A repository for shared GitHub workflows and actions, and best practices for new and existing repositories. We welcome contributions. See Contributing to get started.
Shared workflows and actions:
- Automation
- Compliance
- actions
- Security
This is a workflow
Creates a GitHub Release on push to master. Automatically tags the release and creates release notes from the git log. Change the semantic versioning bump by applying one of the labels release:patch, release:minor or release:major to the PR. Works best in conjunction with Enforce PR labels.
How to invoke this workflow:
```yaml
name: Auto release
on:
  push:
    branches: ["master", "main"]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-auto-release.yml@master
    # Note, make sure to use `secrets: inherit` if utilizing the organizational secret `GH_RELEASE`
    # secrets: inherit
    # In order to add prefix to the tag:
    with:
      tag_prefix: "your_prefix"
```
This is a workflow
This workflow builds lambda code and uploads the zip file to S3 bucket. The instructions for building the zip package need to be specified in a Makefile. The workflow works with Go and Python lambdas.
How to invoke this workflow:
```yaml
name: Build lambda and upload to S3
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  build-and-upload-to-s3:
    name: build-and-upload-to-s3
    uses: dfds/shared-workflows/.github/workflows/automation-build-and-upload-to-s3.yml@master
    with:
      role-session-name: upload-crl-importer-lambda # Session name
      working-directory: ./crl-importer-lambda # The working directory that includes the Makefile
      lambda-package-name: crl-importer-lambda.zip # The lambda package name
      s3-location: dfds-ce-shared-artifacts/iam-rolesanywhere-lambdas
      go-version: "1.20" # Should be specified only for Go lambdas
      cache-dependency-path: ./crl-importer-lambda/go.mod/go.sum # Should be specified only for Go lambdas
      arguments: PACKAGE_NAME=${{ matrix.lambda-name }} # The arguments to be passed to make
    secrets:
      role-to-assume: ${{ secrets.ROLE_TO_ASSUME }} # Repository secret with the AWS role to be assumed
```
This is a workflow
Enforces that labels are assigned before a PR can be merged. Useful for governing the use of the semantic versioning labels consumed by Auto release.
How to invoke this workflow:
```yaml
name: Enforce PR labels
on:
  pull_request:
    types: [labeled, unlabeled, opened, edited, synchronize]
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-enforce-release-labels.yml@master
```
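The Auto release and Enforce PR labels entries above describe one convention: a PR carries exactly one of release:patch, release:minor or release:major, and the release tag is bumped accordingly. The following shell function is an added illustration of that rule written for this README; it is not the shared workflow's own implementation, and its argument interface (prefix, latest tag, comma-separated labels) is assumed.

```shell
#!/bin/sh
# Added example, not code from dfds/shared-workflows: compute the next release
# tag from a PR's release:* labels, as the Auto release / Enforce PR labels
# pair is described above. Assumed (hypothetical) interface:
#   $1  tag prefix (same idea as the tag_prefix input; may be empty)
#   $2  latest existing tag including the prefix, or empty for a first release
#   $3  comma-separated PR labels, e.g. "bug,release:minor"
# Prints the new tag; returns 1 when no release:* label is present, so a
# calling step fails the job instead of guessing a version.
next_release_tag() {
  prefix=$1
  latest=$2
  labels=$3

  # Strip the prefix to get MAJOR.MINOR.PATCH; a first release starts at 0.0.0.
  version=${latest#"$prefix"}
  [ -n "$version" ] || version=0.0.0
  case $version in
    *.*.*) ;;
    *) echo "latest tag '$latest' is not <prefix>MAJOR.MINOR.PATCH" >&2; return 1 ;;
  esac

  major=${version%%.*}
  rest=${version#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  # Exactly one bump; if several release labels are set, the largest one wins.
  case ",$labels," in
    *,release:major,*) major=$((major + 1)); minor=0; patch=0 ;;
    *,release:minor,*) minor=$((minor + 1)); patch=0 ;;
    *,release:patch,*) patch=$((patch + 1)) ;;
    *) echo "no release:patch/minor/major label on PR" >&2; return 1 ;;
  esac

  printf '%s%d.%d.%d\n' "$prefix" "$major" "$minor" "$patch"
}
```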
This is a workflow
Sets repository settings to a standard that is used across the organization.
How to invoke this workflow:
```yaml
name: Housekeeping
on:
  schedule:
    - cron: "0 6 * * *"
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-housekeeping.yml@master
    secrets: inherit
    with:
      # Optional, Enable delete head branch after merge
      delete_head_branch: true
      # Optional, Enable merging pull requests via squashed commit
      squash_merge: true
      # Optional, Enable branch protection on default branch
      branch_protection: true
      # Optional, Enable mandatory checking-labels status check on PRs
      status_checks: true
```
This is a workflow
All-in-one package that builds, tests, beautifies and publishes a docker image for multiple architectures. This workflow uses the Auto release workflow to create a GitHub Release on push to master. You have to add the DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets to your repository to use this workflow. To use the Slack integration you will also have to add the SLACK_WEBHOOK secret.
How to invoke this workflow:
```yaml
name: Multi architecture docker build
on:
  push:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-multi-build.yml@master
    secrets: inherit
    with:
      # Required
      image-repo: dfdsdk/repo-name
      # Required, options: linux/amd64,linux/arm64,linux/arm/v7,windows/amd64
      os-archs: "linux/amd64,linux/arm64,linux/arm/v7"
      # Optional, path to the test script to run inside the container
      test-script-path: ./app/test.py
      # Optional, the command to run the test script inside the container
      test-script-cmd: "python test.py"
      # Optional, the path to the readme file to use for the docker image
      # It is recommended that if you do not have a specific file for the docker image,
      # that you use the same readme as the repository
      docker-readme-path: "./DockerREADME.md"
      # Optional, sends a slack notification to the channel specified in the repository secrets
      slack-notification: true
      # Optional, the path to the Dockerfile you wish to build. Defaults to Dockerfile at the repository root.
      docker-dockerfile-path: "./path/to/Dockerfile"
```
This is a workflow
Status check that fails if a PR is on hold. Works in conjunction with the status_checks option of Housekeeping.
How to invoke this workflow:
```yaml
name: Block on-hold PRs
on:
  pull_request:
    branches: [ master, main ]
    types: [ opened, labeled, unlabeled, synchronize ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-on-hold-prs.yml@master
```
This is a workflow
Enables using the repository's PR template on pull requests generated by RenovateBot.
How to invoke this workflow:
```yaml
name: Add comment from PR template on Renovate pull requests
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/automation-renovate-pr-commenter.yml@master
    with:
      pr-template-filepath: .github/pull_request_template.md
```
This is an action
Sends an alert to a Slack channel. Create your webhook on our Slack Bot here. Add the webhook as a secret in your repository with the key SLACK_WEBHOOK.
How to invoke this action:
```yaml
name: Slack Notifier
on:
  workflow_dispatch:
jobs:
  slack-notifier:
    runs-on: ubuntu-latest
    steps:
      - name: Notify
        if: failure()
        uses: dfds/shared-workflows/.github/actions/automation-slack-notifier@master
        with:
          slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
          slack_message: 'Hmm something is wrong'
```
This is an action
A GitHub Action step that runs Checkov against a Terraform plan file. Policies are defined in the dfds/iac-terraform-policies repo.
How to invoke this action:
```yaml
name: Checkov Github Actions Step
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  run_tfplan_and_validate:
    runs-on: ubuntu-latest
    name: A job to call the shared workflow
    steps:
      - uses: actions/checkout@v3
      - name: Terraform Plan and validate
        run: |
          cd terraform
          terraform init
          terraform plan -out tfplan
          terraform show -json tfplan > ../tfplan.json
      - uses: dfds/shared-workflows/.github/actions/compliance-checkov-tfplan@master
        with:
          tf-policy-repo-token: ${{ secrets.GH_REPO_READ_IAC_TERRAFORM_POLICIES }}
```
This is a workflow
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. You have to add the GITLEAKS_LICENSE secret to your repository; it does not work with organization secrets. The license key is stored in 1Password.
How to invoke this workflow:
```yaml
name: Gitleaks
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-gitleaks.yml@master
    secrets: inherit
```
This is a workflow
Adds comments to pull requests where tfsec checks have failed.
How to invoke this workflow:
```yaml
name: Run tfsec on pull requests
on:
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-tfsec-pr-commenter.yml@master
```
This is a workflow
This workflow runs the tfsec check with SARIF output and then uploads the resulting report to the repository.
How to invoke this workflow:
```yaml
name: Run tfsec and upload
on:
  push:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-tfsec-upload.yml@master
```
This is a workflow
This workflow runs the Trivy IaC check and blocks if High or Critical issues are found.
How to invoke this workflow:
```yaml
name: Run Trivy IAC with Quality Gate
on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]
jobs:
  shared:
    uses: dfds/shared-workflows/.github/workflows/security-trivy-iac-check.yaml@master
```