- Actions
- Workflows
- Ko build
- Docker build
- Dockerfile lint
- Container image scan
- Terraform management
- Presubmit Actions workflow require commit digest vet
- Presubmit Go code lint
- Go vet
- Go fmt
- Go test
- Go vulnerability check
- Go build smoke test
- goimports
- Presubmit commit policy conformance
- Go container apps
- Go apps
- Bash shellcheck
- Presubmit README table of contents
- Presubmit GitHub Actions workflow validator
- GitHub Actions action validator
- Markdown lint
- Copy to S3
- Clean container versions
- Composite Actions
- Other documentation
- Workflows
reusable GitHub actions across several projects
This repo is for reusable workflows to run in GitHub Actions for the GeoNet program. The workflows are not publicly supported and come with absolutely no warranty.
There are three types of workflows in this repo
- reusable: GeoNet downstream implementations of existing actions or common patterns
- reusable apps: combined function workflows which include several other reusable workflows
- GeoNet/Actions maintainability: workflows which support the consistency of the workflows in this repo
the workflows are intended to work with and around the maintainers of GeoNet software for automations which are valuable to the project.
STATUS: stable
Generic build for containerised Go applications with Ko.
Example:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-ko-build.yml@main
# with:
# paths: ./cmd/coolapp
# registryOverride: registry.example.com
# registryGhcrUsernameOverride: ${{ secrets.GHCR_USERNAME }}
# registryGhcrPasswordOverride: ${{ secrets.GHCR_PASSWORD }}
# push: true
# aws-region: ap-southeast-2
# aws-role-arn-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
# aws-role-duration-seconds: "3600"
# setup: |
# sudo apt install -y something-needed-for-build
# configPath: .ko.yaml- dynamic build of images based on entrypoints (where there is a
package main), unless if inputs.paths is set - fast!
Pushing to ECR example:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-ko-build.yml@main
with:
registryOverride: $ACCOUNT.dkr.ecr.$REGION.amazonaws.com
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::$ACCOUNT:role/$ROLE_NAME
aws-role-duration-seconds: "3600"for configuration see on.workflow_call.inputs in .github/workflows/reusable-ko-build.yml.
STATUS: stable
Generic container image build with Docker.
Single use example:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: .
dockerfile: ./Dockerfile
imageName: cool
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
buildArgs: |
VERSION=${{ github.sha }}to add more, copy the block like jobs.build and replace values in next block where desired.
Multiple dynamic parallel builds based on directory subfolders:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
env:
FOLDER: apps
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set.outputs.matrix }}
steps:
- uses: actions/checkout@v3
- uses: GeoNet/yq@bbe305500687a5fe8498d74883c17f0f06431ac4 # master
- id: set
run: |
echo "matrix=$(find $FOLDER -mindepth 1 -maxdepth 1 -type d | xargs -n 1 basename | xargs | yq 'split(" ")|.[]|{"target":.}' -ojson | jq -rcM -s .)" >> $GITHUB_OUTPUT
- name: check output
run: |
jq . <<< '${{ steps.set.outputs.matrix }}'
build:
needs: prepare
strategy:
matrix:
include: ${{ fromJSON(needs.prepare.outputs.matrix) }}
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: apps/${{ fromJSON(toJSON(matrix)).target }}
dockerfile: apps/${{ fromJSON(toJSON(matrix)).target }}/Dockerfile
imageName: ${{ fromJSON(toJSON(matrix)).target }}
platforms: 'linux/amd64,linux/arm64'Pushing to ECR example:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: .
