Production-grade, vetted GitHub Actions workflows for Kubernetes GitOps infrastructure.

• 🐳 Docker: Build, scan, sign, and push with multi-platform support
• 🔒 Security: Trivy, Gitleaks, SBOM generation, Cosign signing
• ☸️ Kubernetes: Helm lint, test, publish & Kyverno policy testing
• 🏗️ Infrastructure: Terraform validate, plan, and apply workflows
• 🚀 GitOps: ArgoCD sync and automated manifest updates
• 📦 Supply Chain: SBOM, provenance, and vulnerability tracking
• 🔄 Auto-Updates: Renovate-powered SHA-pinned action updates
• 🧪 Testing: Node.js/TypeScript testing with coverage (coming soon)

• GitHub repository with Actions enabled
• Docker images hosted on GitHub Container Registry (ghcr.io)
• Repository secrets configured (if needed)

# .github/workflows/ci.yml
name: CI Pipeline

on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    uses: samuelho-dev/git-flow/.github/workflows/docker-build-push.yml@v1
    with:
      context: .
      dockerfile: ./Dockerfile
      image: my-app
      platforms: linux/amd64,linux/arm64
      scan: true
      sign: true
      sbom: true
    secrets: inherit

jobs:
  scan-code:
    uses: samuelho-dev/git-flow/.github/workflows/trivy-scan.yml@v1
    with:
      scan-type: fs
      scan-ref: .
      severity: HIGH,CRITICAL

  scan-secrets:
    uses: samuelho-dev/git-flow/.github/workflows/gitleaks-scan.yml@v1
    with:
      fail-on-findings: true

jobs:
  sbom:
    uses: samuelho-dev/git-flow/.github/workflows/sbom-generate.yml@v1
    with:
      target-type: directory
      target: .
      format: spdx-json
      scan-sbom: true

• Usage Guide - Detailed usage instructions for all workflows
• Examples - Complete workflow examples and patterns
• Migration Guide - Migrate from inline commands to reusable workflows

This repository uses Renovate to automatically update GitHub Actions. To enable Renovate in your consuming repository:

{
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests"
  ],
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "automerge": true,
      "automergeType": "pr"
    }
  ]
}

We use semantic versioning with git tags:

• @v1 - Latest stable v1.x.x (automatically updates to new minor/patch versions)
• @v1.0.0 - Specific version (pinned, no automatic updates)
• @abc123 - Specific commit SHA (maximum stability)

Recommendation: Use @v1 for latest features and security updates.

All actions are SHA-pinned for security:

uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Renovate automatically updates these SHAs when new versions are released.

Workflows never log secrets. Use GitHub Secrets or OIDC for authentication:

jobs:
  build:
    uses: samuelho-dev/git-flow/.github/workflows/docker-build-push.yml@v1
    secrets:
      registry-username: ${{ secrets.DOCKER_USERNAME }}
      registry-password: ${{ secrets.DOCKER_TOKEN }}

• SBOM: Software Bill of Materials generated for all images
• Signing: Cosign keyless OIDC signing
• Scanning: Trivy vulnerability scanning
• Provenance: BuildKit provenance attestation

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-workflow)
3. Commit your changes (git commit -m 'Add amazing workflow')
4. Push to the branch (git push origin feature/amazing-workflow)
5. Open a Pull Request

This project is licensed under the MIT License - see the LICENSE file for details.

• All actions curated from awesome-actions
• Built for Kubernetes GitOps with ArgoCD
• Inspired by CNCF project workflows

• Issues: GitHub Issues
• Discussions: GitHub Discussions

Made with ❤️ by Samuel Ho

🤖 Powered by awesome-actions