Reusable GitHub Actions workflows for CI/CD pipelines across Mconf projects.
This repository provides a centralized collection of reusable GitHub Actions workflows for building, testing, linting, and deploying applications across multiple programming languages and platforms. All workflows are optimized for self-hosted runners and follow security best practices.
Company-wide development practices and standards are documented in the guidelines/ directory. These guidelines provide:
- AI Collaboration - Best practices for working with AI coding tools
- General Development - Language-agnostic practices (linting, Makefiles, pre-commit hooks)
- Language-Specific - Guidelines for Ruby, Python, Go, and JavaScript
- Docker - Container best practices and multi-stage builds
- Testing - Testing strategies and AI-assisted test generation
- Git Workflow - Commit messages, branching, and pull requests
Templates: The templates/ directory contains starter configurations (Makefile, AGENTS.md, linter configs, Docker examples) that you can copy to your projects.
See guidelines/README.md for a complete index.
| Workflow | Action | Language/Tool | Registry | Security | Coverage | Private Repos | AI | Key Features |
|---|---|---|---|---|---|---|---|---|
| all-build-push-image | Build+Push | Docker | Harbor | | | | | Multi-platform, metadata extraction, GHA+registry caching |
| all-build-push-scan-harbor | Build+Push+Scan | Docker, Trivy | Harbor | ✓ | | ✓ | | Auto-detect push/scan, SSH support, Trivy Explorer upload, custom context/target |
| all-create-tag | Release | Git | | | | | | Version validation, annotated tags |
| all-gen-changelog-ai | Release | Git, Claude | | | | | ✓ | PR info gathering, Notion integration, Claude Code |
| all-helm-lint | Lint | Helm | | | | | | Chart validation, templating, packaging test |
| all-helm-publish | Publish | Helm | Harbor | | | | | OCI registry push, version extraction, GitHub summary |
| data-py-uv-lint | Lint | Python, Flake8, Black, isort, uv | | | | | | uv-based dependency management |
| data-py-uv-tests | Test | Python, pytest, uv | | | ✓ | | | uv-based dependency management, configurable pytest markers |
| lb-go-build | Build | Go | | | | ✓ | | CGO, private modules, build-essential |
| lb-go-lint | Lint | Go, golangci-lint | | | | ✓ | | 10min timeout, private module support |
| lb-go-tests | Test | Go, Gocov | | | ✓ | ✓ | | Coverage XML, PR comments, file change detection |
| lb-node-build | Build | Node.js, npm | | | | | | Custom env vars, npm cache |
| lb-node-lint | Lint | Node.js, ESLint | | | | | | Multiple file extensions (.js/.jsx/.ts/.tsx) |
| lb-node-tests | Test | Node.js, npm | | | | | | File change detection |
| lb-py-lint | Lint | Python, Flake8, Black, isort | | | | | | pip-based, libpq-dev |
| lb-py-pdm-lint | Lint | Python, Flake8, Black, isort, PDM | | | | | | PDM-based dependency management |
| lb-py-tests | Test | Python, pytest, PDM | | | ✓ | | | Coverage XML, PR reports, env file loading, file detection |
| lb-push-scan-image | Build+Push+Scan | Docker, Trivy | DockerHub | ✓ | | ✓ | | Dynamic tagging, Trivy Explorer upload, job summary |
| lb-ruby-lint | Lint | Ruby, RuboCop | | | | | | Build tools, libpq-dev, Gemfile caching |
| lb-scan | Scan | Trivy | | ✓ | | | | Filesystem scan, SARIF to PR comments |
| portal-ruby-lint | Lint | Ruby, RuboCop, HAML | | | | | | HAML views linting |
| portal-ruby-scan | Scan | Ruby, Brakeman | | ✓ | | | | Rails security vulnerabilities |
| portal-ruby-tests | Test | Ruby, RSpec, Rails | | | | | | MySQL+Redis services, Chromium, ImageMagick, secrets |
Go:
- `lb-go-build.yml`: Builds Go applications with support for private modules via SSH. Usage: see `examples/lb-go-build.yml`.
- `lb-go-lint.yml`: Runs golangci-lint on Go code. Usage: see `examples/lb-go-lint.yml`.
- `lb-go-tests.yml`: Runs Go tests with coverage reporting to pull requests. Requires the `pull-requests: write` permission. Usage: see `examples/lb-go-tests.yml`.

Node.js:
- `lb-node-build.yml`: Builds Node.js applications. Usage: see `examples/lb-node-build.yml`.
- `lb-node-lint.yml`: Runs ESLint on JavaScript/TypeScript code. Usage: see `examples/lb-node-lint.yml`.
- `lb-node-tests.yml`: Runs Node.js tests (only on modified JavaScript/TypeScript files). Usage: see `examples/lb-node-tests.yml`.

Python:
- `lb-py-lint.yml`: Runs Flake8, Black, and isort on Python code (pip-based projects). Usage: see `examples/lb-py-lint.yml`.
- `lb-py-pdm-lint.yml`: Runs Flake8, Black, and isort on Python code (PDM-based projects). Usage: see `examples/lb-py-pdm-lint.yml`.
- `lb-py-tests.yml`: Runs Python tests with coverage reporting (PDM-based projects). Requires the `pull-requests: write` permission. Usage: see `examples/lb-py-tests.yml`.
- `data-py-uv-lint.yml`: Runs Flake8, Black, and isort on Python code (uv-based projects). Usage: see `examples/data-py-uv-lint.yml`.
- `data-py-uv-tests.yml`: Runs Python tests with coverage reporting (uv-based projects). Includes configurable pytest markers. Requires the `pull-requests: write` permission. Usage: see `examples/data-py-uv-tests.yml`.

Ruby:
- `lb-ruby-lint.yml`: Runs the RuboCop linter on Ruby code. Usage: see `examples/lb-ruby-lint.yml`.
- `portal-ruby-lint.yml`: Runs RuboCop and HAML linting for Rails applications. Reads the Ruby version from the `.ruby-version` file. Usage: see `examples/portal-ruby-lint.yml`.
- `portal-ruby-scan.yml`: Scans Rails applications for security vulnerabilities using Brakeman. Reads the Ruby version from the `.ruby-version` file. Usage: see `examples/portal-ruby-scan.yml`.
- `portal-ruby-tests.yml`: Runs Rails tests with MySQL and Redis services. Reads the Ruby version from the `.ruby-version` file. Requires OAuth and Devise secrets. Usage: see `examples/portal-ruby-tests.yml`.

Docker and security scanning:
- `all-build-push-image.yml`: Builds and pushes Docker images to Harbor with automatic tagging and caching. Supports multi-platform builds and optional DockerHub login for base images. Usage: see `examples/all-build-push-image.yml`.
- `all-build-push-scan-harbor.yml`: Builds Docker images, pushes them to Harbor, and scans them with Trivy. Auto-detects whether to push and scan based on git refs and available secrets. Supports SSH for private dependencies, a custom build context, and multi-stage targets. Usage: see `examples/all-build-push-scan-harbor.yml`.
- `lb-scan.yml`: Scans the repository filesystem for security vulnerabilities using Trivy. Requires the `pull-requests: write` permission. Usage: see `examples/lb-scan.yml`.
- `lb-push-scan-image.yml`: Builds a Docker image, pushes it to the registry (on tags), and scans it with Trivy. Includes optional SSH support for private dependencies. Usage: see `examples/lb-push-scan-image.yml`.

Helm:
- `all-helm-lint.yml`: Lints, templates, and validates Helm charts. Auto-detects the chart name and supports custom values files. Usage: see `examples/all-helm-lint.yml`.
- `all-helm-publish.yml`: Packages and publishes Helm charts to the Harbor OCI registry. Extracts the version from tags and writes a GitHub summary with the install command. Usage: see `examples/all-helm-publish.yml`.

Release:
- `all-gen-changelog-ai.yml`: Generates changelog entries using Claude AI based on the commits and pull requests between versions. Usage: see `examples/all-gen-changelog-ai.yml`.
- `all-create-tag.yml`: Creates an annotated git tag for a specified version. Usage: see `examples/all-create-tag.yml`.
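As an added illustration (not one of the files under `examples/`), this is the shape of a caller workflow in a consuming repository that runs `lb-go-tests.yml` from this collection. `ORG/REPO` is a placeholder for the repository hosting these workflows, and the secret name passed under `secrets:` is an assumption that must match whatever the reusable workflow declares under `on.workflow_call.secrets`; the real inputs and secret names are in the matching example file.

```yaml
# .github/workflows/ci.yml in the consuming repository (added example, not from examples/)
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege by default: every job starts read-only and widens only what it needs.
permissions:
  contents: read

jobs:
  go-tests:
    # ORG/REPO is a placeholder. Reference a tag or, better, a full commit SHA of the
    # workflows repository instead of a moving branch so the pipeline cannot change underneath you.
    uses: ORG/REPO/.github/workflows/lb-go-tests.yml@main
    permissions:
      contents: read
      pull-requests: write   # required by lb-go-tests.yml to post coverage comments on PRs
    secrets:
      # Pass secrets by name instead of `secrets: inherit`, so the called workflow only ever
      # sees what it needs. SSH_PRIVATE_KEY is assumed to be the name declared by the workflow.
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
```

A job-level `permissions:` block on a `uses:` job can only narrow the permissions of the called workflow, never widen them, which is why the workflow-level default is `contents: read` and the PR-comment permission is granted on exactly the job that needs it.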
All workflows include:
- Minimal permissions: Only required permissions are granted
- Timeout protection: All jobs have timeout limits (15-30 minutes)
- Private module support: SSH agent configured when the `SSH_PRIVATE_KEY` secret is provided
- Dependency caching: Faster builds with intelligent caching
- Vulnerability scanning: Trivy integration for security checks
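To make the list above concrete, here is an added sketch of how a reusable workflow applies the first four points (minimal permissions, a job timeout, an SSH agent that is started only when the secret is present, and Go dependency caching). It is an illustration written for this README, not a copy of any workflow in this repository; the action versions and the `ORG` in `GOPRIVATE` are assumptions, and in practice actions should be pinned to a commit SHA.

```yaml
# Added illustration of the security patterns listed above; not a file from this repository.
name: example-go-build

on:
  workflow_call:
    secrets:
      SSH_PRIVATE_KEY:
        required: false   # optional: only needed when the module graph includes private repos

# Minimal permissions: a build job needs nothing beyond reading the checked-out repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: self-hosted
    timeout-minutes: 15     # timeout protection: a hung build cannot hold the runner forever
    env:
      # The `secrets` context cannot be used in a step `if:`, so the (possibly empty) secret is
      # exposed through `env`, which step conditions can test.
      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
    steps:
      - uses: actions/checkout@v4   # version assumed; pin to a SHA in practice

      - name: Start SSH agent for private modules
        if: env.SSH_PRIVATE_KEY != ''
        uses: webfactory/ssh-agent@v0.9.0   # version assumed; pin to a SHA in practice
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Route private module fetches over SSH
        if: env.SSH_PRIVATE_KEY != ''
        run: |
          git config --global url."git@github.com:".insteadOf "https://github.com/"
          echo "GOPRIVATE=github.com/ORG/*" >> "$GITHUB_ENV"   # ORG is a placeholder

      - uses: actions/setup-go@v5   # version assumed; pin to a SHA in practice
        with:
          go-version-file: go.mod
          cache: true               # dependency caching keyed on go.sum

      - name: Build
        run: go build ./...
```

Because the secret is declared as `required: false`, a caller that does not pass it still runs the workflow; the two SSH steps are simply skipped, so public-only projects never load a key into an agent they do not need.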
Workflows may require the following secrets (configured in your repository):
- `SSH_PRIVATE_KEY`: SSH key for accessing private Git repositories
- `HARBOR_USERNAME`: Harbor registry username
- `HARBOR_PASSWORD`: Harbor registry password
- `DOCKERHUB_USERNAME`: DockerHub username
- `DOCKERHUB_PASSWORD`: DockerHub password
- `REGISTRY_ACCESS_TOKEN`: DockerHub access token for pushing images (will be deprecated in favor of `DOCKERHUB_PASSWORD`)
- `TRIVY_EXPLORER_AUTH_TOKEN`: Authentication for Trivy Explorer
- `TRIVY_EXPLORER_URL`: Trivy Explorer endpoint URL
- `GITHUB_TOKEN`: Automatically provided by GitHub Actions