GitHub - itisopen/github-actions-workflows: General purpose reusable Github Action workflows

General purpose reusable Github Action workflows

Introduction

Use provided GitHub Actions reusable workflows to implement consistent release workflow for Github Actions repositories across your organization. Avoid duplication and simplify maintain of the workflows.

Workflows

Name	Description
CD - Deploy to EKS with ArgoCD and Helmfile	Deploy Docker image to EKS with ArgoCD and Helmfile
CD - Atmos stack deploy	Deploy atmos stack
CD - Deploy to ECS with Ecspresso	Deploy Docker image to ECS with Ecspresso
CD - Deploy to ECS with Spacelift	Deploy Docker image to ECS with Spacelift
CD - Deploy to EKS with Helmfile	Deploy Docker image to EKS with Helmfile
CD - Deploy to EKS Preview envs with Helmfile	Deploy Docker image to ECS Preview envs with Helmfile
CD - Deploy to ECS QA/Preview envs with Ecspresso	Deploy Docker image to ECS QA/Preview envs with Ecspresso
CD - Deploy to ECS QA/Preview envs with Spacelift	Deploy Docker image to ECS QA/Preview envs with Spacelift
CD - Deploy to EKS Preview envs with Helmfile	Deploy Docker image to ECS Preview envs with Helmfile
CI - Atmos stack plan	Plan atmos stack
CI - Codeowners	Validate CODEOWNERS and suggest changes
CI - Build Docker image	Build Docker image and push it to ECR
CI - Promote or build Docker image	Promote or build Docker image and push it to ECR
CI - Promote Docker image	Promote Docker image to specific version tag and push it to ECR
CI - Verify Docker image exists	Verify Docker image exists on ECR
CI - GitHub Action	Lint and test github action
CI - Readme	Validate README.yaml, README.md and suggest changes
CI - Terraform ChatOps	Trigger terraform tests using ChatOps
CI - Terraform	Lint, format and validate terraform code
CI - Check dist Directory	This workflow helps ensure that generated contents of the `dist` directory matches the output of the `yarn build`
Controller - Atmos affected stacks	Get stacks affected in the commit
Controller - Atmos affected stacks	Get stacks affected in the commit
Controller - Draft release	Create or update draft release
Controller - Reingtegrate hotfix branch	Create PR into `target\_branch` to reintegrate hotfix from current branch
Controller - Create Release branch	Create `release/{version}` branch for the release
Controller - Create hotfix release	Create next patch version release
Controller - Labels	Label a pull request with one or more labels
Controller - Monorepo Controller	Mocked monorepo controller that outputs list of applications, lists of apps with and without changes.
Controller - Managing Release Branches and Tags	Manages long-living release branches and their releases
Controller - Release	Create a github release
Scheduled Context	Scheduled update of context.tf and related docs
Scheduled Readme	Scheduled update of readme.md

CD - Deploy to EKS with ArgoCD and Helmfile

Deploy Docker image to EKS with ArgoCD and Helmfile

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-argocd.yml@itisopen
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        environment: dev
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
environment	Environment name deploy to	string	N/A	true
image	Docker Image to deploy	string	N/A	true
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
path	The path where lives the helmfile or helm chart.	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
synchronously	Wait until ArgoCD successfully apply the changes	boolean	false	false
tag	Docker Image tag to deploy	string	N/A	true
toolchain	Toolchain ('helm', 'helmfile')	string	helmfile	false
values_file	Helmfile values file	string		false

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CD - Atmos stack deploy

Deploy atmos stack

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'master' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-atmos-stack-deploy.yaml@itisopen

Inputs

Name	Description	Type	Default	Required
component	The component name.	string	N/A	true
environment	Environment.	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
stack	The stack name.	string	N/A	true

