Reusable GitHub Actions for CI/CD.
actions/gpg-ephemeral-key: Ephemeral key generation for RPM/GPG signingactions/sign-rpm: RPM signing with ephemeral keys.github/workflows/go-build-release.yml: Reusable workflow for GoReleaser builds.github/workflows/docker-build-release.yml: Reusable workflow for multi-arch container image builds.github/workflows/lint-workflows.yml: Reusable workflow that lints workflow files (actionlint + zizmor).github/workflows/govulncheck.yml: Reusable workflow that scans Go modules for known CVEs.github/workflows/dependency-review.yml: Reusable workflow that gates PRs introducing CVE-flagged deps.github/workflows/trivy-image-scan.yml: Reusable workflow that scans built container images for CVEs
Use major version tags for stability:
# For actions
- uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
- uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
# For reusable workflows
jobs:
release:
uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3Pin a commit SHA internally for maximum supply‑chain safety if desired.
Standardized GoReleaser workflow for building and releasing Go applications with:
- Multi-architecture builds (linux/amd64, linux/arm64)
- Flexible pre-build setup steps
- Wraps
goreleaser-actionaction with all .gorelease.yaml configurations - Container image builds and publishing
- Binary and container attestation/signing
- Snapshot builds on pull requests
Usage:
name: GoReleaser
run-name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') && 'Release' || 'Snapshot' }}
on:
workflow_dispatch:
pull_request:
push:
tags:
- v*
jobs:
goreleaser:
name: GoReleaser ${{ startsWith(github.ref, 'refs/tags/v') && 'Release' || 'Snapshot' }}
uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3
with:
pre-build-commands: |
go install github.com/swaggo/swag/cmd/swag@latest
attestation-binary-path: "dist/cloud-init*"
registry-name: ghcr.io/openchami/cloud-init
See the workflow for additional input parameters.
Lints the caller repo's GitHub Actions workflow files.
- actionlint — syntax validation, shellcheck on
run:steps, deprecated-action checks. - zizmor — security-focused static analysis (script injection, excessive permissions, unpinned third-party actions). Uploads SARIF findings to the caller's GitHub Advanced Security tab.
Usage:
name: Lint Workflows
on:
pull_request:
push:
branches: [main]
jobs:
lint:
uses: OpenCHAMI/github-actions/.github/workflows/lint-workflows.yml@v3.4Runs the Go team's vulnerability scanner against the caller's module. Detects known CVEs in the import graph (direct and transitive). Reads the Go version from the caller's go.mod by default.
Usage:
name: govulncheck
on:
pull_request:
push:
branches: [main]
schedule:
- cron: '0 6 * * 1' # weekly catch-up for newly-disclosed CVEs
jobs:
govulncheck:
uses: OpenCHAMI/github-actions/.github/workflows/govulncheck.yml@v3.4PR gate that compares the dependency changes between the PR head and base against GitHub's vulnerability database. Fails the check when the PR introduces a dependency at or above fail-on-severity (default: high). Optionally enforces license policy and posts a summary comment on the PR.
Usage:
name: Dependency Review
on:
pull_request:
jobs:
dependency-review:
uses: OpenCHAMI/github-actions/.github/workflows/dependency-review.yml@v3.4
# Optional overrides:
# with:
# fail-on-severity: moderate
# deny-licenses: GPL-3.0,AGPL-3.0Scans an already-pushed container image with Trivy and uploads SARIF findings to GitHub Advanced Security. Designed to chain after docker-build-release with a digest-pinned image reference.
Usage:
jobs:
build:
uses: OpenCHAMI/github-actions/.github/workflows/docker-build-release.yml@v3.4
with:
registry-name: ghcr.io/openchami/foo
scan:
needs: build
uses: OpenCHAMI/github-actions/.github/workflows/trivy-image-scan.yml@v3.4
with:
image-ref: ghcr.io/openchami/foo:${{ github.sha }}Generates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated GNUPGHOME, signs it with a repo‑scoped subkey you provide, and outputs:
ephemeral-fingerprintephemeral-public-key(base64 of armored)gnupg-home(path for downstream steps)
Signs an RPM using a provided GPG fingerprint (works with the ephemeral key output) and exposes signature verification output.
Trust chain: Ephemeral Key ← Repo Subkey ← Offline Master Key.
Design principles:
- Ephemeral keys reduce exposure window.
- Repo subkeys are easily revocable & rotated.
- Isolated
GNUPGHOMEavoids polluting runner defaults. - Optional cleanup to remove secrets post‑sign.
Key expiration limits future signing only; existing signatures remain valid if the trust chain remains intact.
jobs:
build-and-sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Generate ephemeral key
id: gpg
uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
with:
subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
comment: build:${{ github.run_id }}
cleanup: false # keep for subsequent signing
- name: Build RPM
run: ./scripts/build-rpm.sh
- name: Sign RPM
id: sign
uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
with:
rpm-path: dist/my.rpm
gpg-fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}
gnupg-home: ${{ steps.gpg.outputs.gnupg-home }}
- name: (Optional) Cleanup GNUPGHOME
if: always()
run: rm -rf "${{ steps.gpg.outputs.gnupg-home }}"A future CI workflow will:
- Lint action metadata (actionlint)
- Perform a matrix test invoking each action
- Validate RPM signing round‑trip
- Revoke and replace repo subkeys periodically.
- Update
GPG_SUBKEY_B64secret. - Tag a new release if behavior changes.
- Open issues for feature requests.
- Submit PRs with accompanying test workflow updates.
MIT