
The Lupaxa Project: Reusable Workflows

This repository acts as a central catalog of reusable workflows for:

  • Standardised linting
  • Security scanning
  • Workflow hardening
  • Release preparation & tagging
  • Dependency automation
  • Slack notifications
  • Check-jobs validation
  • Code quality enforcement

There are two layers:

  1. Reusable workflows

    • Live in this repo: .github/workflows/reusable-*.yml
    • Called by other repos via uses: the-lupaxa-project/workflows/.github/workflows/<reusable-workflow>@master
  2. Local workflows

    • Live in this repo: .github/workflows/local-*.yml
    • Use uses: ./.github/workflows/reusable-*.yml to call the shared logic.

A complete description of each reusable workflow is available in the workflow catalogue which also includes input tables, behaviour notes, and consumer examples.

General policy

Across ALL Lupaxa Project repositories, we require ALL 3rd-party actions to be pinned to a specific commit SHA, NOT a version tag.

To help enforce this, we provide:

  • reusable-github-actions-security.yml to check that ALL actions are pinned correctly.
  • Local security-hardening workflows in consuming repos that call this reusable workflow.

These security-hardening workflows:

  • Scan all workflow files under .github/workflows/.
  • Fail the build if they detect uses: entries that:
    • Point to 3rd-party actions without an @<SHA>, or
    • Use a branch (@<BRANCH>) or a version tag (@<TAG>) that is not allow-listed.

Note

There is one deliberate exception:

Calls to the-lupaxa-project/workflows/.github/workflows/*.yml are explicitly allow-listed in the security-hardening configuration.

This allows all Lupaxa Project repos to reference organisation workflows using @master, for example:

  uses: the-lupaxa-project/workflows/.github/workflows/reusable-github-actions-security.yml@master

This provides:

  • Automatic updates to shared workflows via this repo.
  • Strong SHA pinning for all other third-party actions.

The trade-off is that every consuming repo runs whatever is on this repo's master at the time of the run, so protecting write access to that branch matters as much as the pinning itself.
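The following is an added example of the check the security-hardening workflows perform (scan every file under .github/workflows/, reject unpinned third-party uses: entries, and honour the single allow-list exception for this repo's workflows on @master). It is illustrative code written for this page, not the contents of reusable-github-actions-security.yml; the allow-list structure, the sample workflow files and the 40-hex placeholder SHA are all constructed here.

```python
"""Hypothetical GitHub Actions pinning checker (added example, not the Lupaxa tooling)."""
import fnmatch
import re
import sys
from typing import Dict, List, Optional, Set

# Allow-list: glob over the action/workflow path -> refs permitted without a SHA.
# Mirrors the one exception described above; the glob itself is this example's.
ALLOWLIST: Dict[str, Set[str]] = {
    "the-lupaxa-project/workflows/.github/workflows/*.yml": {"master"},
}

# Matches `uses:` as a job key or a step item, with or without quotes; stops at a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Full SHA-1 only; abbreviated SHAs are rejected (this example's choice, not stated on the page).
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(reference: str) -> Optional[str]:
    """Return a violation message for one `uses:` value, or None if it is acceptable."""
    if reference.startswith("./"):
        return None  # local action/workflow in the same repo: not a third-party reference
    if "@" not in reference:
        return f"{reference}: no @<ref>; third-party actions must be pinned to a commit SHA"
    path, ref = reference.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return None  # pinned to a full commit SHA
    for pattern, refs in ALLOWLIST.items():
        if fnmatch.fnmatch(path, pattern) and ref in refs:
            return None  # explicitly allow-listed branch/tag for this path
    return f"{reference}: @{ref} is a branch or tag that is not allow-listed"


def scan_workflows(files: Dict[str, str]) -> List[str]:
    """Scan {path: yaml text} and return 'path:line: message' for every violation."""
    violations: List[str] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = USES_RE.match(line)
            if not match:
                continue
            problem = check_uses(match.group(1))
            if problem:
                violations.append(f"{path}:{lineno}: {problem}")
    return violations


# Constructed sample: two consuming-repo workflows following the naming convention below.
# The setup-python SHA is a placeholder, not a real commit.
SAMPLE_FILES: Dict[str, str] = {
    ".github/workflows/yaml-linter.yml": (
        "name: YAML Linter\n"
        "on:\n  pull_request:\n"
        "jobs:\n  lint:\n"
        "    uses: the-lupaxa-project/workflows/.github/workflows/reusable-yaml-linter.yml@master\n"
    ),
    ".github/workflows/code-analysis.yml": (
        "name: Code Analysis\n"
        "on:\n  push:\n"
        "jobs:\n  analyse:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5\n"
        "      - uses: some-org/some-action@main\n"
        "      - uses: actions/cache\n"
        "      - uses: ./.github/actions/local-helper\n"
    ),
}

if __name__ == "__main__":
    found = scan_workflows(SAMPLE_FILES)
    for violation in found:
        print(violation)
    sys.exit(1 if found else 0)  # non-zero fails the build, as the policy requires
```

Run against the constructed sample, the org workflow on @master passes, the SHA-pinned step passes, the local action is skipped, and the three remaining entries (a version tag, a branch, and a bare reference with no @) are reported, with the script exiting non-zero.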

Naming Conventions

Reusable workflows

  • Location: the-lupaxa-project/workflows/.github/workflows/
  • Naming pattern: reusable-<NAME>.yml
  • Purpose: reusable primitives and bundles that other repos call.

Examples

  • reusable-code-analysis.yml
  • reusable-markdown-linter.yml
  • reusable-secrets-scanner.yml
  • reusable-yaml-linter.yml

Consuming workflows

  • Location: .github/workflows/ in a consuming repository.
  • Naming pattern: <NAME>.yml
  • Purpose: thin orchestration wrappers that:
    • Define triggers (on:),
    • Group jobs logically,
    • Call one or more reusable-*.yml workflows via uses:.

Examples

  • code-analysis.yml
  • markdown-linter.yml
  • security-scanner.yml
  • yaml-linter.yml

© The Lupaxa Project.
Where exploration meets precision.
Where the untamed meets the engineered.