dockerfile: ./Dockerfile
imageName: cool
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
registryOverride: $ACCOUNT.dkr.ecr.$REGION.amazonaws.com
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::$ACCOUNT:role/$ROLE_NAME
aws-role-duration-seconds: "3600"Pulling in a GitHub artifact for a build:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
prepare:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: |
mkdir -p ./apps/cool-ng/assets
echo 'hello!' > ./apps/cool-ng/assets/index.html
- name: upload the cool numbers
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: cool-ng
path: ./apps/cool-ng/assets
retention-days: 1
build:
needs: prepare
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: ./apps/cool-ng
dockerfile: ./apps/cool-ng/Dockerfile
imageName: cool-ng
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
artifact-name: cool-ng
artifact-path: ./apps/cool-ng/assetsPulling in things from S3 in a build:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
copy-from-s3:
uses: GeoNet/Actions/.github/workflows/reusable-copy-to-s3.yml@main
with:
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds: 3600
artifact-name: cool-ng
artifact-path: ./apps/cool-ng/assets
s3-bucket: s3:https://some-really-really-cool-s3-bucket/assets
cp-or-sync: cp
direction: from # 'to' or 'from'
build:
needs: copy-from-s3
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: ./apps/cool-ng
dockerfile: ./apps/cool-ng/Dockerfile
imageName: cool-ng
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
artifact-name: cool-ng
artifact-path: ./apps/cool-ng/assetsnote: $registryOverride + '/' + $imageName must be an existing ECR
Override auth to ghcr.io
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: .
dockerfile: ./Dockerfile
imageName: cool
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
buildArgs: |
VERSION=${{ github.sha }}
registryGhcrUsernameOverride: example
secrets: inheritCopy an image to a different container registry:
name: build
on:
push: {}
release:
types: [published]
workflow_dispatch: {}
permissions:
packages: write
id-token: write
env:
VERSION_CRANE: v0.16.1
jobs:
build:
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
context: .
dockerfile: ./Dockerfile
imageName: cool
platforms: 'linux/amd64,linux/arm64'
push: ${{ github.ref == 'refs/heads/main' }}
copy-image-to-registry:
needs: build
runs-on: ubuntu-latest
steps:
- uses: GeoNet/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # main
with:
version: ${{ env.VERSION_CRANE }}
- name: authenticate to registry
run: |
echo SOME_PASSWORD | crane auth login -u some-user --password-stdin
- name: copy image
env:
SOURCE: ${{ needs.build.outputs.image }}
DESTINATION: ghcr.io/someorg/someimage:sometag
run: |
crane cp "$SOURCE" "$DESTINATION"this may be useful for things like image promotion or staging.
for configuration see on.workflow_call.inputs in .github/workflows/reusable-docker-build.yml.
STATUS: stable
name: dockerfile lint
on:
pull_request: {}
workflow_dispatch: {}
jobs:
dockerfile-lint:
uses: GeoNet/Actions/.github/workflows/reusable-dockerfile-lint.yml@main
with:
# dockerfiles: |
# ...STATUS: stable
Scan a (set of) container image(s) and upload the results to GitHub's Security code scanning center
Basic usage (non-integrated):
name: scan
on:
push: {}
workflow_dispatch: {}
permissions:
security-events: write
jobs:
scan:
uses: GeoNet/Actions/.github/workflows/reusable-container-image-scan.yml@main
with:
imageRefs: alpine:3.17,postgres:15inputs.imageRefs is a comma separated list of container image refs.
STATUS: stable
Trigger a terraform plan (and optionally terraform apply) against Terraform located in the repo, starting at the repo root
Example:
name: terraform
on:
pull_request: {}
workflow_dispatch: {}
jobs:
terraform:
uses: GeoNet/Actions/.github/workflows/reusable-terraform-management.yml@main
secrets: inherit
# with:
# allowApply: truefor Terraform Cloud, set TF_API_TOKEN in the repo's Actions Secrets
for configuration see on.workflow_call.inputs in .github/workflows/reusable-terraform-management.yml.
STATUS: stable
Require Actions to use external actions by their commit digest on presubmit pull requests
name: Presubmit Actions workflow require commit digest vet
on:
pull_request:
branches:
- main
workflow_dispatch: {}
jobs:
presubmit-workflow:
uses: GeoNet/Actions/.github/workflows/reusable-presubmit-actions-workflow-require-commit-digest-vet.yml@mainSTATUS: stable
Require pull requests for Go projects to have no linting errors
name: Presubmit golangci lint
on:
workflow_dispatch: {}
push:
branches:
- main
- master
- canon
pull_request: {}
jobs:
golangci:
uses: GeoNet/Actions/.github/workflows/reusable-golangci-lint.yml@main
# with:
# config: |
# linters:
# enable:
# - gosec
# - funlen
# - depguard
# - whitespaceStandard golangci-lint config comes from the .golangc-lint.yml file, which is located at the root of a repo and is pulled in with this action.
