RaBe GitHub Actions
These are the reusable workflows that RaBe uses for CI/CD ♻️
Usage
See below for copy-pasteable examples of the provided actions.
The examples use @v0.0.0 as the target version of the action. You NEED to replace that with the current tag of this repository and also create the following .github/dependabot.yaml.
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
commit-message:
prefix: "ci: "
If you need multiple actions to happen then it's up to you to combine them as needed. Please add an example if you use the same combo more than once.
Ansible Collections
We have workflows for testing Ansible collections on GitHub Actions and for releasing your Ansible collections to Galaxy.
Ansible: Release
Create the main .github/workflows/release.yaml file for an ansible collection repo:
name: Release
on:
release:
types:
- published
jobs:
release-ansible-collection:
uses: radiorabe/actions/.github/workflows/release-ansible-collection.yaml@v0.0.0
secrets:
GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} # (1)
- The
GALAXY_API_KEYis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
The collections we publish with this can be found on our Galaxy page.
Ansible: Test
Create the main .github/workflows/test.yaml file for an ansible collection repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-ansible-collection:
uses: radiorabe/actions/.github/workflows/test-ansible-collection.yaml@v0.0.0
Container Images
There are actions to cover the full lifecycle of a typical container image.
Container: Release
To build, scan, and sign a container image , create this .github/workflows/release.yaml:
name: Release
on:
pull_request:
push:
branches:
- main
tags:
- '*'
jobs:
release-container:
uses: radiorabe/actions/.github/workflows/release-container.yaml@v0.0.0
with:
image: 'ghcr.io/radiorabe/<name>' # (1)
name: <name> # (2)
display-name: <display-name> # (3)
tags: <tags> # (4)
cosign-verify: true # (5)
cosign-certificate-oidc-issuer: [issues] # (6)
cosign-certificate-identity-regexp: [regexp] # (7)
cosign-base-image-only: [true] # (8)
- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-prefix removed. - Replace the name with the stem of the image
- Put a human friendly string into display-name.
- Tags are usually
minimal rhel9 rabeplus additional tags for the image at hand. - Enable image scanning. This only needs to be disabled for base image that we don't sign ourself.
- Defaults to GitHub as an issuer and only needs tuning in special cases.
- The default
https://github.com/radiorabe/.*allows signatures from all of our orga, add a more specific regexp if you feel the need. - Pass
--base-image-onlyto cosign if you are copying binaries from a source image that isn't signed with cosign.
As a last step, it is recommended to add trivy.* to both your .gitignore
and .dockerignore files so trivy can't interfere with multi-stage builds.
Container: Schedule
To scan the latest container image with trivy at regular intervals, create this .github/workflows/schedule.yaml:
name: Scheduled tasks
on:
schedule:
- cron: '13 12 * * *'
workflow_dispatch:
jobs:
schedule-trivy:
uses: radiorabe/actions/.github/workflows/schedule-trivy.yaml@v0.0.0
with:
image-ref: 'ghcr.io/radiorabe/<name>:latest' # (1)
- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-prefix removed.
Pre Commit
Create the main .github/workflows/test.yaml file for a project that supports pre-commit:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0
This runs pre-commit with black and isort installed. If you need more tools you can install them with pip.
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0
with:
requirements: black isort
Python
Our Python workflows use Poetry for installing dependencies, pytest for testing, and Poetry for publishing to pypi.
Python: Poetry Pytest
Create the main .github/workflows/test.yaml file for an ansible collection repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-python-poetry:
uses: radiorabe/actions/.github/workflows/test-python-poetry.yaml@v0.0.0
Configure your pyproject.toml to run pytest and you are good to go.
Python: Poetry Release
Create this `.github/workflows/release.yaml
name: Release
on:
pull_request:
push:
branches: [main]
release:
types: [created]
jobs:
python-poetry:
uses: radiorabe/actions/.github/workflows/release-python-poetry.yaml@v0.0.0
secrets:
RABE_PYPI_TOKEN: ${{ secrets.RABE_PYPI_TOKEN }} # (1)
- The
RABE_PYPI_TOKENis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
Configure your pyproject.toml for releasing and your mkdocs.yml to generate proper documentation and you are good to go.
Mkdocs
For repos that contain documentation built with mkdocs that do not use the poetry action.
Create a .github/workflows/release.yaml file with the following content:
name: Release
on:
push:
main
pull_request:
jobs:
release-mkdocs:
uses: radiorabe/actions/.github/workflows/release-mkdocs.yaml@v0.0.0
Add a mkdocs.yaml config and docs/ directory and you are good to go.
Semantic Release
For repos that want to use go-semantic-release:
Create this .github/workflows/semantic-release.yaml:
name: Semantic Release
on:
push:
branches:
- main
- release/*
jobs:
semantic-release:
uses: radiorabe/actions/.github/workflows/semantic-release.yaml@v0.0.0
secrets:
RABE_ITREAKTION_GITHUB_TOKEN: ${{ secrets.RABE_ITREAKTION_GITHUB_TOKEN }} # (1)
- The
RABE_ITREAKTION_GITHUB_TOKENis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
License
These reuseable workflows are free software: you can redistribute them and/or modify them under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.
Copyright
Copyright (c) 2022 Radio Bern RaBe