .github/workflows/my-workflow.yml) and reference the desired workflow:
name: My Workflow
on:
push:
branches: [main]
jobs:
docker-build-and-push:
uses: dceoy/gh-actions-for-devops/.github/workflows/docker-build-and-push.yml@main
with:
registry: docker.io
registry-user: myusername
image-name: my-app
context: .
# Non-sensitive BuildKit secret env/file mappings only (names and paths).
secret-envs: GIT_AUTH_TOKEN=GIT_AUTH_TOKEN
secrets:
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# Masked BuildKit secret lines such as `GIT_AUTH_TOKEN=...` (breaking change: `with.secrets` input removed).
BUILD_SECRETS: ${{ secrets.DOCKER_BUILD_SECRETS }}
aws-parameter-store-update:
uses: dceoy/gh-actions-for-devops/.github/workflows/aws-parameter-store-update.yml@main
with:
aws-iam-role-to-assume: arn:aws:iam::123456789012:role/github-actions
aws-region: us-east-1
secrets:
# Masked parameter values (breaking change: `parameters-from-json` input removed).
PARAMETERS_JSON: ${{ secrets.SSM_PARAMETERS_JSON }}Sensitive values must be passed through the secrets: keyword of workflow_call, not with: inputs. This keeps values masked in logs.
The Bats workflow uses bats-core/bats-action's built-in Bats binary cache. The Python, TypeScript, HTML, JSON, YAML, Shell, and GitHub Actions workflows listed below cache dependency or pinned-tool downloads by default. This includes formatting, PR creation, build, deployment, and release workflows because their caches contain downloads only; caches never include the working tree, generated build/release artifacts, deployment output, or credentials.
- Set
enable-cache: falsewhere offered to avoid restoring or saving caches. - Set
cache-dependency-pathto a repository-relative dependency file when the default lockfile or requirements file is elsewhere. Defaults are resolved underpackage-path, so nested projects use keys based on their ownuv.lock,poetry.lock,requirements-txt,package-lock.json, orpnpm-lock.yaml. - Change
cache-saltwhere offered to force a fresh uv or pinned-tool cache.actions/setup-pythonandactions/setup-nodecaches are busted by changing the dependency-file content or path.
Keys are scoped by runner OS, architecture where relevant, runtime/tool version, package manager, nested package/dependency path, dependency-file content, and optional salt. Cache-configurable workflows are python-package-lint-and-scan.yml, python-package-test.yml, python-package-format-and-pr.yml, python-pyinstaller.yml, python-package-mkdocs-gh-deploy.yml, python-package-release-on-pypi-and-github.yml, typescript-package-lint-and-scan.yml, typescript-package-format-and-pr.yml, typescript-package-script.yml, html-lint-and-scan.yml, json-lint.yml, yaml-lint.yml, shell-lint.yml, and github-actions-lint-and-scan.yml.
| Workflow | Removed input | Replacement secret |
|---|---|---|
docker-build-and-push.yml |
secrets |
BUILD_SECRETS |
docker-build-with-multi-targets.yml |
secrets |
BUILD_SECRETS |
docker-save-and-terraform-deploy-to-aws.yml |
docker-build-secrets |
BUILD_SECRETS |
aws-parameter-store-update.yml |
parameters-from-json |
PARAMETERS_JSON |
secret-envs and secret-files inputs remain for non-sensitive BuildKit secret names and file paths.
The workflows are organized by category for easier navigation. Each workflow is designed to be called from other repositories using the workflow_call trigger.
| Workflow File | Description |
|---|---|
| aws-cloudformation-lint.yml | Lint for AWS CloudFormation |
| aws-codebuild-run.yml | Build using an AWS CodeBuild project |
| aws-parameter-store-update.yml | Update AWS Parameter Store values |
| bats-test.yml | Test for Bats |
| claude-code-bot.yml | Mention bot using Claude Code |
| claude-code-review.yml | Pull request review using Claude Code |
| dependabot-auto-merge.yml | Dependabot auto-merge |
| docker-build-and-push.yml | Docker image build and push |
| docker-build-with-multi-targets.yml | Docker image build and save for multiple build targets |
| docker-buildx-bake.yml | Docker image build from a bake definition file |
| docker-image-scan.yml | Security scan for Docker images |
| docker-lint-and-scan.yml | Lint and security scan for Dockerfile |
| docker-pull-from-aws.yml | Docker image pull from AWS |
| docker-save-and-terraform-deploy-to-aws.yml | Docker image save and resource deployment to AWS using Terraform |
| gcloud-infra-manager-deployments.yml | Deployment of Google Cloud resources using Infrastructure Manager |
| gemini-cli-to-slack.yml | Gemini CLI with Slack notification |
| github-actions-lint-and-scan.yml | Lint and security scan for GitHub Actions workflows |
| github-codeql-analysis.yml | GitHub CodeQL Analysis |
| github-major-version-tag.yml | Major version tag on GitHub |
| github-pr-branch-aggregation.yml | Aggregation of open pull request branches |
| github-release.yml | Release on GitHub |
| go-package-lint-and-scan.yml | Lint and security scan for Go |
| html-lint-and-scan.yml | Lint and scan for HTML/CSS |
| hugo-deploy-to-gh-pages.yml | Build and deployment of Hugo site to GitHub Pages |
| json-lint.yml | Lint for JSON |
| json-schema-validation.yml | Schema validation for JSON |
| markdown-format-and-pr.yml | Formatting for Markdown |
| microsoft-defender-for-devops.yml | Microsoft Defender for Devops |
| opencode-bot.yml | Mention bot using OpenCode |
| opencode-review.yml | Pull request review using OpenCode |
| pr-agent.yml | PR-agent |
| python-package-format-and-pr.yml | Formatting for Python |
| python-package-lint-and-scan.yml | Lint and security scan for Python |
| python-package-mkdocs-gh-deploy.yml | Build and deployment of MkDocs documentation |
| python-package-release-on-pypi-and-github.yml | Python package release on PyPI and GitHub |
| python-package-test.yml | Test for Python Package |
| python-pyinstaller.yml | Build using PyInstaller |
| r-package-format-and-pr.yml | Formatting for R |
| r-package-lint.yml | Lint for R |
| shell-lint.yml | Lint for Shell |
| speckit-init.yml | Spec Kit initialization |
| terraform-deploy-to-aws.yml | Deployment of AWS resources using Terraform |
| terraform-format-and-pr.yml | Formatting for Terraform |
| terraform-lint-and-scan.yml | Lint and security scan for Terraform |
| terraform-lock-files-upgrade-and-pr-merge.yml | Upgrade of Terraform lock files and pull request merge |
| terraform-lock-files-upgrade.yml | Upgrade of Terraform lock files |
| terragrunt-aws-switch-resources.yml | Switcher to apply or destroy AWS resources using Terragrunt |
| toml-lint.yml | Lint for TOML |
| typescript-package-format-and-pr.yml | Formatting for TypeScript |
| typescript-package-lint-and-scan.yml | Lint and security scan for TypeScript |
| typescript-package-script.yml | Package script run for a TypeScript project |
| web-api-monitoring-with-slack.yml | Synthetic web API monitoring with Slack notification |
| yaml-lint.yml | Lint for YAML |
This project is licensed under the MIT License - see the LICENSE file for details.
Copyright (c) 2024 Daichi Narushima