CD - Deploy to ECS with Ecspresso

Deploy Docker image to ECS with Ecspresso

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-ecspresso.yml@itisopen
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        environment: dev
        enable-migration: ${{ inputs.enable-migration }}
        support-rollback: ${{ inputs.support-rollback }}
      secrets:
        secret-outputs-passphrase: "${{ secrets.secret-outputs-passphrase }}"
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	false
enable-migration	Run DB migration	boolean	false	false
environment	Environment name deploy to	string	N/A	true
image	Docker Image to deploy	string	N/A	true
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
path	The path tp task definition template json file.	string	./deploy/taskdef.json	false
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
support-rollback	Perform rollback on failure	boolean	false	false
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CD - Deploy to ECS with Spacelift

Deploy Docker image to ECS with Spacelift

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-ecs.yml@itisopen
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        environment: dev
        spacelift-organization: ${{ inputs.spacelift-organization }}
      secrets:
        secret-outputs-passphrase: "${{ secrets.secret-outputs-passphrase }}"
        github-private-actions-pat: "${{ secrets.github-private-actions-pat }}"
        spacelift-api-key-id: "${{ secrets.spacelift-api-key-id }}"
        spacelift-api-key-secret: "${{ secrets.spacelift-api-key-secret }}"

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	false
environment	Environment name deploy to	string	N/A	true
image	Docker Image to deploy	string	N/A	true
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
spacelift-organization	Spacelift organization name	string	N/A	true
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true
spacelift-api-key-id	Spacelift API Key ID	true
spacelift-api-key-secret	Spacelift API Key Secret	true

CD - Deploy to EKS with Helmfile

Deploy Docker image to EKS with Helmfile

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-helmfile.yml@itisopen
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        environment: dev
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
environment	Environment name deploy to	string	N/A	true
image	Docker Image to deploy	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["self-hosted"]	false
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CD - Deploy to EKS Preview envs with Helmfile

Deploy Docker image to ECS Preview envs with Helmfile

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'master' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-preview-helmfile.yml@itisopen
      if: ${{ always() }}
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        open: ${{ github.event.pull_request.state == 'open' }}
        labels: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        ref: ${{ github.event.pull_request.head.ref }}
        exclusive: false
        env-label: |
          preview: deploy
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
env-label	YAML formatted {environment}: {label} map	string	preview: deploy	false
exclusive	Deactivate previous GitHub deployments	boolean	true	false
image	Docker Image to deploy	string	N/A	true
labels	Pull Request labels	string	{}	false
open	Pull Request open/close state. Set true if opened	boolean	N/A	true
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
path	The path where lives the helmfile or helm chart.	string	N/A	true
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
synchronously	Wait until ArgoCD successfully apply the changes	boolean	false	false
tag	Docker Image tag to deploy	string	N/A	true
toolchain	Toolchain ('helm', 'helmfile')	string	helmfile	false
values_file	Helmfile values file, or helm chart values file	string		false

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CD - Deploy to ECS QA/Preview envs with Ecspresso

Deploy Docker image to ECS QA/Preview envs with Ecspresso

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'main' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-preview-ecspresso.yml@itisopen
      if: ${{ always() }}
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        open: ${{ github.event.pull_request.state == 'open' }}
        labels: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        ref: ${{ github.event.pull_request.head.ref }}
        exclusive: true
        env-label: |
          qa1: deploy/qa1
          qa2: deploy/qa2  
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	false
enable-migration	Run DB migration	boolean	false	false
env-label	YAML formatted {environment}: {label} map	string	preview: deploy	false
exclusive	Deactivate previous GitHub deployments	boolean	true	false
image	Docker Image to deploy	string	N/A	true
labels	Pull Request labels	string	{}	false
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
open	Pull Request open/close state. Set true if opened	boolean	N/A	true
path	The path to task definition template json file.	string	./deploy/taskdef.json	false
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
support-rollback	Perform rollback on failure	boolean	false	false
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CD - Deploy to ECS QA/Preview envs with Spacelift

Deploy Docker image to ECS QA/Preview envs with Spacelift

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'master' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-preview-ecs.yml@itisopen
      if: ${{ always() }}
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        spacelift-organization: ${{ inputs.spacelift-organization }}
        open: ${{ github.event.pull_request.state == 'open' }}
        labels: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        ref: ${{ github.event.pull_request.head.ref }}
        exclusive: true
        env-label: |
          qa1: deploy/qa1
          qa2: deploy/qa2
          qa3: deploy/qa3
          qa4: deploy/qa4
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}
        spacelift-api-key-id: "${{ secrets.spacelift-api-key-id }}"
        spacelift-api-key-secret: "${{ secrets.spacelift-api-key-secret }}"

