These are the reusable workflows that RaBe uses for CI/CD β»οΈ
See below for copy-pasteable examples of the provided actions.
The examples use @v0.0.0 as the target version of the action. You NEED to replace that with the current tag of this repository and also create the following .github/dependabot.yaml.
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
commit-message:
prefix: "ci: "If you need multiple actions to happen then it's up to you to combine them as needed. Please add an example if you use the same combo more than once.
We have workflows for testing Ansible collections on GitHub Actions and for releasing your Ansible collections to Galaxy.
Create the main .github/workflows/release.yaml file for an ansible collection repo:
name: Release
on:
release:
types:
- published
jobs:
release-ansible-collection:
uses: radiorabe/actions/.github/workflows/release-ansible-collection.yaml@v0.0.0
with:
publish: true # (1)
secrets:
GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }} # (2)- Set
publishtofalseto skip publishing the collection to Galaxy (defaults totrue). - The
GALAXY_API_KEYis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
The collections we publish with this can be found on our Galaxy page.
Create the main .github/workflows/test.yaml file for an ansible collection repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-ansible-collection:
uses: radiorabe/actions/.github/workflows/test-ansible-collection.yaml@v0.0.0
with:
path: '.' # (1)- Optionally set
pathto run ansible-lint in a specific subdirectory (defaults to., i.e. the repository root).
There are actions to cover the full lifecycle of a typical container image.
To build, scan, and sign a container image, create this .github/workflows/release.yaml:
name: Release
on:
pull_request:
push:
branches:
- main
tags:
- '*'
jobs:
release-container:
uses: radiorabe/actions/.github/workflows/release-container.yaml@v0.0.0
with:
image: 'ghcr.io/radiorabe/<name>' # (1)
name: <name> # (2)
display-name: <display-name> # (3)
tags: <tags> # (4)
cosign-verify: true # (5)
cosign-certificate-oidc-issuer: [issues] # (6)
cosign-certificate-identity-regexp: [regexp] # (7)
cosign-base-image-only: [true] # (8)
dockerfile: [Dockerfile] # (9)
context: [.] # (10)
build-args: "" # (11)
platforms: "linux/amd64,linux/arm64" # (12)
docker-daemon-config: | # (13)
{
"features": {
"containerd-snapshotter": true
}
}
push-default-branch: false # (14)
pre-script: "" # (15)- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-prefix removed. - Replace the name with the stem of the image
- Put a human friendly string into display-name.
- Tags are usually
minimal rhel9 rabeplus additional tags for the image at hand. - Enable image scanning. This only needs to be disabled for base image that we don't sign ourself.
- Defaults to GitHub as an issuer and only needs tuning in special cases.
- The default
https://github.com/radiorabe/.*allows signatures from all of our orga, add a more specific regexp if you feel the need. - Pass
--base-image-onlyto cosign if you are copying binaries from a source image that isn't signed with cosign. - Specify the path to the Dockerfile if it isn't in the root of the repository.
- Specify the context directory for Docker build.
- Build ARGs for the container image build, formatted as
KEY=valueand separated by newlines if more than one arg is needed. - Pass a comma separated list of platforms to build multi-platform images.
Used with
linux/amd64,linux/arm64to build arm compatible images. - Required if building multi-platform images with
platformsso the docker daemon can export the built images for further processing. - Push the image when the default branch (typically
main) is pushed to the registry. - Run a script before interacting with the Dockerfile.
As a last step, it is recommended to add trivy.* to both your .gitignore
and .dockerignore files so trivy can't interfere with multi-stage builds.
To scan the latest container image with trivy at regular intervals, create this .github/workflows/schedule.yaml:
name: Scheduled tasks
on:
schedule:
- cron: '13 12 * * *'
workflow_dispatch:
jobs:
schedule-trivy:
uses: radiorabe/actions/.github/workflows/schedule-trivy.yaml@v0.0.0
with:
image-ref: 'ghcr.io/radiorabe/<name>:latest' # (1)
timeout: '5m0s' # (2)- Replace this with the actual name of the image, usually something like the
name of your repo with maybe a
container-image-prefix removed. - Optionally set
timeoutto change the scan timeout duration (defaults to5m0s).
Create the main .github/workflows/test.yaml file for a project that supports pre-commit:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0This runs pre-commit with black, isort and flake8 installed. If you need more tools you can install them with pip.
jobs:
pre-commit:
uses: radiorabe/actions/.github/workflows/test-pre-commit.yaml@v0.0.0
with:
requirements: black isortOur Python workflows use Poetry for installing dependencies, pytest for testing, and Poetry for publishing to pypi.
Create the main .github/workflows/test.yaml file for a Python poetry repo:
name: Lint and Test
on:
pull_request:
branches:
- main
jobs:
test-python-poetry:
uses: radiorabe/actions/.github/workflows/test-python-poetry.yaml@v0.0.0
with:
version: '3.12' # (1)- The
versioninput specifies the Python version to test against (defaults to3.12). The latest3.xis always tested additionally as an allowed failure.
Configure your pyproject.toml to run pytest and you are good to go.
Create this .github/workflows/release.yaml:
name: Release
on:
pull_request:
push:
branches: [main]
release:
types: [created]
jobs:
python-poetry:
uses: radiorabe/actions/.github/workflows/release-python-poetry.yaml@v0.0.0
secrets:
RABE_PYPI_TOKEN: ${{ secrets.RABE_PYPI_TOKEN }} # (1)- The
RABE_PYPI_TOKENis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
Configure your pyproject.toml for releasing and your mkdocs.yml to generate proper documentation and you are good to go.
For repos that contain documentation built with mkdocs that do not use the poetry action.
Create a .github/workflows/release.yaml file with the following content:
name: Release
on:
push:
branches:
- main
pull_request:
jobs:
release-mkdocs:
uses: radiorabe/actions/.github/workflows/release-mkdocs.yaml@v0.0.0Add a mkdocs.yml config and docs/ directory and you are good to go.
For repos that want to use go-semantic-release:
Create this .github/workflows/semantic-release.yaml:
name: Semantic Release
on:
push:
branches:
- main
- release/*
jobs:
semantic-release:
uses: radiorabe/actions/.github/workflows/semantic-release.yaml@v0.0.0
secrets:
RABE_ITREAKTION_GITHUB_TOKEN: ${{ secrets.RABE_ITREAKTION_GITHUB_TOKEN }} # (1)- The
RABE_ITREAKTION_GITHUB_TOKENis shared across our repos and can be enabled for your repo by a GitHub organisation admin.
These reusable workflows are free software: you can redistribute them and/or modify them under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3 of the License.
Copyright (c) 2022 Radio Bern RaBe