core-github-actions-templates

GitHub Actions composite actions for the Elvia organization.

These actions are mainly intended for internal use at Elvia, but are open-source and can be used by anyone! They encapsulate common tasks that we perform using GitHub Actions, such as building and deploying applications, running tests, and scanning for vulnerabilities.

Note that some actions are specifically tailored to our infrastructure and will not work outside our organization, see here for more information.


Examples

The files beginning with example- in the folder .github/workflows are working examples of how to use these actions. Both of these examples require you to have added your system/application to the list in the github-repositories-terraform repository. This is needed for the Build and Deploy actions to work correctly.

You can also click on the 'Actions' tab on your repository and click 'New workflow' to get a selection of Elvia templates. Some values in these templates are placeholders and need to be replaced with your own values; anything resembling <your xxx here> should be replaced. See the GitHub docs for more detailed information.

Elvia runners

We strongly recommend using Elvia's self-hosted GitHub Actions runners for all actions. Several of our actions use optimizations only available on Elvia runners, and will run slower on GitHub-hosted runners. To use the Elvia runners, simply replace runs-on: ubuntu-latest with runs-on: elvia-runner in your workflow file.

See core-github-actions-runner for more information about the Elvia runners.

Actions Documentation

Build

Builds a Docker image, signs it using Cosign, scans it for vulnerabilities using Trivy and pushes it to either Azure Container Registry or GitHub Container Registry. This action is a wrapper around the 3lv CLI build command (3lv build). To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to github-repositories-terraform.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `ACR_NAME` | Name of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| `AZURE_CLIENT_ID` | Client ID of a service principal that can push to Azure Container Registry. | no | |
| `AZURE_TENANT_ID` | Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `docker-additional-tags` | Comma-separated list of additional tags to add to the image, e.g. `latest,v1.0.0`. | no | |
| `docker-build-args` | Comma-separated list of build arguments to pass to Docker when building, e.g. `ARG1=value1,ARG2=value2`. | no | |
| `docker-build-context` | Docker build context, i.e. the working directory needed to build the Docker image, relative to the root of the repository. Defaults to the directory of `project-file`. | no | |
| `docker-cache-tag` | Tag used for getting build cache from the registry. This tag is also pushed on every build, together with `github.sha-github.run_number`. This action will not push a `latest` tag; if you want a `latest` tag, use this input or `docker-additional-tags`. | no | `latest-cache` |
| `docker-disable-cache` | Disable Docker layer caching. When `true`, the build will not use cached layers from the registry. Defaults to `true` on re-runs and manual workflow dispatches, ensuring fresh builds pick up security patches. | no | `${{ github.run_attempt > 1 \|\| github.event_name == 'workflow_dispatch' }}` |
| `go-main-package-directory` | Where the main package directory for Go projects is located, e.g. `./cmd/my-app`. Defaults to `./`. | no | |
| `name` | Name of the application. This will be used as the image name. For Elvia applications, do not include the namespace. | yes | |
| `namespace` | Namespace or system of the application. Required for Elvia applications. | no | |
| `project-file` | Path to a `.csproj` file for .NET, a `go.mod` file for Go, a `pyproject.toml` file for Python or a Dockerfile for any other project, e.g. `applications/my-app/my-app.csproj`, `pkg/my-app/go.mod`, `pyproject.toml` or `src/Dockerfile`. If you require files outside the directory of the `project-file` to build your application, you will need to set `docker-build-context`. | no | |
| `push` | If `true`, the action will push the Docker image to the registry. | no | `true` |
| `registry` | Which container registry to use; Azure Container Registry (ACR) and GitHub Container Registry (GHCR) are supported. Set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action authenticates with the registry depending on the URL, i.e. whether it contains `azurecr.io` or `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry will be used by default; set `ACR_NAME`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` explicitly to point to your own ACR. Using ACR requires the `id-token: write` permission to access the registry using OIDC. If set to a GHCR registry, the action will push to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry. | no | |
| `severity` | Severity levels to scan for. See the Trivy documentation for more information. | no | `CRITICAL` |
| `sign-image` | If `true`, the action will sign the Docker image with Cosign. | no | `true` |
| `trivy-cve-ignores` | Comma-separated list of CVEs for Trivy to ignore. See the Trivy documentation for syntax. | no | |
| `trivy-post-comment` | If `true`, the action will post a comment to the PR with the Trivy scan results. The comment will only be posted if the action is run on a pull request. Requires the `pull-requests: write` permission to be set for the job. | no | `false` |
| `trivy-upload-report` | If `true`, the action will upload Trivy scan results to GitHub Advanced Security. Requires GitHub Advanced Security to be enabled for the repository, and the `actions: read` and `security-events: write` permissions to be set for the job. | no | `false` |

Outputs

| Name | Description |
| --- | --- |
| `image` | Same as `image-name-with-digest`. |
| `image-digest` | Digest of the Docker image that was built. |
| `image-name-with-digest` | Name of the Docker image that was built, including the digest. |
| `image-name-with-tag` | Name of the Docker image that was built, including the tag. |
| `image-repository` | Repository name of the Docker image that was built. |

Permissions

This action requires the following base permissions:

  • actions: read
  • contents: read
  • id-token: write
  • pull-requests: write
  • security-events: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Build
  uses: 3lvia/core-github-actions-templates/build@trunk
  with:
    ACR_NAME:
    # Name of the Azure Container Registry to push to. Only required if using your own ACR.
    #
    # Required: no

    AZURE_CLIENT_ID:
    # Client ID of a service principal that can push to Azure Container Registry.
    #
    # Required: no

    AZURE_TENANT_ID:
    # Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR.
    #
    # Required: no

    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    docker-additional-tags:
    # Comma-separated list of additional tags to add to the image, e.g. `latest,v1.0.0`.
    #
    # Required: no

    docker-build-args:
    # Comma-separated list of build arguments to pass to Docker when building, e.g. `ARG1=value1,ARG2=value2`.
    #
    # Required: no

    docker-build-context:
    # Docker build context, which is the working directory needed to build the Docker image. This is relative to the root of the repository. Defaults to the directory of `project-file`.
    #
    # Required: no

    docker-cache-tag:
    # Tag used for getting build cache from registry. This tag is also pushed on every build, together with `github.sha-github.run_number`. This action will not push a `latest` tag; if you want a `latest` tag, you can use this input or `docker-additional-tags`.
    #
    # Default: 'latest-cache'

    docker-disable-cache:
    # Disable Docker layer caching. When `true`, the build will not use cached layers from the registry. Defaults to `true` on re-runs and manual workflow dispatches, ensuring fresh builds pick up security patches.
    #
    # Required: no
    # Default: '${{ github.run_attempt > 1 || github.event_name == 'workflow_dispatch' }}'

    go-main-package-directory:
    # Where the main package directory for Go projects is located, e.g. `./cmd/my-app`. Defaults to `./`
    #
    # Required: no

    name:
    # Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.
    #
    # Required: yes

    namespace:
    # Namespace or system of the application. Required for Elvia applications.
    #
    # Required: no

    project-file:
    # Path to a `.csproj`-file for .NET, a `go.mod` file for Go, a `pyproject.toml` file for Python or a Dockerfile for any other project. E.g. `applications/my-app/my-app.csproj`, `pkg/my-app/go.mod`, `pyproject.toml` or `src/Dockerfile`. If you require files outside the directory of the `project-file` to build your application, you will need to set `docker-build-context`.
    #
    # Required: no

    push:
    # If `true`, the action will push the Docker image to the registry.
    #
    # Required: no
    # Default: 'true'

    registry:
    # Which container registry to use; Azure Container Registry (ACR) and GitHub Container Registry (GHCR) are supported. Set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action authenticates with the registry depending on the URL, i.e. whether it contains `azurecr.io` or `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry will be used by default; set `ACR_NAME`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` explicitly to point to your own ACR. Using ACR requires the `id-token: write` permission to access the registry using OIDC. If set to a GHCR registry, the action will push to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry.
    #
    # Required: no

    severity:
    # Severity levels to scan for. See [Trivy documentation](https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs) for more information.
    #
    # Required: no
    # Default: 'CRITICAL'

    sign-image:
    # If `true`, the action will sign the Docker image with Cosign.
    #
    # Required: no
    # Default: 'true'

    trivy-cve-ignores:
    # Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax.
    #
    # Required: no

    trivy-post-comment:
    # If `true`, the action will post a comment to the PR with the Trivy scan results. The comment will only be posted if the action is run on a pull request. Requires the permission `pull-requests: write` to be set for the job.
    #
    # Required: no
    # Default: 'false'

    trivy-upload-report:
    # If `true`, the action will upload Trivy scan results to GitHub Advanced Security. Requires GitHub Advanced Security to be enabled for the repository, and the permissions `actions: read` and `security-events: write` to be set for the job.
    #
    # Required: no
    # Default: 'false'

Deploy

Deploys an application to Kubernetes using the Elvia Helm chart. This action is a wrapper around the 3lv CLI deploy command (3lv deploy). To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to github-repositories-terraform.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `AKS_CLUSTER_NAME` | Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AKS_RESOURCE_GROUP` | Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AKS_SUBSCRIPTION_ID` | Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AZURE_CLIENT_ID` | Client ID of a service principal that has access to AKS. Only required for deploying to AKS. | no | |
| `AZURE_TENANT_ID` | Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| `GC_SERVICE_ACCOUNT` | Service account to use for deploying to GKE. Only required for deploying to GKE. | no | |
| `GC_WORKLOAD_IDENTITY_PROVIDER` | Workload identity provider to use for deploying to GKE. Only required for deploying to GKE. | no | |
| `GKE_CLUSTER_LOCATION` | Location of the GKE cluster to deploy to. | no | `europe-west1` |
| `GKE_CLUSTER_NAME` | Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `GKE_PROJECT_ID` | Project ID of GKE to deploy to. Defaults to Elvia's normal clusters. | no | |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dry-run` | Simulate the deployment without actually deploying. | no | `false` |
| `environment` | Environment to deploy to. | yes | |
| `helm-chart-repository-url` | Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart. | no | |
| `helm-values-file` | Path to Helm values file, relative to the root of the repository. | no | `.github/deploy/values.yml` |
| `helm-values-path` | ⚠️ DEPRECATED: Please use `helm-values-file` instead, which is a drop-in replacement. `helm-values-path` will be removed in the future. ⚠️ Path to Helm values file, relative to the root of the repository. | no | |
| `name` | Name of the application. Do not include the namespace. | yes | |
| `namespace` | Namespace or system of the application. | yes | |
| `override-image-tag` | Overrides the default image tag of `github.sha-github.run_number`. This should not normally be set; only change this if you know what you are doing. | no | |
| `runtime-cloud-provider` | Kubernetes cloud provider to deploy to: `AKS`, `GKE` or `ISS` (Elvia only). | no | `AKS` |
| `slack-channel` | Slack channel to notify on failure. Leave empty to disable notifications. | no | |
| `workload-type` | The type of workload to deploy to Kubernetes. Must be `deployment`, `statefulset` or `job`. | no | `deployment` |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Deploy
  uses: 3lvia/core-github-actions-templates/deploy@trunk
  with:
    AKS_CLUSTER_NAME:
    # Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AKS_RESOURCE_GROUP:
    # Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AKS_SUBSCRIPTION_ID:
    # Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AZURE_CLIENT_ID:
    # Client ID of a service principal that has access to AKS. Only required for deploying to AKS.
    #
    # Required: no

    AZURE_TENANT_ID:
    # Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    GC_SERVICE_ACCOUNT:
    # Service account to use for deploying to GKE. Only required for deploying to GKE.
    #
    # Required: no

    GC_WORKLOAD_IDENTITY_PROVIDER:
    # Workload identity provider to use for deploying to GKE. Only required for deploying to GKE.
    #
    # Required: no

    GKE_CLUSTER_LOCATION:
    # Location of the GKE cluster to deploy to.
    #
    # Required: no
    # Default: 'europe-west1'

    GKE_CLUSTER_NAME:
    # Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    GKE_PROJECT_ID:
    # Project ID of GKE to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dry-run:
    # Simulate the deployment without actually deploying.
    #
    # Required: no
    # Default: 'false'

    environment:
    # Environment to deploy to.
    #
    # Required: yes

    helm-chart-repository-url:
    # Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart.
    #
    # Required: no

    helm-values-file:
    # Path to Helm values file, relative to the root of the repository.
    #
    # Required: no
    # Default: '.github/deploy/values.yml'

    name:
    # Name of application. Do not include namespace.
    #
    # Required: yes

    namespace:
    # Namespace or system of the application.
    #
    # Required: yes

    override-image-tag:
    # Overrides the default image tag of 'github.sha-github.run_number'. **This should not normally be set; only change this if you know what you are doing.**
    #
    # Required: no
    # Default: ''

    runtime-cloud-provider:
    # Kubernetes cloud provider to deploy to: `AKS`, `GKE` or ISS (Elvia only).
    #
    # Required: no
    # Default: 'AKS'

    slack-channel:
    # Slack channel to notify on failure. Leave empty to disable notifications.
    #
    # Required: no
    # Default: ''

    workload-type:
    # The type of workload to deploy to Kubernetes. Must be `deployment`, `statefulset` or `job`.
    #
    # Required: no
    # Default: 'deployment'
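A complete workflow that wires the Build and Deploy actions documented above together, with per-job least-privilege permissions. This is an added illustration, not one of the repository's own example workflows; the application name `my-app`, the system `my-system`, the project file path and the `dev` environment are assumptions you replace with your own values.

```yaml
# .github/workflows/build-and-deploy.yml (added example; names and paths are assumptions)
name: Build and deploy

on:
  push:
    branches: [trunk]
  pull_request:
    branches: [trunk]

# Grant nothing at the workflow level; each job lists exactly what its action needs.
permissions: {}

jobs:
  build:
    runs-on: elvia-runner
    permissions:
      contents: read
      id-token: write          # OIDC login to Elvia's ACR and Cosign signing
      actions: read            # required by trivy-upload-report
      security-events: write   # required by trivy-upload-report
      pull-requests: write     # required by trivy-post-comment
    outputs:
      image: ${{ steps.build.outputs.image }}   # digest-pinned image name for later jobs
    steps:
      - name: Build
        id: build
        uses: 3lvia/core-github-actions-templates/build@trunk
        with:
          name: my-app                               # assumed application name
          namespace: my-system                       # assumed Elvia system/namespace
          project-file: src/my-app/my-app.csproj     # assumed .NET project
          severity: CRITICAL,HIGH                    # stricter than the CRITICAL default
          trivy-post-comment: true                   # only posts when triggered by a PR
          trivy-upload-report: true                  # needs GitHub Advanced Security

  deploy-dev:
    needs: build
    if: github.event_name == 'push'    # never deploy from a pull request
    runs-on: elvia-runner
    environment: dev                   # assumed environment name; protection rules apply here
    permissions:
      contents: read
      id-token: write                  # OIDC login to AKS
    steps:
      - name: Deploy
        uses: 3lvia/core-github-actions-templates/deploy@trunk
        with:
          name: my-app
          namespace: my-system
          environment: dev
          helm-values-file: .github/deploy/values.yml   # the default, shown for clarity
          workload-type: deployment

      # Record which exact image went out, by digest, in the run summary.
      # The value is passed through env rather than interpolated into the script body.
      - name: Record deployed image
        env:
          IMAGE: ${{ needs.build.outputs.image }}
        run: echo "Deployed image: $IMAGE" >> "$GITHUB_STEP_SUMMARY"
```

Deploy resolves the image by the `github.sha-github.run_number` tag that Build pushes, so the two jobs belong in the same workflow run and `override-image-tag` is not needed. Both actions check out the repository themselves (`checkout` defaults to `true`), so no separate `actions/checkout` step is required.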

Unit Test

Run .NET unit tests.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `coverlet-runsettings-file` | Path to a coverlet runsettings file, relative to the root of the repository. If not specified, no runsettings file will be used for coverlet. | no | |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `test-coverage` | If test coverage should be computed. Requires that all test projects include the NuGet package `coverlet.collector`. | no | `false` |
| `test-projects` | Pattern to use to find test projects. | no | `unit*test*csproj` |
| `working-directory` | Will run unit tests on projects under this working directory. | no | `./` |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Unit Test
  uses: 3lvia/core-github-actions-templates/unittest@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    coverlet-runsettings-file:
    # Path to a coverlet runsettings file, relative to the root of the repository. If not specified, no runsettings file will be used for coverlet.
    #
    # Required: no
    # Default: ''

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    test-coverage:
    # If test coverage should be computed. Requires that all test projects include the Nuget package coverlet.collector.
    #
    # Required: no
    # Default: 'false'

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: 'unit*test*csproj'

    working-directory:
    # Will run unit tests on projects under this working directory.
    #
    # Required: no
    # Default: './'

Integration Test

Run .NET integration tests.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `environment` | Environment is used to find the correct Vault instance. | yes | `dev` |
| `slack-channel` | Slack channel to notify on failure. Leave empty to disable notifications. | no | |
| `system` | System is used to log in to Vault using the correct role. | yes | |
| `test-projects` | Pattern to use to find test projects. | no | `integration*test*csproj` |
| `working-directory` | Will run integration tests on projects under this working directory. | no | `./` |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Integration Test
  uses: 3lvia/core-github-actions-templates/integrationtest@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    environment:
    # Environment is used to find correct Vault instance.
    #
    # Required: yes
    # Default: 'dev'

    slack-channel:
    # Slack channel to notify on failure. Leave empty to disable notifications.
    #
    # Required: no
    # Default: ''

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: 'integration*test*csproj'

    working-directory:
    # Will run integration tests on projects under this working directory.
    #
    # Required: no
    # Default: './'

Analyze

Run CodeQL analysis.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `go-version` | Version of Go to use. Only used if `language` is set to `go`. | no | `stable` |
| `language` | Language to run CodeQL analysis on. Use a matrix strategy to run for multiple languages. | no | `csharp` |
| `upload-results` | If `true`, the action will upload CodeQL results to GitHub Security Code Scanning. If `false`, the action will not upload results. | no | `true` |
| `working-directory` | Will run CodeQL analysis on projects under this working directory. | no | `./` |

Permissions

This action requires the following base permissions:

  • actions: read
  • contents: read
  • security-events: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Analyze
  uses: 3lvia/core-github-actions-templates/analyze@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    go-version:
    # Version of Go to use. Only used if `language` is set to `go`.
    #
    # Required: no
    # Default: 'stable'

    language:
    # Language to run CodeQL analyze on. Use a matrix strategy to run for multiple languages.
    #
    # Required: no
    # Default: 'csharp'

    upload-results:
    # If `true` the action will upload CodeQL results to GitHub Security Code Scanning. If `false`, the action will not upload results.
    #
    # Required: no
    # Default: 'true'

    working-directory:
    # Will run CodeQL Analysis on projects under this working directory.
    #
    # Required: no
    # Default: './'
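The `language` input says to use a matrix strategy for multiple languages; here is that strategy spelled out as a full workflow, added as an illustration rather than taken from the repository. One Analyze job runs per language, with only the base permissions listed above. The two languages and their working directories are assumptions.

```yaml
# .github/workflows/codeql.yml (added example; directories are assumptions)
name: CodeQL

on:
  push:
    branches: [trunk]
  pull_request:
    branches: [trunk]
  schedule:
    - cron: '30 4 * * 1'   # weekly run so new CodeQL queries are applied to unchanged code too

permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: elvia-runner
    permissions:
      actions: read
      contents: read
      security-events: write   # upload-results defaults to true and needs this
    strategy:
      fail-fast: false         # a failing C# analysis should not cancel the Go one
      matrix:
        include:
          - language: csharp
            dir: ./src           # assumed location of the .NET solution
          - language: go
            dir: ./cmd/my-tool   # assumed location of the Go module
    steps:
      - name: Analyze
        uses: 3lvia/core-github-actions-templates/analyze@trunk
        with:
          language: ${{ matrix.language }}
          working-directory: ${{ matrix.dir }}
```

`go-version` is left at its `stable` default and is ignored for the `csharp` entry. Results from each matrix job land in the repository's Security tab separately per language.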

SonarCloud

Run SonarCloud scanning on .NET code.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-coverage-runsettings-file` | Path to a dotnet-coverage runsettings file, relative to the root of the repository. If not specified, no runsettings file will be used for dotnet-coverage. | no | |
| `github-token` | Should normally be `secrets.GITHUB_TOKEN`. | yes | |
| `sonarcloud-project-key` | The SonarCloud project key or id. Normally on the form `3lvia_repo-name`. The project must be manually created on sonarcloud.io. | yes | |
| `sonarcloud-token` | Should normally be `secrets.SONAR_TOKEN`. | yes | |
| `test-projects` | Pattern to use to find test projects. | no | `*unit*test*csproj` |
| `working-directory` | Will run SonarCloud on projects under this working directory. | no | `./` |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: SonarCloud
  uses: 3lvia/core-github-actions-templates/sonarcloud@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-coverage-runsettings-file:
    # Path to a dotnet-coverage runsettings file, relative to the root of the repository. If not specified, no runsettings file will be used for dotnet-coverage.
    #
    # Required: no
    # Default: ''

    github-token:
    # Should normally be `secrets.GITHUB_TOKEN`.
    #
    # Required: yes

    sonarcloud-project-key:
    # The SonarCloud project key or id. Normally on the form `3lvia_repo-name`. The project must be manually created on sonarcloud.io.
    #
    # Required: yes

    sonarcloud-token:
    # Should normally be `secrets.SONAR_TOKEN`.
    #
    # Required: yes

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: '*unit*test*csproj'

    working-directory:
    # Will run SonarCloud on projects under this working directory.
    #
    # Required: no
    # Default: './'

Trivy IaC scan

Uses Trivy to scan IaC and report security issues. The action will report any vulnerabilities to GitHub Advanced Security, which will be visible in the Security tab on GitHub. If this action is run on a pull request, GitHub Advanced Security will give a detailed report of any vulnerabilities introduced by new changes in the pull request.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `path` | Path to the directory containing the IaC files. | no | `.` |
| `severity` | Severity levels to scan for. Can be any combination of `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `UNKNOWN`. Multiple values must be comma-separated. | no | `CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN` |
| `skip-dirs` | Comma-separated list of directories to skip. | no | |
| `trivyignore` | Path to the Trivy ignore file (`.trivyignore`) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to add more CVEs to ignore, add them to `.trivyignore`, or create a new file and specify the path here. See the Trivy documentation for more information. | no | `.trivyignore` |
| `upload-report` | Whether or not to upload the report generated by Trivy to the GitHub Security tab. GitHub Advanced Security must be enabled for the repository to use this feature. | no | `true` |

Permissions

This action requires the following base permissions:

  • actions: read
  • contents: read
  • security-events: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Trivy IaC scan
  uses: 3lvia/core-github-actions-templates/trivy-iac-scan@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    path:
    # Path to the directory containing the IaC files.
    #
    # Required: no
    # Default: '.'

    severity:
    # Severity levels to scan for. Can be any combination of `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `UNKNOWN`. Multiple values must be comma-separated.
    #
    # Required: no
    # Default: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

    skip-dirs:
    # Comma-separated list of directories to skip.
    #
    # Required: no

    trivyignore:
    # Path to the Trivy ignore file (`.trivyignore`) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to add more CVEs to ignore, add them to `.trivyignore`, or create a new file and specify the path here. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-finding-ids) for more information.
    #
    # Required: no
    # Default: '.trivyignore'

    upload-report:
    # Whether or not to upload the report generated by Trivy to the GitHub *Security* tab. GitHub Advanced Security must be enabled for the repository to use this feature.
    #
    # Required: no
    # Default: 'true'

Playwright Test

Run Playwright tests written in .NET.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `configuration` | Value to set for the `--configuration` flag when running `dotnet test`. | no | `Debug` |
| `environment` | Environment is used to find the correct Vault instance. | yes | |
| `system` | System is used to log in to Vault using the correct role. | yes | |
| `test-project` | Name of the test project file to run. | yes | |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Playwright Test
  uses: 3lvia/core-github-actions-templates/playwright@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    configuration:
    # Value to set for the `--configuration` flag when running `dotnet test`.
    #
    # Required: no
    # Default: 'Debug'

    environment:
    # Environment is used to find correct Vault instance.
    #
    # Required: yes

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

    test-project:
    # Name of test project file to run.
    #
    # Required: yes

Validate Metrics

Runs a PromQL query on Grafana Cloud. Returns success (return code 0) if the query has a result. Returns failure if the result is empty (return code 1).

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| environment | Environment is used to find correct Vault instance. | yes | |
| query | PromQL query string. | yes | |
| system | System is used to log in to Vault using correct role. | yes | |

Permissions

This action requires the following base permissions:

  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Validate Metrics
  uses: 3lvia/core-github-actions-templates/validate-metrics@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    environment:
    # Environment is used to find correct vault instance.
    #
    # Required: yes

    query:
    # PromQL query string.
    #
    # Required: yes

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

Verify Edna Deploy

Checks whether a certain metric has been updated after the deployment happened. Returns success (return code 0) if the query has a result. Returns failure if the result is empty (return code 1).

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| application | Application name is used in the derived PromQL query. | yes | |
| checkout | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| environment | Environment is used to find correct Vault instance. | yes | |
| system | System name is used in the derived PromQL query. | yes | |
| topic | Topic name is used in the derived PromQL query. | yes | |
| type | `publisher` or `consumer`. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Verify Edna Deploy
  uses: 3lvia/core-github-actions-templates/verify-edna-deploy@trunk
  with:
    application:
    # Application name is used in the derived PromQL query.
    #
    # Required: yes

    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    environment:
    # Environment is used to find correct vault instance.
    #
    # Required: yes

    system:
    # System name is used in the derived PromQL query.
    #
    # Required: yes

    topic:
    # Topic name is used in the derived PromQL query.
    #
    # Required: yes

    type:
    # publisher or consumer.
    #
    # Required: yes
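
The success/failure rule shared by Validate Metrics and Verify Edna Deploy (exit 0 when the query has a result, exit 1 when it is empty), as an added Python example that is not the repository's own code: it shows what "empty" means in the JSON a Prometheus-compatible instant-query endpoint returns, and treats an API error as a failure so a malformed query cannot pass a deployment gate. The responses are constructed samples; the `/api/v1/query` path and bearer-token header in `fetch_instant_query` are assumptions about the endpoint layout, and the query Verify Edna Deploy derives from its inputs is not reproduced here because the README does not state it.

```python
import json
import sys
import urllib.parse
import urllib.request

# Constructed: what an instant query returns when the series exists.
RESPONSE_WITH_RESULT = json.dumps({
    "status": "success",
    "data": {
        "resultType": "vector",
        "result": [
            {"metric": {"__name__": "up", "job": "api"}, "value": [1700000000, "1"]}
        ],
    },
})

# Constructed: a syntactically valid query that matches nothing.
RESPONSE_EMPTY = json.dumps({
    "status": "success",
    "data": {"resultType": "vector", "result": []},
})

# Constructed: the API rejecting a malformed query.
RESPONSE_ERROR = json.dumps({
    "status": "error",
    "errorType": "bad_data",
    "error": 'invalid parameter "query": parse error',
})


def has_result(body):
    """True only if the API answered successfully AND returned at least one sample.

    An API error counts as 'no result': a broken query must not look like a
    healthy metric to the workflow that gates on it.
    """
    payload = json.loads(body)
    if payload.get("status") != "success":
        return False
    return len(payload.get("data", {}).get("result", [])) > 0


def exit_code_for(body):
    """0 when the query has a result, 1 otherwise; the contract both actions describe."""
    return 0 if has_result(body) else 1


def fetch_instant_query(base_url, query, bearer_token):
    """Run a PromQL instant query over HTTP (assumed endpoint layout; not used offline)."""
    url = f"{base_url.rstrip('/')}/api/v1/query?{urllib.parse.urlencode({'query': query})}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    if len(sys.argv) == 4:  # base_url query token -> real check, exit code is the verdict
        sys.exit(exit_code_for(fetch_instant_query(*sys.argv[1:])))
    for name, body in [("hit", RESPONSE_WITH_RESULT), ("empty", RESPONSE_EMPTY), ("error", RESPONSE_ERROR)]:
        print(name, "->", exit_code_for(body))
```

Run without arguments it prints the verdict for the three constructed responses; with a base URL, a query and a token it performs the real check and exits with the code a workflow step would see.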

Slack Message

Sends a message to a Slack channel.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| environment | Environment is used to find the correct Vault instance. | no | `dev` |
| message | Message to send to the Slack channel. | yes | |
| namespace | ⚠️ DEPRECATED: Please use `system` instead, which is a drop-in replacement. `namespace` will be removed in the future. ⚠️ Namespace is used to find the correct Vault role. | no | |
| slack-channel | Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel. | yes | |
| system | System is used to find the correct Vault role. | no | |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Slack Message
  uses: 3lvia/core-github-actions-templates/slack-message@trunk
  with:
    environment:
    # Environment is used to find the correct Vault instance.
    #
    # Required: no
    # Default: 'dev'

    message:
    # Message to send to the Slack channel.
    #
    # Required: yes

    slack-channel:
    # Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel.
    #
    # Required: yes

    system:
    # System is used to find the correct Vault role.
    #
    # Required: no

Vulnerabilities Slack Alert

Fetches vulnerabilities from the GitHub Security Advisory API and sends a message to a Slack channel with a list of new vulnerabilities from the past week.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| environment | Environment is used to find the correct Vault instance. | no | `dev` |
| github-token | GitHub token is used to authenticate on behalf of the GitHub Actions workflow and for interacting with the GitHub API. You can use the GitHub secret `GITHUB_TOKEN`. | yes | |
| max-alerts | Maximum number of vulnerabilities to show in the Slack alert. By default, the top 3 most severe vulnerabilities are shown. | no | `3` |
| slack-channel | Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel. | yes | |
| sort-by-newest | Sorts vulnerabilities by newest first. Set to `true` to have the vulnerabilities shown in order with newest first. By default the list is grouped by severity and then sorted by date created. | no | `false` |
| system | System is used to find the correct Vault role. | no | |

Permissions

This action requires the following base permissions:

  • contents: read
  • security-events: read

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Vulnerabilities Slack Alert
  uses: 3lvia/core-github-actions-templates/vulnerabilities-slack-alert@trunk
  with:
    environment:
    # Environment is used to find the correct Vault instance.
    #
    # Required: no
    # Default: 'dev'

    github-token:
    # GitHub token is used to authenticate on behalf of the GitHub Actions workflow and for interacting with the GitHub API. You can use the GitHub secret `GITHUB_TOKEN`.
    #
    # Required: yes

    max-alerts:
    # Maximum number of vulnerabilities to show in the Slack alert. By default, the top 3 most severe vulnerabilities are shown.
    #
    # Required: no
    # Default: '3'

    slack-channel:
    # Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel.
    #
    # Required: yes

    sort-by-newest:
    # Sorts vulnerabilities by newest first. Set to `true` to have the vulnerabilities shown in order with newest first. By default the list is grouped by severity and then sorted by date created.
    #
    # Required: no
    # Default: 'false'

    system:
    # System is used to find the correct Vault role.
    #
    # Required: no
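
The selection rules that `max-alerts` and `sort-by-newest` describe (past week only; grouped by severity and then by creation date, or purely newest first; capped at N), as an added Python example that is not the action's own code. The alerts are constructed, the `created_at` / `security_advisory.severity` field shape is an assumption modelled on GitHub's Dependabot alert objects rather than something this README states, and ordering newest-first within a severity group is this example's choice where the README only says "sorted by date created".

```python
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed alerts; numbers and summaries are placeholders, not real advisories.
SAMPLE_ALERTS = [
    {"number": 1, "created_at": "2024-06-09T08:00:00Z", "security_advisory": {"severity": "low", "summary": "A"}},
    {"number": 2, "created_at": "2024-06-04T08:00:00Z", "security_advisory": {"severity": "critical", "summary": "B"}},
    {"number": 3, "created_at": "2024-06-08T08:00:00Z", "security_advisory": {"severity": "high", "summary": "C"}},
    {"number": 4, "created_at": "2024-06-06T08:00:00Z", "security_advisory": {"severity": "high", "summary": "D"}},
    {"number": 5, "created_at": "2024-05-20T08:00:00Z", "security_advisory": {"severity": "critical", "summary": "E"}},  # older than a week
]


def parse_ts(value):
    """GitHub timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def new_in_past_week(alerts, now=NOW):
    """Alerts created in the seven days before `now`."""
    cutoff = now - timedelta(days=7)
    return [a for a in alerts if parse_ts(a["created_at"]) >= cutoff]


def select_alerts(alerts, max_alerts=3, sort_by_newest=False, now=NOW):
    """Apply the documented defaults: most severe first (newest first within a
    severity, this example's choice), or purely newest first when requested."""
    recent = new_in_past_week(alerts, now)
    if sort_by_newest:
        ordered = sorted(recent, key=lambda a: parse_ts(a["created_at"]), reverse=True)
    else:
        ordered = sorted(
            recent,
            key=lambda a: (
                SEVERITY_RANK.get(a["security_advisory"]["severity"], 99),  # unknown severity sorts last
                -parse_ts(a["created_at"]).timestamp(),
            ),
        )
    return ordered[:max_alerts]


def format_slack_text(alerts, max_alerts=3, sort_by_newest=False, now=NOW):
    """Plain-text body for the Slack message; the count covers all new alerts
    even when only `max_alerts` of them are listed."""
    recent = new_in_past_week(alerts, now)
    lines = [f"{len(recent)} new vulnerability alert(s) in the past week (showing up to {max_alerts}):"]
    for a in select_alerts(alerts, max_alerts, sort_by_newest, now):
        adv = a["security_advisory"]
        lines.append(f"- [{adv['severity'].upper()}] {adv['summary']} (alert #{a['number']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_slack_text(SAMPLE_ALERTS))
    print()
    print(format_slack_text(SAMPLE_ALERTS, sort_by_newest=True))
```

Note the trade-off the two orderings make: severity-first guarantees the critical alert appears even when `max-alerts` is small, while newest-first can push it out of the list if enough low-severity alerts arrived after it.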

ISS Tag & Push Image

Pulls image from GHCR, re-tags it and pushes it to GCR.

Only useful for ISS deployments.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| new-image-name | Name of the Docker image to push to GCR, without the tag. | yes | |
| old-image-name-with-tag | Name of the Docker image to pull from GHCR, including the tag. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • packages: read

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: ISS Tag & Push Image
  uses: 3lvia/core-github-actions-templates/iss-tag-push-image@trunk
  with:
    new-image-name:
    # Name of the Docker image to push to GCR, without the tag.
    #
    # Required: yes

    old-image-name-with-tag:
    # Name of the Docker image to pull from GHCR, including the tag.
    #
    # Required: yes

Vault

Get secrets from Elvia's Vault for use in GitHub Actions.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| environment | Environment is used to find correct Vault instance. | no | `dev` |
| exportToken | Whether to export the Vault token as an environment variable. Set this to `true` if you need to be authenticated to Vault in subsequent steps. | no | `false` |
| secrets | Secrets to fetch from Vault; see [here](https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets) for syntax. | no | |
| system | System name is used to log in to Vault using the correct role. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Vault
  uses: 3lvia/core-github-actions-templates/vault@trunk
  with:
    environment:
    # Environment is used to find correct Vault instance.
    #
    # Required: no
    # Default: 'dev'

    exportToken:
    # Whether to export the Vault token as an environment variable. Set this to `true` if you need to be authenticated to Vault in subsequent steps.
    #
    # Required: no
    # Default: 'false'

    secrets:
    # Secrets to fetch from Vault; see [here](https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets) for syntax.
    #
    # Required: no

    system:
    # System name is used to log in to Vault using the correct role.
    #
    # Required: yes
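
A parser for the multi-secret syntax the `secrets` input passes on to hashicorp/vault-action (`path key | OUTPUT_NAME`, entries separated by newlines or `;`), as an added Python example that is not the repository's own code. Listing what each entry resolves to before granting a role access is a cheap least-privilege check, so the example also renders a read-only Vault policy covering exactly the paths requested. The paths are constructed placeholders, not Elvia's real mount layout, and the rule that a missing output name falls back to the key name (uppercased for the environment variable) is an assumption about vault-action's behaviour.

```python
import re

# Constructed: what a workflow might pass as the `secrets` input. The first two
# entries name their outputs explicitly; the third relies on the default.
SAMPLE_SECRETS_INPUT = """
secret/data/ci/registry username | REGISTRY_USER ;
secret/data/ci/registry password | REGISTRY_PASSWORD
secret/data/ci/api apiKey
"""

ENTRY_RE = re.compile(r"(\S+)\s+(\S+)(?:\s*\|\s*(\S+))?")


def env_name(output):
    """Environment-variable form of an output name (assumed normalisation)."""
    return re.sub(r"[^A-Za-z0-9_]", "_", output).upper()


def parse_secrets_input(text):
    """Split the input into (path, key, output, env) records; refuse entries that
    do not fit the syntax rather than guessing, since a mis-parsed entry would
    request the wrong secret."""
    entries = []
    for raw in re.split(r"[;\n]", text):
        entry = raw.strip()
        if not entry:
            continue
        match = ENTRY_RE.fullmatch(entry)
        if not match:
            raise ValueError(f"cannot parse secret request: {entry!r}")
        path, key, output = match.groups()
        output = output or key  # assumed default: output named after the key
        entries.append({"path": path, "key": key, "output": output, "env": env_name(output)})
    return entries


def required_paths(entries):
    """Distinct Vault paths the workflow needs read access to."""
    return sorted({e["path"] for e in entries})


def read_only_policy(entries):
    """Vault policy (HCL) granting only `read` on exactly the requested paths."""
    return "\n".join(
        f'path "{p}" {{\n  capabilities = ["read"]\n}}' for p in required_paths(entries)
    )


if __name__ == "__main__":
    parsed = parse_secrets_input(SAMPLE_SECRETS_INPUT)
    for e in parsed:
        print(f"{e['path']} [{e['key']}] -> output {e['output']}, env {e['env']}")
    print(read_only_policy(parsed))
```

Comparing the policy this prints with the one attached to the role that `system` maps to shows whether the role can reach more than the workflow asks for; that matters most when `exportToken` is `true`, because the exported token carries the role's full policy into every subsequent step.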

Elvia-specific Actions

The actions listed below are specific to Elvia's infrastructure and will not work outside our organization:

Development

Formatting

We use Prettier to format the README and yaml files. See the installation guide for how to install it.

Run Prettier with this command:

prettier -w --single-quote "**/*.yml" "**/*.md"
# OR
prettier -w --single-quote --end-of-line crlf "**/*.yml" "**/*.md"

Action documentation & table of contents

Documentation in the README is auto-generated for any actions in the repository using 3lvia/gh-actions-docs. The table of contents is also auto-generated, using the headers in this README. To add documentation for a new action, add these two tags to the README.md file:

<!-- gh-actions-docs-start path=my-new-action/action.yml owner=3lvia project=core-github-actions-templates version=trunk -->
<!-- gh-actions-docs-end -->

Replace `path` with the path to the action yaml file from the root of the repository. The fields `owner`, `project` and `version` are optional, but should be set to `3lvia`, `core-github-actions-templates` and `trunk` respectively. The field `permissions` is also optional, but should be set to the permissions required for the action to run, e.g. `permissions=actions:read,contents:read`.

The documentation will then be auto-generated, added to the table of contents and committed on push to the trunk branch.