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	false
env-label	YAML formatted {environment}: {label} map	string	preview: deploy	false
exclusive	Deactivate previous GitHub deployments	boolean	true	false
image	Docker Image to deploy	string	N/A	true
labels	Pull Request labels	string	{}	false
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
open	Pull Request open/close state. Set true if opened	boolean	N/A	true
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
spacelift-organization	Spacelift organization name	string	N/A	true
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true
spacelift-api-key-id	Spacelift API Key ID	true
spacelift-api-key-secret	Spacelift API Key Secret	true

CD - Deploy to EKS Preview envs with Helmfile

Deploy Docker image to ECS Preview envs with Helmfile

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'master' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/cd-preview-helmfile.yml@itisopen
      if: ${{ always() }}
      with:
        image: registry.hub.docker.com/library/nginx
        tag: latest
        repository: ${{ github.event.repository.name }}
        open: ${{ github.event.pull_request.state == 'open' }}
        labels: ${{ toJSON(github.event.pull_request.labels.*.name) }}
        ref: ${{ github.event.pull_request.head.ref }}
        exclusive: false
        env-label: |
          preview: deploy
      secrets:
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
env-label	YAML formatted {environment}: {label} map	string	preview: deploy	false
exclusive	Deactivate previous GitHub deployments	boolean	true	false
image	Docker Image to deploy	string	N/A	true
labels	Pull Request labels	string	{}	false
open	Pull Request open/close state. Set true if opened	boolean	N/A	true
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["self-hosted"]	false
tag	Docker Image tag to deploy	string	N/A	true

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to pull private repos	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

CI - Atmos stack plan

Plan atmos stack

Usage

  name: Feature Branch
  on:
    pull_request:
      branches: [ 'master' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    cd:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-atmos-stack-plan.yaml@itisopen

Inputs

Name	Description	Type	Default	Required
component	The component name.	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
stack	The stack name.	string	N/A	true

CI - Codeowners

Validate CODEOWNERS and suggest changes

Usage

  name: Validate CODEOWNERS
  on:
    workflow_call:
    
  jobs:
    ci-codeowners:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-codeowners-full.yml@itisopen
      with:
        is_fork: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
      secrets: inherit

Inputs

Name	Description	Type	Default	Required
is_fork	Run workflow in fork mode (decreased permissions and features)	boolean	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

CI - Build Docker image

Build Docker image and push it to ECR

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    ci:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-dockerized-app-build.yml@itisopen
      with:
        organization: ${{ github.event.repository.owner.login }}
        repository: ${{ github.event.repository.name }}
      secrets:
        ecr-region: ${{ secrets.ecr-region }}
        ecr-iam-role: ${{ secrets.ecr-iam-role }}
        registry: ${{ secrets.registry }}
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}

Inputs

Name	Description	Type	Default	Required
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
tests_enabled	Enable CI Test Stage	boolean	true	false

Secrets

Name	Description	Required
ecr-iam-role	IAM Role ARN provide ECR write/read access	true
ecr-region	ECR AWS region	true
registry	ECR Docker registry	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

Outputs

Name	Description
image	Docker Image
tag	Docker image tag

CI - Promote or build Docker image

Promote or build Docker image and push it to ECR

Usage

  name: Deploy
  on:
    push:
      branches: [ main ]

  jobs:
    ci:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-dockerized-app-promote-or-build.yml@itisopen
      with:
        organization: ${{ github.event.repository.owner.login }}
        repository: ${{ github.event.repository.name }}
        force-build: false
      secrets:
        ecr-region: ${{ secrets.ecr-region }}
        ecr-iam-role: ${{ secrets.ecr-iam-role }}
        registry: ${{ secrets.registry }}
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	true
force-build	Force build (skip promotion)	boolean	false	true
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Secrets

