These are the reusable workflows that RaBe uses for CI/CD β»οΈ
See below for copy-pasteable examples of the provided actions.
The examples use @v0.0.0
as the target version of the action. You NEED to replace that with the current tag of this repository and also create the following .github/dependabot.yaml
.
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
commit-message:
prefix: "ci: "
If you need multiple actions to happen then it's up to you to combine them as needed. Please add an example if you use the same combo more than once.
We have workflows for testing Ansible collections on GitHub Actions and for releasing your Ansible collections to Galaxy.
Create the main .github/workflows/release.yaml
file for an ansible collection repo:
name: Release
on:
release:
types:
- published
jobs:
release-ansible-collection:
uses: radiorabe/actions/.github/workflows/release-ansible-collection.yaml@v0.0.0
secrets:
GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} # (1)
- The
GALAXY_API_KEY
is shared across our repos and can be enabled for your repo by a GitHub organisation admin.
The collections we publish with this can be found on our Galaxy page.
Create the main .github/workflows/test.yaml
file for an ansible collection repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-ansible-collection:
uses: radiorabe/actions/.github/workflows/test-ansible-collection.yaml@v0.0.0
There are actions to cover the full lifecycle of a typical container image.
To build, scan, and sign a container image , create this .github/workflows/release.yaml
:
name: Release
on:
pull_request:
push:
branches:
- main
tags:
- '*'
jobs:
release-container:
uses: radiorabe/actions/.github/workflows/release-container.yaml@v0.0.0
with:
image: 'ghcr.io/radiorabe/<name>' # (1)
name: <name> # (2)
display-name: <display-name> # (3)
tags: <tags> # (4)
cosign-verify: true # (5)
cosign-certificate-oidc-issuer: [issues] # (6)
cosign-certificate-identity-regexp: [regexp] # (7)
cosign-base-image-only: [true] # (8)
- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-
prefix removed. - Replace the name with the stem of the image
- Put a human friendly string into display-name.
- Tags are usually
minimal rhel9 rabe
plus additional tags for the image at hand. - Enable image scanning. This only needs to be disabled for base image that we don't sign ourself.
- Defaults to GitHub as an issuer and only needs tuning in special cases.
- The default
https://github.com/radiorabe/.*
allows signatures from all of our orga, add a more specific regexp if you feel the need. - Pass
--base-image-only
to cosign if you are copying binaries from a source image that isn't signed with cosign.
As a last step, it is recommended to add trivy.*
to both your .gitignore
and .dockerignore
files so trivy can't interfere with multi-stage builds.
To scan the latest container image with trivy at regular intervals, create this .github/workflows/schedule.yaml
:
name: Scheduled tasks
on:
schedule:
- cron: '13 12 * * *'
workflow_dispatch:
jobs:
schedule-trivy:
uses: radiorabe/actions/.github/workflows/schedule-trivy.yaml@v0.0.0
with:
image-ref: 'ghcr.io/radiorabe/<name>:latest' # (1)
- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-
prefix removed.
Create the main .github/workflows/test.yaml
file for a project that supports pre-commit:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0
This runs pre-commit with black and isort installed. If you need more tools you can install them with pip
.
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0
with:
requirements: black isort
Our Python workflows use Poetry for installing dependencies, pytest for testing, and Poetry for publishing to pypi.
Create the main .github/workflows/test.yaml
file for an ansible collection repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-python-poetry:
uses: radiorabe/actions/.github/workflows/test-python-poetry.yaml@v0.0.0
Configure your pyproject.toml
to run pytest and you are good to go.
Create this `.github/workflows/release.yaml
name: Release
on:
pull_request:
push:
branches: [main]
release:
types: [created]
jobs:
python-poetry:
uses: radiorabe/actions/.github/workflows/release-python-poetry.yaml@v0.0.0
secrets:
RABE_PYPI_TOKEN: ${{ secrets.RABE_PYPI_TOKEN }} # (1)
- The
RABE_PYPI_TOKEN
is shared across our repos and can be enabled for your repo by a GitHub organisation admin.
Configure your pyproject.toml
for releasing and your mkdocs.yml
to generate proper documentation and you are good to go.
For repos that contain documentation built with mkdocs that do not use the poetry action.
Create a .github/workflows/release.yaml
file with the following content:
name: Release
on:
push:
main
pull_request:
jobs:
release-mkdocs:
uses: radiorabe/actions/.github/workflows/release-mkdocs.yaml@v0.0.0
Add a mkdocs.yaml
config and docs/
directory and you are good to go.
For repos that want to use go-semantic-release:
Create this .github/workflows/semantic-release.yaml
:
name: Semantic Release
on:
push:
branches:
- main
- release/*
jobs:
semantic-release:
uses: radiorabe/actions/.github/workflows/semantic-release.yaml@v0.0.0
secrets:
RABE_ITREAKTION_GITHUB_TOKEN: ${{ secrets.RABE_ITREAKTION_GITHUB_TOKEN }} # (1)
- The
RABE_ITREAKTION_GITHUB_TOKEN
is shared across our repos and can be enabled for your repo by a GitHub organisation admin.
These reuseable workflows are free software: you can redistribute them and/or modify them under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.
Copyright (c) 2022 Radio Bern RaBe