This repository acts as a central catalog of reusable workflows for:
- Standardised linting
- Security scanning
- Workflow hardening
- Release preparation & tagging
- Dependency automation
- Slack notifications
- Check-jobs validation
- Code quality enforcement
There are two layers:
- Reusable workflows
  - Live in this repo: .github/workflows/reusable-*.yml
  - Called by other repos via uses: the-lupaxa-project/workflows/.github/workflows/<reusable-workflow>@master
- Local workflows
  - Live in this repo: .github/workflows/local-*.yml
  - Use uses: ./.github/workflows/reusable-*.yml to call the shared logic.
A complete description of each reusable workflow is available in the workflow catalogue which also includes input tables, behaviour notes, and consumer examples.
Across ALL Lupaxa Project repositories, we require ALL 3rd party actions to be pinned to a specific commit SHA NOT a version tag.
To help enforce this, we provide:
- reusable-github-actions-security.yml to check and validate ALL actions are pinned correctly.
- Local security-hardening workflows in consuming repos that call this reusable workflow.
These security-hardening workflows:
- Scan all workflow files under .github/workflows/.
- Fail the build if they detect uses: entries that:
  - Point to 3rd party actions without @<SHA>, or
  - Use @<BRANCH>, or version tags (@<TAG>) that are not allow-listed.
Note: there is one deliberate exception.
Calls to the-lupaxa-project/workflows/.github/workflows/*.yml are explicitly allow-listed in the security-hardening configuration.
This allows all Lupaxa Project repos to reference organisation workflows using @master, for example:
uses: the-lupaxa-project/workflows/.github/workflows/reusable-github-actions-security.yml@master
This provides:
- Automatic updates to shared workflows via this repo.
- Strong SHA pinning for all other third-party actions.
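The pinning rules above (fail on a missing @<SHA>, on @<BRANCH>, or on a version tag that is not allow-listed, but permit calls to the organisation's own the-lupaxa-project/workflows/.github/workflows/*.yml) can be checked with a short scanner. The following is an added illustration, not the code of reusable-github-actions-security.yml or any other workflow in this repo. It assumes a 40-hex-character commit SHA as the pinned form, treats ./ references as in-repo and therefore exempt, and takes tag allow-list entries as "owner/repo@tag" strings; the embedded workflow text is constructed sample input, and the SHA in it is a made-up value.

```python
import re
import sys
from pathlib import Path

# A full-length commit SHA (assumption: 40 lowercase hex characters).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Organisation workflow prefix that the README says is allow-listed (e.g. for @master).
ALLOWLISTED_PREFIX = "the-lupaxa-project/workflows/.github/workflows/"

# Matches `uses:` at job level or as a `- uses:` step; captures the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def classify_uses(ref, allowlisted_tags=frozenset()):
    """Return (status, reason) for one `uses:` value, status being 'ok' or 'fail'."""
    if ref.startswith("./"):
        return "ok", "local workflow or action in this repository"
    if "@" not in ref:
        return "fail", "no @<ref> at all"
    path, _, version = ref.rpartition("@")
    if path.startswith(ALLOWLISTED_PREFIX) and path.endswith(".yml"):
        return "ok", "allow-listed organisation workflow"
    if SHA_RE.fullmatch(version):
        return "ok", "pinned to commit SHA"
    if ref in allowlisted_tags:
        return "ok", "allow-listed version tag"
    return "fail", f"@{version} is a branch or a version tag that is not allow-listed"


def scan_workflow(text, allowlisted_tags=frozenset()):
    """Classify every `uses:` line in one workflow file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            status, reason = classify_uses(ref, allowlisted_tags)
            findings.append((line_no, ref, status, reason))
    return findings


def violations(text, allowlisted_tags=frozenset()):
    """Only the findings that should fail the build."""
    return [f for f in scan_workflow(text, allowlisted_tags) if f[2] == "fail"]


def scan_directory(workflows_dir=".github/workflows", allowlisted_tags=frozenset()):
    """Scan every *.yml / *.yaml file under a workflows directory; returns {path: violations}."""
    results = {}
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        bad = violations(path.read_text(encoding="utf-8"), allowlisted_tags)
        if bad:
            results[str(path)] = bad
    return results


# Constructed sample: a local wrapper workflow that calls the organisation's
# reusable workflow via @master and a local reusable workflow via ./, plus steps
# with a tag, a (made-up) SHA, a branch, and a bare reference.
SAMPLE_WORKFLOW = """\
name: security-scanner
on:
  pull_request:
jobs:
  pinning:
    uses: the-lupaxa-project/workflows/.github/workflows/reusable-github-actions-security.yml@master
  yaml-lint:
    uses: ./.github/workflows/reusable-yaml-linter.yml
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/example-action@main
      - uses: example-org/example-action
"""

if __name__ == "__main__":
    # Run against the embedded sample; exit non-zero on violations like a CI check would.
    for line_no, ref, status, reason in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no:>2} [{status}] {ref}: {reason}")
    sys.exit(1 if violations(SAMPLE_WORKFLOW) else 0)
```

Against the sample, the two organisation/local references and the SHA-pinned step pass, while the @v4 tag, the @main branch and the bare reference fail; adding "actions/checkout@v4" to the allow-list clears the tag finding only. scan_directory() applies the same rules to a real .github/workflows/ directory.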
Reusable workflows
- Location: the-lupaxa-project/workflows/.github/workflows/
- Naming pattern: reusable-<NAME>.yml
- Purpose: reusable primitives and bundles that other repos call.
- Examples:
  - reusable-code-analysis.yml
  - reusable-markdown-linter.yml
  - reusable-secrets-scanner.yml
  - reusable-yaml-linter.yml
Local workflows
- Location: .github/workflows/ in a consuming repository.
- Naming pattern: <NAME>.yml
- Purpose: thin orchestration wrappers that:
  - Define triggers (on:),
  - Group jobs logically,
  - Call one or more reusable-*.yml workflows via uses:.
- Examples:
  - code-analysis.yml
  - markdown-linter.yml
  - security-scanner.yml
  - yaml-linter.yml
© The Lupaxa Project.
Where exploration meets precision.
Where the untamed meets the engineered.