Whilst not generally recommend, this config can be override per action use, with the config input.
for configuration see on.workflow_call.inputs in .github/workflows/reusable-golangci-lint.yml.
STATUS: stable
Run go vet against the codebase for static code analysis
name: go vet
on:
push: {}
pull_request: {}
workflow_dispatch: {}
jobs:
go-vet:
uses: GeoNet/Actions/.github/workflows/reusable-go-vet.yml@mainSTATUS: stable
Run gofmt against the codebase to format the Go code
name: gofmt
on:
push: {}
pull_request: {}
workflow_dispatch: {}
jobs:
gofmt:
uses: GeoNet/Actions/.github/workflows/reusable-gofmt.yml@mainSTATUS: stable
Run go test against the codebase to run unit tests
name: go test
on:
push: {}
pull_request: {}
workflow_dispatch: {}
jobs:
go-test:
uses: GeoNet/Actions/.github/workflows/reusable-go-test.yml@maintest coverage results upload to job artifacts, found at the bottom of a job summary page.
STATUS: stable
Run govulncheck against the codebase to scan and report vulnerable packages in use
name: govulncheck
on:
push: {}
pull_request: {}
workflow_dispatch: {}
jobs:
govulncheck:
uses: GeoNet/Actions/.github/workflows/reusable-govulncheck.yml@mainSTATUS: stable
Performs go build -o /dev/null $PATH to ensure that the programs compile
Example:
name: go build smoke test
on:
push: {}
workflow_dispatch: {}
jobs:
go-build-smoke-test:
uses: GeoNet/Actions/.github/workflows/reusable-go-build-smoke-test.yml@main
# with:
# paths: ./cmd/coolappNote: does not cache or push the binary artifacts anywhere.
for configuration see on.workflow_call.inputs in .github/workflows/reusable-go-build-smoke-test.yml.
STATUS: stable
Run goimports against the codebase to ensure that the imports are structured correctly
name: goimports
on:
push: {}
pull_request: {}
workflow_dispatch: {}
jobs:
goimports:
uses: GeoNet/Actions/.github/workflows/reusable-goimports.yml@mainSTATUS: stable
Checks commits in PRs for agreed qualities, such as conventionalcommits and style
name: policy conformance
on:
pull_request:
branches:
- main
permissions:
statuses: write
checks: write
contents: read
jobs:
conform:
uses: GeoNet/Actions/.github/workflows/reusable-policy-conformance.yml@maineach repo where this action is applied must contain a .conform.yaml in the root of the repo.
Conform configuration examples:
- https://github.com/siderolabs/talos/blob/main/.conform.yaml
- https://github.com/siderolabs/conform/blob/main/.conform.yaml
- https://github.com/BobyMCbobs/sample-ko-monorepo/blob/main/.conform.yaml
here's an in-line example
policies:
- type: commit
spec:
dco: true
gpg:
required: true
githubOrganization: GeoNet
spellcheck:
locale: US
maximumOfOneCommit: true
header:
length: 89
imperative: true
case: lower
invalidLastCharacters: .
