A collection of reusable GitHub Actions for standardizing CI/CD workflows across NVIDIA projects.
| Action | Description | Use Case |
|---|---|---|
| codeql-scan | Static code analysis with CodeQL | Security vulnerability detection |
| trivy-scan | Vulnerability scanning with Trivy | Dependency and container scanning |
| trufflehog-scan | Secret scanning with TruffleHog | Leaked credentials detection |
| semantic-release | Automated versioning and releases | Semantic versioning and changelog |
| resource-push-ngc | Push resources to NGC | Artifact publishing |
| docker-build | Docker Buildx build/push wrapper | Build/push multi-arch OCI images |
| git-tag | Create and push git tag | Tagging releases |
| slack-notify | Send notifications to Slack | CI/CD status notifications |
| Workflow | Description | Use Case |
|---|---|---|
| promote-image | Re-tag and re-publish multi-arch images via skopeo | Promote OCI images across registries |
| docker-build | Reusable workflow wrapper for Docker build/push | Share Docker build logic across repos |
The security scanning actions (codeql-scan and trivy-scan) upload results to GitHub's Code Scanning feature, which requires GitHub Advanced Security (GHAS) to be enabled:
- ✅ Public repositories: Free and automatically available
- ⚠️ Private repositories: Requires GHAS license
Without GHAS enabled, scans will run successfully but uploads will fail. See individual action documentation for workarounds and details:
```yaml
name: Security Checks
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  security:
    runs-on: linux-amd64-cpu4
    steps:
      - uses: actions/checkout@v4
      - name: CodeQL Analysis
        uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
        with:
          languages: "rust"
          build-command: "cargo build --workspace"
      - name: Vulnerability Scan
        uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@main
        with:
          severity: "HIGH,CRITICAL"
          skip-dirs: "target,vendor"
```

```yaml
- name: CodeQL Analysis
  uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
  with:
    languages: "go"
    build-command: "go build ./..."
- name: Vulnerability Scan
  uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@main
```

```yaml
- name: Scan Container Image
  uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@main
  with:
    scan-type: "image"
    scan-ref: "nvcr.io/myorg/myapp:v1.0.0"
    severity: "CRITICAL,HIGH"
```

```yaml
name: Promote OCI Image
on:
  workflow_dispatch:
    inputs:
      new-tag:
        type: string
        required: true
jobs:
  promote:
    uses: NVIDIA/dsx-github-actions/.github/workflows/promote-image.yml@main
    with:
      source: nvcr.io/acme/dev/service
      source_tag: faf3d1
      destination: nvcr.io/acme/stg/service
      destination_tag: ${{ github.event.inputs.new-tag }}
    secrets:
      SOURCE_USERNAME: ${{ secrets.NVCR_DEV_USER }}
      SOURCE_PASSWORD: ${{ secrets.NVCR_DEV_TOKEN }}
      DEST_USERNAME: ${{ secrets.NVCR_STG_USER }}
      DEST_PASSWORD: ${{ secrets.NVCR_STG_TOKEN }}
```

This reusable workflow wraps `skopeo copy`, so it copies the entire manifest list (multi-arch) by default, supports tag-to-tag retagging, and also allows pinning a specific digest by supplying the optional `digest` input. Pass GitHub Container Registry (GHCR) or NVIDIA Container Registry (NGC) credentials through the required `secrets` block to authenticate against different registries, and consume the resulting `${{ needs.promote.outputs.destination_digest }}` output if downstream jobs need the promoted digest.
- CodeQL Scan Action
- Trivy Scan Action
- TruffleHog Secret Scan Action
- Semantic Release Action
- Resource Push NGC Action
- Docker Build Action
- Slack Notify Action
- Workflows Guide
- ✅ Composite Actions: Lightweight, reusable, and flexible
- ✅ Multi-language Support: Go, Rust, Python, JavaScript, C++, Java, C#
- ✅ Comprehensive Security: CodeQL, Trivy, and TruffleHog scanning
- ✅ Secret Detection: 700+ credential types with verification
- ✅ Security Integration: Automatic SARIF upload to GitHub Security tab
- ✅ PR Comments: Automated security findings on pull requests
- ✅ Configurable: Extensive input parameters for customization
- ✅ Well-documented: Comprehensive README for each action
- ✅ Automatic Versioning: Semantic releases on every commit
This repository uses automatic semantic versioning. Tags are automatically created on every push to main using Conventional Commits.
Maximum stability and security - the target action never changes:

```yaml
uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@55d1e0af17fb4431edaca19fbd5c78fecd29d18a
```

Best for: Production, CI/CD pipelines

Maximum stability - version never changes:

```yaml
uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@v1.2.3
```

Best for: Production, CI/CD pipelines

Get patches and features, avoid breaking changes:

```yaml
uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@v1
```

Best for: Most use cases
📦 Updates: Automatically gets v1.x.x updates
🛡️ Safety: Won't update to v2.0.0 (breaking changes)

Always use latest code:

```yaml
uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
```

Version format: `vMAJOR.MINOR.PATCH`
- MAJOR (`v2.0.0`): Breaking changes - update your workflows
- MINOR (`v1.1.0`): New features - backward compatible
- PATCH (`v1.0.1`): Bug fixes - backward compatible

View all releases: GitHub Releases

```bash
# List all tags
git ls-remote --tags https://github.com/NVIDIA/dsx-github-actions.git
```

This repository uses automatic semantic versioning:
- 🤖 Automated: Tags are created automatically on push to `main`
- 📝 Conventional Commits: Version bumps based on commit messages
- 📦 Dual Tags: Both specific (`v1.2.3`) and major (`v1`) tags are created

See: Release Workflow Documentation for details.
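A quick way to audit which of the pinning styles above a workflow actually uses, as an added example (a bash script written for this page, not code from dsx-github-actions): it classifies every `uses:` reference in a workflow file and counts those that are not pinned to a commit SHA. The sample workflow embedded at the bottom is constructed for the demonstration.

```bash
# Added example, not code from the dsx-github-actions repository: classify each
# `uses:` reference in a workflow file by how it is pinned. Only a 40-hex commit
# SHA is immutable; @v1, @v1.2.3 and @main can all change underneath the workflow.
set -eu

# Classify one reference: sha (40-hex commit), tag (semver-like), branch (any
# other ref), local (./path inside the repository), none (no @ref at all).
classify_ref() {
  local ref="$1" r
  case "$ref" in ./*) echo local; return ;; esac
  r="${ref##*@}"
  if [ "$r" = "$ref" ]; then echo none
  elif printf '%s' "$r" | grep -Eq '^[0-9a-f]{40}$'; then echo sha
  elif printf '%s' "$r" | grep -Eq '^v?[0-9]+(\.[0-9]+){0,2}$'; then echo tag
  else echo branch
  fi
}

# Print the value of every `uses:` key in a workflow (comments, quotes stripped).
list_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//; s/["'"'"']//g; s/[[:space:]]*$//' \
    | grep -v '^$' || true
}

# Print "<kind> <ref>" for each reference so a reviewer can eyeball the report.
audit_uses() {
  list_uses "$1" | while IFS= read -r ref; do
    printf '%s %s\n' "$(classify_ref "$ref")" "$ref"
  done
}

# Number of references that are neither SHA-pinned nor local to the repository.
count_mutable_uses() {
  audit_uses "$1" | grep -Evc '^(sha|local) ' || true
}

# Constructed sample workflow mixing the pinning styles shown in this README.
SAMPLE="$(mktemp)"; trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: NVIDIA/dsx-github-actions/.github/actions/trufflehog-scan@55d1e0af17fb4431edaca19fbd5c78fecd29d18a
      - uses: "NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main"  # floating ref
      - uses: ./.github/actions/my-action
EOF
audit_uses "$SAMPLE"
```

Run it against `.github/workflows/*.yml` in a consuming repository; a non-zero mutable count is the list of references to consider moving to a commit SHA.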
```yaml
name: Security
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  scan:
    runs-on: linux-amd64-cpu4
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Required for TruffleHog
      # Secret scanning
      - uses: NVIDIA/dsx-github-actions/.github/actions/trufflehog-scan@55d1e0af17fb4431edaca19fbd5c78fecd29d18a
        with:
          post-pr-comment: "true"
      # Code analysis
      - uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@55d1e0af17fb4431edaca19fbd5c78fecd29d18a
        with:
          languages: "go"
          post-pr-comment: "true"
      # Vulnerability scanning
      - uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@55d1e0af17fb4431edaca19fbd5c78fecd29d18a
        with:
          post-pr-comment: "true"
```

```yaml
jobs:
  codeql:
    runs-on: linux-amd64-cpu4
    timeout-minutes: 360
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
        with:
          languages: "rust"
          build-command: "cargo build --workspace"
  trivy-scan:
    runs-on: linux-amd64-cpu4
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@main
```

```yaml
jobs:
  build-and-scan:
    runs-on: linux-amd64-cpu4
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      # Scan for secrets in source code
      - name: Secret Scan
        uses: NVIDIA/dsx-github-actions/.github/actions/trufflehog-scan@main
        with:
          post-pr-comment: "true"
      - name: Build Container
        run: docker build -t myapp:${{ github.sha }} .
      # Scan container for vulnerabilities
      - name: Scan Container
        uses: NVIDIA/dsx-github-actions/.github/actions/trivy-scan@main
        with:
          scan-type: "image"
          scan-ref: "myapp:${{ github.sha }}"
          post-pr-comment: "true"
```

This repository ships with a pre-commit configuration to lint YAML, trim whitespace, run ShellCheck on shell scripts, and execute actionlint against GitHub workflows before every commit.
- Install `pre-commit` (pick one): `pipx install pre-commit`, `pip install pre-commit`, or `brew install pre-commit`
- Run `pre-commit install` at the repository root to enable the git hook.
- Run `pre-commit run --all-files` once to ensure every workflow and shell script passes ShellCheck/actionlint.

If CI still fails, execute `pre-commit run actionlint --all-files` or `pre-commit run shellcheck --all-files` locally to focus on the failing hook.
- Create action in `.github/actions/my-action/`
- Add `action.yml` and `README.md`
- Test with multiple projects
- Update this README
- Create version tag
```
.github/
├── actions/
│   ├── codeql-scan/          # Static code analysis (CodeQL)
│   ├── trivy-scan/           # Vulnerability scanning (Trivy)
│   ├── trufflehog-scan/      # Secret scanning (TruffleHog)
│   ├── docker-build/         # Docker build/push wrapper
│   ├── semantic-release/     # Automated versioning and releases
│   ├── resource-push-ngc/    # NGC resources publishing
│   ├── git-tag/              # Create and push git tag
│   └── slack-notify/         # Send Slack notifications
└── workflows/
    ├── release.yml           # Automatic semantic versioning
    ├── promote-image.yml     # Promote image across registries
    ├── docker-build.yml      # Reusable Docker build/push wrapper
    └── README.md             # Workflows documentation
CONTRIBUTING.md               # Contribution guidelines
LICENSE                       # Apache 2.0
SECURITY.md                   # Security policy
README.md                     # This file
```
Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
Licensed under the Apache License, Version 2.0. See LICENSE for details.