Name	Description	Required
ecr-iam-role	IAM Role ARN provide ECR write/read access	true
ecr-region	ECR AWS region	true
registry	ECR Docker registry	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

Outputs

Name	Description
image	Docker Image
tag	Docker image tag

CI - Promote Docker image

Promote Docker image to specific version tag and push it to ECR

Usage

  name: Release
  on:
    release:
      types: [published]

  jobs:
    ci:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-dockerized-app-promote.yml@itisopen
      with:
        organization: ${{ github.event.repository.owner.login }}
        repository: ${{ github.event.repository.name }}
        version: ${{ github.event.release.tag_name }}
      secrets:
        ecr-region: ${{ secrets.ecr-region }}
        ecr-iam-role: ${{ secrets.ecr-iam-role }}
        registry: ${{ secrets.registry }}
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	false
matrix-key	Matrix key - matrix output workaround. Read more	string	N/A	false
matrix-step-name	Matrix step name - matrix output workaround. Read more	string	N/A	false
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
version	New version tag	string	N/A	true

Secrets

Name	Description	Required
ecr-iam-role	IAM Role ARN provide ECR write/read access	true
ecr-region	ECR AWS region	true
registry	ECR Docker registry	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

Outputs

Name	Description
image	Docker Image
tag	Docker image tag

CI - Verify Docker image exists

Verify Docker image exists on ECR

Usage

  name: Release
  on:
    release:
      types: [published]

  jobs:
    ci:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-dockerized-app-verify.yml@itisopen
      with:
        organization: ${{ github.event.repository.owner.login }}
        repository: ${{ github.event.repository.name }}
        version: ${{ github.event.release.tag_name }}
      secrets:
        ecr-region: ${{ secrets.ecr-region }}
        ecr-iam-role: ${{ secrets.ecr-iam-role }}
        registry: ${{ secrets.registry }}
        secret-outputs-passphrase: ${{ secrets.secret-outputs-passphrase }}

Inputs

Name	Description	Type	Default	Required
app	Application name. Used with monorepo pattern when there are several applications in the repo	string	N/A	true
organization	Repository owner organization (ex. acme for repo acme/example)	string	N/A	true
repository	Repository name (ex. example for repo acme/example)	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["self-hosted"]	false
version	Release version tag	string	N/A	true

Secrets

Name	Description	Required
ecr-iam-role	IAM Role ARN provide ECR write/read access	true
ecr-region	ECR AWS region	true
registry	ECR Docker registry	true
secret-outputs-passphrase	Passphrase to encrypt/decrypt secret outputs with gpg. For more information read	true

Outputs

Name	Description
image	Docker Image
tag	Docker image tag

CI - GitHub Action

Lint and test github action

Usage

  name: Validate Terraform
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read

  jobs:
    ci-terraform:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-terraform.yml@itisopen
      with:
        suggestions: true
        filter-mode: diff_context

Inputs

Name	Description	Type	Default	Required
organization	Repository owner organization (ex. acme for repo acme/example)	string	${{ github.event.repository.owner.login }}	false
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	${{ github.ref }}	false
repository	Repository name (ex. example for repo acme/example)	string	${{ github.event.repository.name }}	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
tests-prefix	Workflows file name prefix to run as tests	string	test-*	false

CI - Readme

Validate README.yaml, README.md and suggest changes

Usage

  name: Validate Readme
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read
    
  jobs:
    ci-readme:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-readme.yml@itisopen
      with:
        suggestions: true
        filter-mode: diff_context

Inputs

Name	Description	Type	Default	Required
ref	Checkout ref	string	${{ github.ref_name }}	false
repository	Checkout repository	string	${{ github.repository }}	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

CI - Terraform ChatOps

Trigger terraform tests using ChatOps

Usage

  name: Terraform ChatOps
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read

  jobs:
    ci-terraform-chatops:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-terraform-chatops.yml@itisopen
      secrets:
        github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}

Inputs

Name	Description	Type	Default	Required
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Secrets

Name	Description	Required
github_access_token	GitHub API token	true

CI - Terraform

Lint, format and validate terraform code

Usage

  name: Validate Terraform
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read

  jobs:
    ci-terraform:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-terraform.yml@itisopen
      with:
        suggestions: true
        filter-mode: diff_context

Inputs

Name	Description	Type	Default	Required
filter-mode	Reviewdog filter mode	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
suggestions	Enable Reviewdog suggestions (pull request only)	boolean	N/A	true

CI - Check dist Directory

This workflow helps ensure that generated contents of the dist directory matches the output of the yarn build command. The dist directory has special meaning in GitHub Actions in that it that contains the runnable JS files.