body:
required: true
conventional:
types:
- chore
- docs
- perf
- refactor
- style
- test
- release
scopes: [".*"]common useful types of requirements:
- commit signed
- single commit
- commit contains body
notes:
- the conventional types include the following types by default and are not needed to be specified
- feat
- fix
links:
STATUS: stable
a workflow which combines the following workflows
- ko-build
- go-build-smoke-test
- container-image-scan
- gofmt
- golangci-lint
- go-test
- go-vet
- govulncheck
name: go container apps
on:
push: {}
pull_request: {}
schedule:
- cron: "0 0 * * *"
release:
types: [published]
workflow_dispatch: {}
permissions:
actions: read
packages: write
contents: write
pull-requests: write
id-token: write
security-events: write
statuses: write
checks: write
jobs:
go-container-apps:
uses: GeoNet/Actions/.github/workflows/reusable-go-container-apps.yml@main
# with:
# registryOverride: string
# paths: string
# imagePromotionConfigLiteral: |
# string
# imagePromotionConfigPath: string
# updateGoVersionAutoMerge: boolean
# containerScanningEnabled: boolean
# containerBuildEnabled: boolean
# registryOverride: $ACCOUNT.dkr.ecr.$REGION.amazonaws.com
# aws-region: ap-southeast-2
# aws-role-arn-to-assume: arn:aws:iam::$ACCOUNT:role/$ROLE_NAME
# aws-role-duration-seconds: "3600"
# buildSetup: |
# sudo apt install -y something-needed-for-build
# koBuildConfigPath: .ko.yamlfor configuration see on.workflow_call.inputs in .github/workflows/reusable-go-container-apps.yml.
STATUS: stable
a workflow which combines the following workflows
- go-build-smoke-test
- gofmt
- golangci-lint
- go-test
- go-vet
- update-go-version
- govulncheck
name: go apps
on:
push: {}
pull_request: {}
schedule:
- cron: "0 0 * * *"
release:
types: [published]
workflow_dispatch: {}
permissions:
actions: read
contents: write
pull-requests: write
id-token: write
security-events: write
statuses: write
checks: write
jobs:
go-apps:
uses: GeoNet/Actions/.github/workflows/reusable-go-apps.yml@main
# with:
# paths: string
# updateGoVersionAutoMerge: booleanfor configuration see on.workflow_call.inputs in .github/workflows/reusable-go-container-apps.yml.
STATUS: stable
Runs shellcheck against all known shell scripts
name: bash shellcheck
on:
workflow_dispatch: {}
push: {}
pull_request: {}
jobs:
bash-shellcheck:
uses: GeoNet/Actions/.github/workflows/reusable-bash-shellcheck.yml@mainSTATUS: stable
Ensure that the table of contents is updated in README.md, when sections and titles are modified
name: presubmit README table of contents
on:
pull_request: {}
workflow_dispatch: {}
jobs:
presubmit-readme-toc:
uses: GeoNet/Actions/.github/workflows/reusable-presubmit-readme-toc.yml@mainimportant to note: a markdown file must contain the following
<!-- generate TOC using `go run sigs.k8s.io/mdtoc@latest --inplace README.md` -->
<!-- toc -->
<!-- /toc -->
given a markdown file (e.g: README.md) and the contents above included
in the markdown file, the table of contents can be generated with the command
in that comment:
go run sigs.k8s.io/mdtoc@latest --inplace README.mdnote: requires Go to be installed
STATUS: stable
A workflow to validate all the workflows in the repo
name: presubmit GitHub Actions workflow validator
on:
pull_request: {}
workflow_dispatch: {}
jobs:
presubmit-github-actions-workflow-validator:
uses: GeoNet/Actions/.github/workflows/reusable-presubmit-github-actions-workflow-validator.yml@mainSTATUS: stable
A workflow to validate a GitHub action (not reusable workflow)
name: presubmit GitHub Actions action validator
on:
pull_request: {}
workflow_dispatch: {}
jobs:
presubmit-github-actions-action-validator:
uses: GeoNet/Actions/.github/workflows/reusable-github-actions-action-validator.yml@main
with:
actionPaths: ./action.ymlSTATUS: stable
Lints markdown files
name: lint markdown
on:
pull_request: {}
workflow_dispatch: {}
jobs:
lint-markdown:
uses: GeoNet/Actions/.github/workflows/reusable-markdown-lint.yml@main
# with:
# ignore: some-folderSTATUS: stable
A workflow to copy or sync a local directory to an S3 bucket
