core-github-actions-templates

GitHub Actions composite actions for the Elvia organization.

These actions are mainly intended for internal use at Elvia, but are open-source and can be used by anyone! They encapsulate common tasks that we perform using GitHub Actions, such as building and deploying applications, running tests, and scanning for vulnerabilities.

Note that some actions are specifically tailored to our infrastructure and will not work outside our organization, see here for more information.

Examples

The files beginning with example- in the folder .github/workflows are working examples of how to use these actions. Both of these examples require you to have added your system/application to the list in the github-repositories-terraform repository. This is needed for the Build and Deploy actions to work correctly.

You can also click on the 'Actions' tab on your repository and click 'New workflow' to get a selection of Elvia templates. Some values in these templates are placeholders and need to be replaced with your own values; anything resembling <your xxx here> should be replaced. See the GitHub docs for more detailed information.

Elvia runners

We strongly recommend using Elvia's self-hosted GitHub Actions runners for all actions. Several of our actions use optimizations only available on Elvia runners, and will run slower on GitHub-hosted runners. To use the Elvia runners, simply replace runs-on: ubuntu-latest with runs-on: elvia-runner in your workflow file.

See core-github-actions-runner for more information about the Elvia runners.

Actions Documentation

Build

Builds a Docker image, scans it for vulnerabilities using Trivy and pushes it to either Azure Container Registry or GitHub Container Registry. This action is a wrapper around the 3lv CLI build command (3lv build). To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to github-repositories-terraform.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| ACR_NAME | Name of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| AZURE_CLIENT_ID | Client ID of a service principal that can push to Azure Container Registry. | no | |
| AZURE_TENANT_ID | Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| csproj-file | ⚠️ DEPRECATED: Please use project-file instead, which is a drop-in replacement. csproj-file will be removed in the future. ⚠️ Path to a csproj-file, e.g. src/my-app/my-app.csproj. | no | |
| docker-additional-tags | Comma-separated list of additional tags to add to the image. | no | |
| docker-build-context | Docker build context, which is the working directory needed to build the Docker image. This is relative to the root of the repository. Defaults to the directory of project-file. | no | |
| docker-cache-tag | Tag used for getting build cache from the registry. This tag is also pushed on every build, together with github.sha-github.run_number. This action will not push a latest tag; if you want a latest tag, you can use this input or docker-additional-tags. | no | latest-cache |
| dockerfile | ⚠️ DEPRECATED: Please use project-file instead, which is a drop-in replacement. dockerfile will be removed in the future. ⚠️ Path to a Dockerfile, e.g. src/Dockerfile. | no | |
| go-main-package-dir | Where the main package directory for Go projects is located, e.g. ./cmd/my-app. Defaults to ./cmd/inputs.name. | no | |
| name | Name of application. This will be used as the image name. For Elvia applications, do not include the namespace. | yes | |
| namespace | Namespace or system of the application. Required for Elvia applications. | no | |
| project-file | Path to a .csproj-file for .NET, a go.mod file for Go, a pyproject.toml file for Python or a Dockerfile for any other project. E.g. applications/my-app/my-app.csproj, pkg/my-app/go.mod, pyproject.toml or src/Dockerfile. If you require files outside the directory of the project-file to build your application, you will need to set docker-build-context. | no | |
| push | If true, the action will push the Docker image to the registry. | no | true |
| registry | What container registry to use; we support Azure Container Registry (ACR) and GitHub Container Registry (GHCR). Set this to the URL of the registry you want to use, e.g. ghcr.io/3lvia or myregistry.azurecr.io. The action will authenticate with the registry depending on the value of the URL, i.e. whether the URL contains azurecr.io or ghcr.io. If set to an ACR registry, Elvia's private Azure Container Registry will be used by default; you can also set ACR_NAME, AZURE_CLIENT_ID and AZURE_TENANT_ID explicitly to point to your own ACR. Using ACR requires the permission id-token: write to access the registry using OIDC. If set to a GHCR registry, the action will push to the GitHub Container Registry of the repository. Using GHCR requires the packages: write permission to push to the registry. | no | |
| severity | Severity levels to scan for. See Trivy documentation for more information. | no | CRITICAL |
| trivy-cve-ignores | Comma-separated list of CVEs for Trivy to ignore. See Trivy documentation for syntax. | no | |
| trivy-post-comment | If true, the action will post a comment to the PR with the Trivy scan results. The comment will only be posted if the action is run on a pull request. This action requires the permission pull-requests: write to be set for the job. | no | false |
| trivy-upload-report | If true, the action will upload Trivy scan results to GitHub Advanced Security. This action requires GitHub Advanced Security to be enabled for the repository, and the permissions actions: read and security-events: write to be set for the job. | no | false |

Outputs

| Name | Description |
| --- | --- |
| image-name | Name of the Docker image that was built, with tag. |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Build
  uses: 3lvia/core-github-actions-templates/build@trunk
  with:
    ACR_NAME:
    # Name of the Azure Container Registry to push to. Only required if using your own ACR.
    #
    # Required: no

    AZURE_CLIENT_ID:
    # Client ID of a service principal that can push to Azure Container Registry.
    #
    # Required: no

    AZURE_TENANT_ID:
    # Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR.
    #
    # Required: no

    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    docker-additional-tags:
    # Comma-separated list of additional tags to add to the image.
    #
    # Required: no

    docker-build-context:
    # Docker build context, which is the working directory needed to build the Docker image. This is relative to the root of the repository. Defaults to the directory of `project-file`.
    #
    # Required: no

    docker-cache-tag:
    # Tag used for getting build cache from registry. This tag is also pushed on every build, together with `github.sha-github.run_number`. This action will not push a `latest` tag; if you want a `latest` tag, you can use this input or `docker-additional-tags`.
    #
    # Default: 'latest-cache'

    go-main-package-dir:
    # Where the main package directory for Go projects is located, e.g. `./cmd/my-app`. Defaults to `./cmd/inputs.name`.
    #
    # Required: no

    name:
    # Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.
    #
    # Required: yes

    namespace:
    # Namespace or system of the application. Required for Elvia applications.
    #
    # Required: no

    project-file:
    # Path to a `.csproj`-file for .NET, a `go.mod` file for Go, a `pyproject.toml` file for Python or a Dockerfile for any other project. E.g. `applications/my-app/my-app.csproj`, `pkg/my-app/go.mod`, `pyproject.toml` or `src/Dockerfile`. If you require files outside the directory of the `project-file` to build your application, you will need to set `docker-build-context`.
    #
    # Required: no

    push:
    # If `true`, the action will push the Docker image to the registry.
    #
    # Required: no
    # Default: 'true'

    registry:
    # What container registry to use; we support Azure Container Registry (ACR) and GitHub Container Registry (GHCR). Set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action will authenticate with the registry depending on the value of the URL, i.e. whether the URL contains `azurecr.io` or `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry will be used by default; you can also set `ACR_NAME`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` explicitly to point to your own ACR. Using ACR requires the permission `id-token: write` to access the registry using OIDC. If set to a GHCR registry, the action will push to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry.
    #
    # Required: no

    severity:
    # Severity levels to scan for. See [Trivy documentation](https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs) for more information.
    #
    # Required: no
    # Default: 'CRITICAL'

    trivy-cve-ignores:
    # Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax.
    #
    # Required: no

    trivy-post-comment:
    # If `true`, the action will post a comment to the PR with the Trivy scan results. The comment will only be posted if the action is run on a pull request. This action requires the permission `pull-requests: write` to be set for the job.
    #
    # Required: no
    # Default: 'false'

    trivy-upload-report:
    # If `true`, the action will upload Trivy scan results to GitHub Advanced Security. This action requires GitHub Advanced Security to be enabled for the repository, and the permissions `actions: read` and `security-events: write` to be set for the job.
    #
    # Required: no
    # Default: 'false'

Deploy

Deploys an application to Kubernetes using the Elvia Helm chart. This action is a wrapper around the 3lv CLI deploy command (3lv deploy). To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to github-repositories-terraform.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| AKS_CLUSTER_NAME | Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| AKS_RESOURCE_GROUP | Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| AKS_SUBSCRIPTION_ID | Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| AZURE_CLIENT_ID | Client ID of a service principal that has access to AKS. Only required for deploying to AKS. | no | |
| AZURE_TENANT_ID | Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| GC_SERVICE_ACCOUNT | Service account to use for deploying to GKE. Only required for deploying to GKE. | no | |
| GC_WORKLOAD_IDENTITY_PROVIDER | Workload identity provider to use for deploying to GKE. Only required for deploying to GKE. | no | |
| GKE_CLUSTER_LOCATION | Location of the GKE cluster to deploy to. | no | europe-west1 |
| GKE_CLUSTER_NAME | Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| GKE_PROJECT_ID | Project ID of GKE to deploy to. Defaults to Elvia's normal clusters. | no | |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| environment | Environment to deploy to. | yes | |
| helm-chart-repository-url | Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart. | no | '' |
| helm-values-file | Path to Helm values file, relative to the root of the repository. | no | .github/deploy/values.yml |
| helm-values-path | ⚠️ DEPRECATED: Please use helm-values-file instead, which is a drop-in replacement. helm-values-path will be removed in the future. ⚠️ Path to Helm values file, relative to the root of the repository. | no | |
| name | Name of application. Do not include namespace. | yes | |
| namespace | Namespace or system of the application. | yes | |
| runtime-cloud-provider | Kubernetes cloud provider to deploy to: AKS, GKE or ISS (Elvia only). | no | AKS |
| slack-channel | Slack channel to notify on failure. Leave empty to disable notifications. | no | '' |
| workload-type | The type of workload to deploy to Kubernetes. Must be deployment or statefulset. | no | deployment |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Deploy
  uses: 3lvia/core-github-actions-templates/deploy@trunk
  with:
    AKS_CLUSTER_NAME:
    # Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AKS_RESOURCE_GROUP:
    # Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AKS_SUBSCRIPTION_ID:
    # Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    AZURE_CLIENT_ID:
    # Client ID of a service principal that has access to AKS. Only required for deploying to AKS.
    #
    # Required: no

    AZURE_TENANT_ID:
    # Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    GC_SERVICE_ACCOUNT:
    # Service account to use for deploying to GKE. Only required for deploying to GKE.
    #
    # Required: no

    GC_WORKLOAD_IDENTITY_PROVIDER:
    # Workload identity provider to use for deploying to GKE. Only required for deploying to GKE.
    #
    # Required: no

    GKE_CLUSTER_LOCATION:
    # Location of the GKE cluster to deploy to.
    #
    # Required: no
    # Default: 'europe-west1'

    GKE_CLUSTER_NAME:
    # Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    GKE_PROJECT_ID:
    # Project ID of GKE to deploy to. Defaults to Elvia's normal clusters.
    #
    # Required: no

    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    environment:
    # Environment to deploy to.
    #
    # Required: yes

    helm-chart-repository-url:
    # Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart.
    #
    # Required: no
    # Default: ''

    helm-values-file:
    # Path to Helm values file, relative to the root of the repository.
    #
    # Required: no
    # Default: '.github/deploy/values.yml'

    name:
    # Name of application. Do not include namespace.
    #
    # Required: yes

    namespace:
    # Namespace or system of the application.
    #
    # Required: yes

    runtime-cloud-provider:
    # Kubernetes cloud provider to deploy to: `AKS`, `GKE` or `ISS` (Elvia only).
    #
    # Required: no
    # Default: 'AKS'

    slack-channel:
    # Slack channel to notify on failure. Leave empty to disable notifications.
    #
    # Required: no
    # Default: ''

    workload-type:
    # The type of workload to deploy to Kubernetes. Must be `deployment` or `statefulset`.
    #
    # Required: no
    # Default: 'deployment'
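A complete workflow that wires the Build and Deploy actions together on Elvia runners, added here as an illustration; it is not one of the repository's own example- workflow files. It assumes a .NET application called my-app in the my-namespace system (both constructed names), that the repository is already registered in github-repositories-terraform, that the registry input can be left at its default, and that the Validate Metrics system value is the same as the namespace; the PromQL query and Slack channel are constructed too.

```yaml
name: Build and deploy

on:
  push:
    branches: [trunk]
  pull_request:
    branches: [trunk]

env:
  # Constructed values: replace with your own application name and system.
  APP_NAME: my-app
  APP_NAMESPACE: my-namespace

jobs:
  build:
    # Elvia runners are recommended; several of the actions are optimized for them.
    runs-on: elvia-runner
    permissions:
      contents: read
      id-token: write        # OIDC login to the container registry
      pull-requests: write   # needed only because trivy-post-comment is enabled
    steps:
      - name: Build
        uses: 3lvia/core-github-actions-templates/build@trunk
        with:
          name: ${{ env.APP_NAME }}
          namespace: ${{ env.APP_NAMESPACE }}
          project-file: applications/my-app/my-app.csproj   # assumed path
          severity: CRITICAL,HIGH
          # Post the Trivy findings on the pull request (no comment is posted on push events).
          trivy-post-comment: true
          # Pull-request builds are scanned but not pushed; only trunk builds are pushed.
          push: ${{ github.ref == 'refs/heads/trunk' }}

  deploy-dev:
    needs: build
    if: github.ref == 'refs/heads/trunk'
    runs-on: elvia-runner
    environment: dev
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Deploy
        uses: 3lvia/core-github-actions-templates/deploy@trunk
        with:
          name: ${{ env.APP_NAME }}
          namespace: ${{ env.APP_NAMESPACE }}
          environment: dev
          # Helm values are read from the default .github/deploy/values.yml.
          slack-channel: '#my-team-alerts'   # constructed channel name

      - name: Validate metrics
        uses: 3lvia/core-github-actions-templates/validate-metrics@trunk
        with:
          environment: dev
          system: ${{ env.APP_NAMESPACE }}   # assumes system and namespace coincide
          # Constructed PromQL: the step fails if no instance of the app reports as up.
          query: 'up{namespace="my-namespace", app="my-app"} == 1'
```

The deploy job is gated on trunk so pull requests only get the scanned build, and the metrics check turns a silent failed rollout into a failed job.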

Unit Test

Run .NET unit tests.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| dotnet-tool-manifest | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of working-directory for the build. | no | ./.config/dotnet-tools.json |
| test-coverage | If test coverage should be computed. Requires that all test projects include the NuGet package coverlet.collector. | no | false |
| test-projects | Pattern to use to find test projects. | no | unit*test*csproj |
| working-directory | Will run unit tests on projects under this working directory. | no | ./ |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Unit Test
  uses: 3lvia/core-github-actions-templates/unittest@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    test-coverage:
    # If test coverage should be computed. Requires that all test projects include the NuGet package coverlet.collector.
    #
    # Required: no
    # Default: 'false'

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: 'unit*test*csproj'

    working-directory:
    # Will run unit tests on projects under this working directory.
    #
    # Required: no
    # Default: './'

Integration Test

Run .NET integration tests.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| dotnet-tool-manifest | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of working-directory for the build. | no | ./.config/dotnet-tools.json |
| environment | Environment is used to find the correct Vault instance. | yes | dev |
| slack-channel | Slack channel to notify on failure. Leave empty to disable notifications. | no | '' |
| system | System is used to log in to Vault using the correct role. | yes | |
| test-projects | Pattern to use to find test projects. | no | integration*test*csproj |
| working-directory | Will run integration tests on projects under this working directory. | no | ./ |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Integration Test
  uses: 3lvia/core-github-actions-templates/integrationtest@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    environment:
    # Environment is used to find correct Vault instance.
    #
    # Required: yes
    # Default: 'dev'

    slack-channel:
    # Slack channel to notify on failure. Leave empty to disable notifications.
    #
    # Required: no
    # Default: ''

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: 'integration*test*csproj'

    working-directory:
    # Will run integration tests on projects under this working directory.
    #
    # Required: no
    # Default: './'

Analyze

Run CodeQL analysis.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| dotnet-tool-manifest | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of working-directory for the build. | no | ./.config/dotnet-tools.json |
| language | Language to run CodeQL analysis on. Use a matrix strategy to run for multiple languages. | no | csharp |
| upload-results | If true, the action will upload CodeQL results to GitHub Security Code Scanning. If false, the action will not upload results. | no | true |
| working-directory | Will run CodeQL analysis on projects under this working directory. | no | ./ |

Permissions

This action requires the following base permissions:

  • actions: read
  • contents: read
  • security-events: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Analyze
  uses: 3lvia/core-github-actions-templates/analyze@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    dotnet-tool-manifest:
    # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
    #
    # Required: no
    # Default: './.config/dotnet-tools.json'

    language:
    # Language to run CodeQL analysis on. Use a matrix strategy to run for multiple languages.
    #
    # Required: no
    # Default: 'csharp'

    upload-results:
    # If `true` the action will upload CodeQL results to GitHub Security Code Scanning. If `false`, the action will not upload results.
    #
    # Required: no
    # Default: 'true'

    working-directory:
    # Will run CodeQL Analysis on projects under this working directory.
    #
    # Required: no
    # Default: './'

SonarCloud

Run SonarCloud scanning on .NET code.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| github-token | Should normally be secrets.GITHUB_TOKEN. | yes | |
| sonarcloud-project-key | The SonarCloud project key or id. Normally of the form 3lvia_repo-name. The project must be manually created on sonarcloud.io. | yes | |
| sonarcloud-token | Should normally be secrets.SONAR_TOKEN. | yes | |
| test-projects | Pattern to use to find test projects. | no | *unit*test*csproj |
| working-directory | Will run SonarCloud on projects under this working directory. | no | ./ |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: SonarCloud
  uses: 3lvia/core-github-actions-templates/sonarcloud@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    github-token:
    # Should normally be `secrets.GITHUB_TOKEN`.
    #
    # Required: yes

    sonarcloud-project-key:
    # The SonarCloud project key or id. Normally of the form `3lvia_repo-name`. The project must be manually created on sonarcloud.io.
    #
    # Required: yes

    sonarcloud-token:
    # Should normally be `secrets.SONAR_TOKEN`.
    #
    # Required: yes

    test-projects:
    # Pattern to use to find test projects.
    #
    # Required: no
    # Default: '*unit*test*csproj'

    working-directory:
    # Will run SonarCloud on projects under this working directory.
    #
    # Required: no
    # Default: './'

Trivy IaC scan

Uses Trivy to scan IaC and report security issues. The action will report any vulnerabilities to GitHub Advanced Security, which will be visible in the Security tab on GitHub. If this action is run on a pull request, GitHub Advanced Security will give a detailed report of any vulnerabilities introduced by new changes in the pull request.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| path | Path to the directory containing the IaC files. | no | . |
| severity | Severity levels to scan for. Can be any combination of CRITICAL, HIGH, MEDIUM, LOW, and UNKNOWN. Multiple values must be comma-separated. | no | CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN |
| skip-dirs | Comma-separated list of directories to skip. | no | |
| trivyignore | Path to the Trivy ignore file (.trivyignore) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to ignore more CVEs, add them to .trivyignore, or create a new file and specify the path here. See Trivy documentation for more information. | no | .trivyignore |
| upload-report | Whether or not to upload the report generated by Trivy to the GitHub Security tab. GitHub Advanced Security must be enabled for the repository to use this feature. | no | true |

Permissions

This action requires the following base permissions:

  • actions: read
  • contents: read
  • security-events: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Trivy IaC scan
  uses: 3lvia/core-github-actions-templates/trivy-iac-scan@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    path:
    # Path to the directory containing the IaC files.
    #
    # Required: no
    # Default: '.'

    severity:
    # Severity levels to scan for. Can be any combination of `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `UNKNOWN`. Multiple values must be comma-separated.
    #
    # Required: no
    # Default: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'

    skip-dirs:
    # Comma-separated list of directories to skip.
    #
    # Required: no

    trivyignore:
    # Path to the Trivy ignore file (`.trivyignore`) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to ignore more CVEs, add them to `.trivyignore`, or create a new file and specify the path here. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-finding-ids) for more information.
    #
    # Required: no
    # Default: '.trivyignore'

    upload-report:
    # Whether or not to upload the report generated by Trivy to the GitHub *Security* tab. GitHub Advanced Security must be enabled for the repository to use this feature.
    #
    # Required: no
    # Default: 'true'
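A pull-request scanning workflow that combines the Analyze action (one CodeQL run per language via a matrix) with the Trivy IaC scan action, added here as an illustration rather than code from the repository. The language matrix, the src and infrastructure paths and the skip-dirs value are constructed; both jobs carry the actions: read, contents: read and security-events: write permissions the two actions require.

```yaml
name: Security scanning

on:
  pull_request:
  push:
    branches: [trunk]
  schedule:
    # Weekly run so newly published findings surface without a code change.
    - cron: '0 6 * * 1'

jobs:
  codeql:
    runs-on: elvia-runner
    permissions:
      actions: read
      contents: read
      security-events: write   # lets the action upload results to Code Scanning
    strategy:
      fail-fast: false
      matrix:
        # Constructed matrix: list every language CodeQL should analyze.
        language: [csharp, javascript]
    steps:
      - name: Analyze
        uses: 3lvia/core-github-actions-templates/analyze@trunk
        with:
          language: ${{ matrix.language }}
          working-directory: ./src   # assumed location of the application code

  iac-scan:
    runs-on: elvia-runner
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Trivy IaC scan
        uses: 3lvia/core-github-actions-templates/trivy-iac-scan@trunk
        with:
          path: ./infrastructure                 # assumed IaC directory
          skip-dirs: ./infrastructure/examples   # constructed: sample manifests not deployed anywhere
          # Only fail on findings worth blocking a merge; the full default list is noisier.
          severity: CRITICAL,HIGH
          # Repository-specific suppressions go in this file, on top of the action's defaults.
          trivyignore: .trivyignore
```

On a pull request both jobs upload to GitHub Advanced Security, so the Security tab shows which findings the change introduced; with fail-fast disabled, one failing CodeQL language does not hide results for the others.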

Playwright Test

Run Playwright tests written in .NET.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| environment | Environment is used to find the correct Vault instance. | yes | |
| system | System is used to log in to Vault using the correct role. | yes | |
| test-project | Name of test project file to run. | yes | |

Permissions

This action requires the following base permissions:

  • checks: write
  • contents: read
  • id-token: write
  • issues: read
  • pull-requests: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Playwright Test
  uses: 3lvia/core-github-actions-templates/playwright@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    environment:
    # Environment is used to find correct Vault instance.
    #
    # Required: yes

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

    test-project:
    # Name of test project file to run.
    #
    # Required: yes

Validate Metrics

Runs a PromQL query on Grafana Cloud. Returns success (return code 0) if the query has a result. Returns failure if the result is empty (return code 1).

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| checkout | If true, the action will check out the repository. If false, the action will assume the repository has already been checked out. | no | true |
| environment | Environment is used to find the correct Vault instance. | yes | |
| query | PromQL query string. | yes | |
| system | System is used to log in to Vault using the correct role. | yes | |

Permissions

This action requires the following base permissions:

  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Validate Metrics
  uses: 3lvia/core-github-actions-templates/validate-metrics@trunk
  with:
    checkout:
    # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
    #
    # Required: no
    # Default: 'true'

    environment:
    # Environment is used to find the correct Vault instance.
    #
    # Required: yes

    query:
    # PromQL query string.
    #
    # Required: yes

    system:
    # System is used to log in to Vault using correct role.
    #
    # Required: yes

Slack Message

Sends a message to a Slack channel. The permission id-token: write is only required if you are not defining the slack-api-token input.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| environment | Environment is used to find the correct Vault instance. Not required if you use slack-api-token. | no | |
| message | Message to send to the Slack channel. | yes | |
| namespace | Namespace is used to find the correct Vault role. Not required if you use slack-api-token. | no | |
| slack-api-token | Slack API token. Within the Elvia organization, you can use the GitHub organization secret SLACK_API_TOKEN. If no input is provided, the action will attempt to read the token from Elvia's Vault instance. Reading the token from Vault is only possible if the repository you are running this action from has been added to github-repositories-terraform, and you are running inside the GitHub Actions environments dev, test or prod. | no | |
| slack-channel | Slack channel to send the message to. The app "Github Workflow Notifications" must be added to the channel. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set, see the actions documentation for more information.

Usage

- name: Slack Message
  uses: 3lvia/core-github-actions-templates/slack-message@trunk
  with:
    environment:
    # Environment is used to find the correct Vault instance. Not required if you use `slack-api-token`.
    #
    # Required: no

    message:
    # Message to send to the Slack channel.
    #
    # Required: yes

    namespace:
    # Namespace is used to find the correct Vault role. Not required if you use `slack-api-token`.
    #
    # Required: no

    slack-api-token:
    # Slack API token. Within the Elvia organization, you can use the GitHub organization secret `SLACK_API_TOKEN`. If no input is provided, the action will attempt to read the token from Elvia's Vault instance. Reading the token from Vault is only possible if the repository you are running this action from has been added to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform), and you are running inside the GitHub Actions environments `dev`, `test` or `prod`.
    #
    # Required: no

    slack-channel:
    # Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel.
    #
    # Required: yes

ISS Tag & Push Image

Pulls image from GHCR, re-tags it and pushes it to GCR.

Only useful for ISS deployments.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| new-image-name | Name of the Docker image to push to GCR, without the tag. | yes | |
| old-image-name-with-tag | Name of the Docker image to pull from GHCR, including the tag. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • packages: read

More permissions might be required depending on the inputs set; see the action's documentation for more information.

Usage

- name: ISS Tag & Push Image
  uses: 3lvia/core-github-actions-templates/iss-tag-push-image@trunk
  with:
    new-image-name:
    # Name of the Docker image to push to GCR, without the tag.
    #
    # Required: yes

    old-image-name-with-tag:
    # Name of the Docker image to pull from GHCR, including the tag.
    #
    # Required: yes

Vault

Get secrets from Elvia's Vault for use in GitHub Actions.

Inputs

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| environment | Environment is used to find the correct Vault instance. | no | dev |
| exportToken | Whether to export the Vault token as an environment variable. Set this to true if you need to be authenticated to Vault in subsequent steps. | no | false |
| secrets | Secrets to fetch from Vault; see https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets for syntax. | no | |
| system | System name is used to log in to Vault using the correct role. | yes | |

Permissions

This action requires the following base permissions:

  • contents: read
  • id-token: write

More permissions might be required depending on the inputs set; see the action's documentation for more information.

Usage

- name: Vault
  uses: 3lvia/core-github-actions-templates/vault@trunk
  with:
    environment:
    # Environment is used to find the correct Vault instance.
    #
    # Default: 'dev'

    exportToken:
    # Whether to export the Vault token as an environment variable. Set this to true if you need to be authenticated to Vault in subsequent steps.
    #
    # Default: 'false'

    secrets:
    # Secrets to fetch from Vault; see [here](https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets) for syntax.
    #

    system:
    # System name is used to log in to Vault using the correct role.
    #
    # Required: yes
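
A complete workflow that chains the Vault and Slack Message actions documented above, as an added example that is not part of this repository. The system name `my-system`, the Vault path `my-system/kv/data/ci`, the secret key and the channel name are placeholders, and using the fetched secret as an environment variable assumes the Vault action exports secrets the way hashicorp/vault-action does.

```yaml
name: Deploy notification (added example)
on:
  push:
    branches: [trunk]

# Least privilege: both actions need only contents:read and id-token:write.
# id-token:write is what lets the job log in to Vault via OIDC, so no
# long-lived Vault credential has to be stored as a repository secret.
permissions:
  contents: read
  id-token: write

jobs:
  notify:
    runs-on: elvia-runner
    # Must be dev, test or prod for Vault-based token lookup to work.
    environment: dev
    steps:
      - name: Vault
        uses: 3lvia/core-github-actions-templates/vault@trunk
        with:
          environment: dev
          system: my-system   # placeholder: your system name, selects the Vault role
          # Syntax follows hashicorp/vault-action: "<path> <key> | <ENV_NAME> ;"
          # Path and key below are placeholders.
          secrets: |
            my-system/kv/data/ci deploy-url | DEPLOY_URL ;

      - name: Check the fetched secret is present
        # Assumption: the secret is exported as an environment variable, as in vault-action.
        # Only its presence is checked; the value is never echoed into the job log.
        run: |
          test -n "$DEPLOY_URL" || { echo "DEPLOY_URL was not fetched from Vault"; exit 1; }
          echo "DEPLOY_URL is set"

      - name: Slack Message
        uses: 3lvia/core-github-actions-templates/slack-message@trunk
        with:
          # No slack-api-token is given, so the token is read from Vault; that is
          # why environment and namespace are set here. Alternatively pass
          # slack-api-token: ${{ secrets.SLACK_API_TOKEN }} and omit these two.
          environment: dev
          namespace: my-system   # placeholder: selects the Vault role
          slack-channel: '#my-team-deploys'   # placeholder; the "Github Workflow Notifications" app must be in the channel
          message: 'Deployed ${{ github.repository }} at ${{ github.sha }} (run ${{ github.run_id }})'
```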

Elvia-specific Actions

The actions listed below are specific to Elvia's infrastructure and will not work outside our organization:

Development

Formatting

We use Prettier to format the README and yaml files. See the installation guide for how to install it.

Run Prettier with this command:

prettier -w --single-quote "**/*.yml" "**/*.md"
# OR
prettier -w --single-quote --end-of-line crlf "**/*.yml" "**/*.md"

Action documentation & table of contents

Documentation in the README is auto-generated for any actions in the repository using 3lvia/gh-actions-docs. The table of contents is also auto-generated, using the headers in this README. To add documentation for a new action, add these two tags to the README.md file:

<!-- gh-actions-docs-start path=my-new-action/action.yml owner=3lvia project=core-github-actions-templates version=trunk -->
<!-- gh-actions-docs-end -->

Replace path with the path to the action yaml file from the root of the repository. The fields owner, project and version are optional, but should be set to 3lvia, core-github-actions-templates and trunk respectively. The field permissions is also optional, but should be set to the permissions required for the action to run, e.g. permissions=actions:read,contents:read.

The documentation will then be auto-generated, added to the table of contents and committed on push to the trunk branch.