In ITisOpen's TypeScript actions, the dist directory is generated through a build process from the TypeScript source files by running the yarn build command.

Usage

  name: Build
  on:
    push:
      branches: [ main ]

  jobs:
    check-dist:
      uses: itisopen/github-actions-workflows/.github/workflows/ci-typescript-app-check-dist.yml@itisopen

Inputs

Name	Description	Type	Default	Required
commit-message	Optional input to set a commit message. If it's not set, it defaults to 'Update the contents of dist directory'	string	Update contents of the dist directory	false
dist-path	Optional input to set a path to the dist folder. If it's not set, it defaults to './dist'	string	./dist	false
node-caching	Optional input to set up caching for the setup-node action. The input syntax corresponds to the setup-node's one. Set to an empty string if caching isn't needed	string	yarn	false
node-version	Optional input to set the version of Node.js used to build a project. The input syntax corresponds to the setup-node's one	string	16.x	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Controller - Atmos affected stacks

Get stacks affected in the commit

Usage

  name: Stacks affected
  on:
    push:
      branches: [ main ]

  jobs:
    do:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-atmos-affected-stacks.yml@itisopen

Inputs

Name	Description	Type	Default	Required
head-ref	The head ref to checkout. If not provided, the head default branch is used.	string	N/A	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Outputs

Name	Description
has-affected-stacks	Has affected stacks
stacks	Affected stacks

Controller - Atmos affected stacks

Get stacks affected in the commit

Usage

  name: Stacks affected
  on:
    push:
      branches: [ main ]

  jobs:
    do:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-atmos-affected-stacks.yml@itisopen

Inputs

Name	Description	Type	Default	Required
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
stacks	Stacks	string	N/A	false

Controller - Draft release

Create or update draft release

Usage

  name: Draft release
  on:
    push:
      branches: [ main ]

  jobs:
    do:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-draft-release.yml@itisopen
      with:
        ref: ${{ github.sha }}
      secrets:
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
ref	The release target, i.e. branch or commit it should point to	string	${{ github.sha }}	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to create release	true

Controller - Reingtegrate hotfix branch

Create PR into target_branch to reintegrate hotfix from current branch

Usage

  name: Release
  on:
    release:
      types: [published]

  jobs:
    do:
      uses: itisopen/github-action-workflows/.github/workflows/controller-hotfix-reintegrate.yml@itisopen
      with:
        ref: ${{ github.ref }}
        target_branch: main
      secrets:
        github-private-actions-pat: ${{ secrets.github-private-actions-pat }}

Inputs

Name	Description	Type	Default	Required
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
target_branch	Target branch to reintegrate hotfix	string	main	false

Secrets

Name	Description	Required
github-private-actions-pat	Github PAT allow to create a pull request	true

Controller - Create Release branch

Create release/{version} branch for the release

Usage

  name: Main branch
  on:
    release:
      types: [published]

  jobs:
    do:
      uses: itisopen/github-action-workflows/.github/workflows/controller-hotfix-release-branch.yml@itisopen
      with:
        version: ${{ github.event.release.tag_name }}

Inputs

Name	Description	Type	Default	Required
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
version	Release version	string	N/A	true

Controller - Create hotfix release

Create next patch version release

Usage

  on:
    push:
      branches: [ 'release/**' ]

  jobs:
    do:
      uses: itisopen/github-action-workflows/.github/workflows/controller-hotfix-release.yml@itisopen
      with:
        ref: ${{ github.ref }}

Inputs

Name	Description	Type	Default	Required
ref	The fully-formed ref of the branch or tag that triggered the workflow run	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Outputs

Name	Description
version	Release version

Controller - Labels

Label a pull request with one or more labels

Usage

  name: Label pull request
  on:
    workflow_call:

  jobs:
    label:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-labels.yml@itisopen
      with:
        labels: ['ready-for-review']

Inputs

Name	Description	Type	Default	Required
labels	The labels' name to be added. Must be separated with line breaks if there are multiple labels.	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Controller - Monorepo Controller

Mocked monorepo controller that outputs list of applications, lists of apps with and without changes.