name: copy to s3
on:
push:
branches:
- main
workflow_dispatch: {}
permissions:
id-token: write
contents: read
jobs:
copy-to-s3:
uses: GeoNet/Actions/.github/workflows/reusable-copy-to-s3.yml@main
with:
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds: 3600
# aws-role-session-name:
local-source-dir: ./result/
destination-s3-bucket: s3:https://some-really-really-cool-s3-bucket
cp-or-sync: sync # 'cp' or 'sync'
direction: to # 'to' or 'from'it is also chainable with other jobs
name: copy to s3
on:
push:
branches:
- main
workflow_dispatch: {}
permissions:
id-token: write
contents: read
jobs:
generate-cool-numbers:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- name: generate
run: |
mkdir -p ./outputs/
echo "$RANDOM" >> ./outputs/1.txt
echo "$RANDOM" >> ./outputs/1.txt
echo "$RANDOM" >> ./outputs/1.txt
echo "$RANDOM" >> ./outputs/1.txt
echo "$RANDOM" >> ./outputs/2.txt
echo "$RANDOM" >> ./outputs/2.txt
echo "$RANDOM" >> ./outputs/2.txt
echo "$RANDOM" >> ./outputs/2.txt
- name: upload the cool numbers
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: cool-numbers
path: ./outputs/**
retention-days: 1
copy-to-s3:
needs: generate-cool-numbers
uses: GeoNet/Actions/.github/workflows/reusable-copy-to-s3.yml@main
with:
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds: 3600
# aws-role-session-name:
artifact-name: cool-numbers
artifact-path: ./output
destination-s3-bucket: s3:https://some-really-really-cool-s3-bucket
cp-or-sync: sync # 'cp' or 'sync'
direction: to # 'to' or 'from'or copying from S3
name: copy from s3
on:
workflow_dispatch: {}
permissions:
id-token: write
contents: read
jobs:
copy-from-s3:
uses: GeoNet/Actions/.github/workflows/reusable-copy-to-s3.yml@main
with:
aws-region: ap-southeast-2
aws-role-arn-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-ROLE_NAME
aws-role-duration-seconds: 3600
# aws-role-session-name:
artifact-name: cool-numbers
artifact-path: ./output
s3-bucket: s3:https://some-really-really-cool-s3-bucket
cp-or-sync: sync # 'cp' or 'sync'
direction: from # 'to' or 'from'
check-out-the-cool-numbers:
needs: copy-from-s3
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: cool-numbers
path: ./output
- run: |
tree ./output/GitHub Actions artifacts are used to bring state between jobs, this is not possible in any other known way.
for configuration see on.workflow_call.inputs in .github/workflows/reusable-copy-to-s3.yml.
STATUS: stable
name: clean-images
permissions:
packages: write
on:
schedule:
- cron: '30 11,23 * * *'
workflow_dispatch: {}
jobs:
clean:
runs-on: ubuntu-latest
uses: GeoNet/Actions/.github/workflows/reusable-clean-containers.yml@main
with:
package-name: base-images/fedora
ignored-regex: '(stable)|(38)'
number-kept: 7STATUS: stable
Generic container tagging.
Generally will be used in the reusable workflows, but if one needed to use the action directly:
on: [push]
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
tag: steps.tagging.outputs.tag
steps:
- uses: actions/checkout@v4
- id: tagging
uses: GeoNet/Actions/.github/actions/tagging@main
build:
needs: prepare
uses: GeoNet/Actions/.github/workflows/reusable-docker-build.yml@main
with:
tag: ${{ needs.prepare.outputs.tag }}Dependabot is enabled for this repo, see the config in .github/dependabot.yml. It will automatically update create PRs to update the Actions workflow imports once a week in a seemingly staggered way.
To force an update of every external import, run hack/update-actions-imports.sh and commit the changes in a new PR.
Container registries utilise content addressed storage, meaning to get some data (blob, image), you must request what it's digest is (the process behind tags). When pushing images using the reusable Docker or Ko builds, the images will always be tagged as latest or their digest. In order to precisely tag a container image, use the image promotion action.
The digests for images are able to be found with:
crane digest IMAGE_REFor in the logs of the workflow run.