Skip to content

Shopify/github-workflows

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

87 Commits
.github
.github
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 

Repository files navigation

github-workflows

GitHub reusable workflows for public Shopify repositories. Not specific to any language or ecosystem.

Using a workflow

We suggest you reference workflows by their git commit. If you include a commit and tag on the same line, Dependabot will maintain both references. Example: uses: Shopify/github-workflows/.github/workflows/scorecard.yaml@0cd53e568340d24a2aefc65236f0973b47402c14 # v0.0.1

Dependabot Configuration

Create/modify the .github/dependabot.yaml file in your repository. Make sure the updates block contains a github-actions entry.

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Available workflows

cla.yaml

Ensure any code contributors have signed the Shopify CLA.

Example Workflow 
name: Contributor License Agreement (CLA)

on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

permissions: {}

jobs:
  cla:
    uses: Shopify/github-workflows/.github/workflows/cla.yaml@c142f2dd84228c90bd716e4b5eafc68bd812f467 # v0.0.3
    permissions:
      pull-requests: write
    secrets:
      token: ${{secrets.GITHUB_TOKEN}}
      cla-token: ${{secrets.CLA_TOKEN}}

dependabot-automerge.yaml

Automatically approve and merge Dependabot PRs matching certain criteria. Supports filtering by ecosystem and semver gap, such as "all actions minor+patch updates".

Repositories using this workflow must:

  • Have Allow auto-merge enabled.
  • Have branch protection enabled, with the Require status checks to pass before merging option enforcing CI.
Example Workflow 
name: Dependabot auto-merge
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    paths:
      - '.github/workflows/**'

permissions: {}

jobs:
  automerge:
    permissions:
      contents: write
      pull-requests: write
    uses: Shopify/github-workflows/.github/workflows/dependabot-automerge.yaml@c395c2cfd65be9a36f5dcfd21f4a2498a477fed4 # v0.0.6
    with:
      actions: minor

scorecard.yaml

Publish an OpenSSF Scorecard for a project. Use this in public repositories, so that consumers can be assured of Shopify's security practices.

Consider adding a badge like https://api.securityscorecards.dev/projects/github.com/Shopify/github-workflows/badge.

Example Workflow 
name: Scorecard
on:
  branch_protection_rule:
  schedule:
    - cron: "30 1 * * 6"

permissions: {}

jobs:
  analysis:
    permissions:
      contents: read
      id-token: write
    uses: Shopify/github-workflows/.github/workflows/scorecard.yaml@0cd53e568340d24a2aefc65236f0973b47402c14 # v0.0.1
    secrets:
      token: ${{secrets.GITHUB_TOKEN}}

About

GitHub Actions reusable workflows

Topics

github-actions github-reusable-workflows

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

4 stars

Watchers

93 watching

Forks

0 forks
Report repository

Releases 8

v0.2.0 Latest
Dec 5, 2023
+ 7 releases

Contributors 3

  •  
  •  
  •