Usage

  name: Monorepo
  on:
    push:
      branches: [ main ]

  jobs:
    do:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-monorepo.yml@itisopen
      with:
        dir: ./apps

Inputs

Name	Description	Type	Default	Required
dir	Directory with applications	string	N/A	true
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Outputs

Name	Description
apps	Applications
changes	Changed applications
no-changes	Unchanged applications

Controller - Managing Release Branches and Tags

Manages long-living release branches and their releases

Usage

  name: release
  on:
    release:
      types:
        - published
  
  permissions:
    contents: write
    id-token: write
  
  jobs:
    terraform-module:
      uses: itisopen/github-actions-workflows/.github/workflows/controller-release-branches.yml@itisopen

Inputs

Name	Description	Type	Default	Required
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Controller - Release

Create a github release

Usage

  name: release-branch
  on:
    push:
      branches:
        - main
        - release/**
  
  permissions:
    contents: write
    id-token: write

  jobs:
    release:
      uses:  itisopen/github-actions-workflows/.github/workflows/controller-release.yml@itisopen

Inputs

Name	Description	Type	Default	Required
config-name	Name of the release drafter config file	string	auto-release.yml	false
publish	Publish github release if true and no-release PR label is not set.	boolean	true	false
ref_name	The release target, i.e. branch to release from	string	${{ github.ref_name }}	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false
sha	Pull request merge commit sha	string	${{ github.sha }}	false

Secrets

Name	Description	Required
github_access_token	GitHub API token	false

Scheduled Context

Scheduled update of context.tf and related docs

Usage

  name: scheduled-context
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read
    
  jobs:
    scheduled-context:
      uses: itisopen/github-actions-workflows/.github/workflows/scheduled-context.yml@itisopen

Inputs

Name	Description	Type	Default	Required
base-branch	Repo default branch	string	main	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Secrets

Name	Description	Required
github_access_token	GitHub API token	true

Scheduled Readme

Scheduled update of readme.md

Usage

  name: scheduled-readme
  on:
    workflow_call:
  
  permissions:
    pull-requests: write
    id-token: write
    contents: read
    
  jobs:
    scheduled-readme:
      uses: itisopen/github-actions-workflows/.github/workflows/scheduled-readme.yml@itisopen

Inputs

Name	Description	Type	Default	Required
base-branch	Repo default branch	string	main	false
runs-on	Overrides job runs-on setting (json-encoded list)	string	["ubuntu-latest"]	false

Related Projects

Check out these related projects.

References

For additional context, refer to some of these links.

github-actions-workflows - Reusable workflows for different types of projects
github-action-docker-build-push - Simple docker build action

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to the outstanding contributors to the Cloud Posse upstream contents. We appreciate your hard work and dedication to building scalable enterprise grade solutions.
Many thanks also to the contributors to the ITisOpen upstream contents. We appreciate your hard work and dedication to extending the work of Cloud Posse to other cloud providers.

For 🐛 bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Review our Code of Conduct and Contributor Guidelines.
Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "ITisOpen" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally open infrastructure.

Note: ITisOpen is leverages open-source projects from Cloud Posse. We encourage you to also join the Cloud Posse Slack community for even more collaboration and support: slack.cloudposse.com

📰 Newsletter

Sign up for our newsletter and join other DevOps & Platform Engineers, CTOs, and founders who get insider access to the latest DevOps & Platform Engineering trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

License

Preamble to the Apache License, Version 2.0

Complete license is available in the LICENSE file.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.