
Firestoned GitHub Actions

Reusable composite GitHub Actions for CI/CD pipelines

A collection of production-ready, reusable GitHub Actions composite workflows for Rust, Docker, security scanning, and compliance. Built for enterprise environments with a focus on security, supply chain integrity, and regulatory compliance.


🚀 Quick Start

Use these actions in your workflows by referencing them with the uses keyword:

# Example: Use Rust caching in your workflow
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Cache Rust dependencies
        uses: firestoned/github-actions/rust/cache-cargo@v1

      - name: Build
        run: cargo build --release

Pin to major version (@v1) for automatic minor/patch updates, or pin to exact version (@v1.0.0) for stability.


📦 Available Actions

Rust Ecosystem

Note: All Rust actions require the Rust toolchain to be installed. Use rust/setup-rust-build or actions-rust-lang/setup-rust-toolchain before using these actions.

Action Description Documentation
rust/cache-cargo Cache Cargo registry, index, and build artifacts 📖 Docs
rust/setup-rust-build Set up Rust toolchain with cross-compilation support 📖 Docs
rust/verify-toolchain Verify Rust toolchain and required components are installed 📖 Docs
rust/build-binary Build Rust binaries for x86_64 and ARM64 📖 Docs
rust/build-library Build Rust libraries with flexible profile and feature control 📖 Docs
rust/lint Run cargo fmt and cargo clippy for code quality 📖 Docs
rust/security-scan Scan Rust dependencies for vulnerabilities (cargo-audit) 📖 Docs
rust/generate-sbom Generate Software Bill of Materials (CycloneDX) 📖 Docs

Security & Compliance

Action Description Documentation
security/trivy-scan Container vulnerability scanning with Trivy 📖 Docs
security/cosign-sign Sign container images and artifacts with Cosign 📖 Docs
security/verify-signed-commits Verify all commits are cryptographically signed 📖 Docs
security/license-check Verify SPDX license headers in source files 📖 Docs

Docker & Containers

Action Description Documentation
docker/setup-docker Set up Docker Buildx and authenticate to GHCR 📖 Docs

Versioning & Release

Action Description Documentation
versioning/extract-version Extract version info for consistent tagging across workflows 📖 Docs

💡 Usage Examples

Complete Rust CI/CD Pipeline

name: Rust CI/CD

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Cache Cargo dependencies
      - uses: firestoned/github-actions/rust/cache-cargo@v1

      # Set up Rust toolchain for x86_64
      - uses: firestoned/github-actions/rust/setup-rust-build@v1
        with:
          target: x86_64-unknown-linux-gnu

      # Build binary
      - uses: firestoned/github-actions/rust/build-binary@v1
        with:
          target: x86_64-unknown-linux-gnu

      # Security scan
      - uses: firestoned/github-actions/rust/security-scan@v1
        with:
          cargo-audit-version: '0.21.0'

      # Generate SBOM
      - uses: firestoned/github-actions/rust/generate-sbom@v1
        with:
          format: json
          describe: binaries

Container Security Workflow

name: Container Security

on:
  push:
    branches: [main]

jobs:
  scan-and-sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # OIDC token for keyless Cosign signing
      contents: read
      packages: write         # push the image to GHCR
      security-events: write  # upload Trivy SARIF results
    steps:
      - uses: actions/checkout@v4

      # Log in to GHCR: Cosign signs an image by its registry digest, so the
      # image has to be pushed before it can be signed
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build and push your container image; the step id makes the
      # `digest` output available to the scan and sign steps below
      - name: Build image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/myorg/myapp:latest

      # Scan with Trivy, referencing the exact image that will be signed
      - uses: firestoned/github-actions/security/trivy-scan@v1
        with:
          image-ref: ghcr.io/myorg/myapp@${{ steps.build.outputs.digest }}
          sarif-category: trivy-container-scan

      # Sign with Cosign (keyless); only reached if the scan step passed
      - uses: firestoned/github-actions/security/cosign-sign@v1
        with:
          image-digest: ${{ steps.build.outputs.digest }}
          registry: ghcr.io
          repository: myorg/myapp

Compliance & Policy Enforcement

name: Compliance Checks

on:
  pull_request:
    branches: [main]

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch all history for commit verification

      # Verify all commits are signed
      - uses: firestoned/github-actions/security/verify-signed-commits@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          verify-mode: pr
          base-ref: origin/main

      # Check SPDX license headers
      - uses: firestoned/github-actions/security/license-check@v1
        with:
          copyright-holder: "Your Organization"
          license-id: MIT
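
The shell functions below are an added example, not the project's own action code: they are local stand-ins for the two checks in the workflow above, so the same policy can be run on a developer machine before a pull request is opened. check_spdx_headers walks a source tree and reports files whose first ten lines lack either an `SPDX-License-Identifier` line for the given license id or a `Copyright` line naming the holder; check_signed_commits uses git's `%G?` format placeholder to list commits in a range whose signature git does not rate as good (`G`). The function names, the file extensions scanned and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of firestoned/github-actions): local stand-ins for
# the license-check and verify-signed-commits steps in the workflow above.
# All function names, extensions and sample data below are assumptions.

# check_spdx_headers DIR HOLDER LICENSE_ID
# Prints every source file under DIR whose first 10 lines lack either
# "SPDX-License-Identifier: LICENSE_ID" or a "Copyright" line naming HOLDER.
# Returns 1 if any file is missing a header, 0 if all files comply.
check_spdx_headers() {
  local dir="$1" holder="$2" license_id="$3" missing
  missing=$(
    find "$dir" -type f \( -name '*.rs' -o -name '*.sh' -o -name '*.py' \) | sort |
    while IFS= read -r f; do
      if ! head -n 10 "$f" | grep -Fq "SPDX-License-Identifier: $license_id" ||
         ! head -n 10 "$f" | grep -F 'Copyright' | grep -Fq "$holder"; then
        printf '%s\n' "$f"
      fi
    done
  )
  if [ -n "$missing" ]; then
    printf 'files missing an SPDX/copyright header:\n%s\n' "$missing"
    return 1
  fi
  return 0
}

# check_signed_commits BASE TIP
# Lists every commit in BASE..TIP whose signature git does not rate "G"
# (good signature from a trusted key). git's %G? placeholder also yields
# N (unsigned), B (bad), U (good but untrusted key), E (cannot be checked)
# and X/Y/R (expired or revoked); a strict policy rejects all of those.
# Returns 1 if any commit fails, 0 if every commit in the range is verified.
check_signed_commits() {
  local base="$1" tip="$2" unverified
  unverified=$(git log --format='%H %G? %s' "$base..$tip" | grep -v '^[0-9a-f]* G ' || true)
  if [ -n "$unverified" ]; then
    printf 'commits without a verified signature (hash status subject):\n%s\n' "$unverified"
    return 1
  fi
  return 0
}

# Constructed sample tree: one compliant file and one without a header.
write_sample_tree() {
  mkdir -p "$1/src"
  printf '// SPDX-License-Identifier: MIT\n// Copyright (c) 2024 Example Org\nfn main() {}\n' > "$1/src/main.rs"
  printf 'fn helper() {}\n' > "$1/src/helper.rs"
}

# Demo: run the header check on the constructed tree (helper.rs is reported).
demo() {
  local tmp
  tmp=$(mktemp -d)
  write_sample_tree "$tmp"
  if check_spdx_headers "$tmp" "Example Org" MIT; then
    echo "license check passed"
  else
    echo "license check failed"
  fi
  rm -rf "$tmp"
}
demo
```

In a CI job the commit check would be called as `check_signed_commits origin/main HEAD` after a checkout with `fetch-depth: 0`, which mirrors the `verify-mode: pr` / `base-ref: origin/main` inputs above; without the full history the base ref is not present and `git log` fails.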

🔖 Versioning Strategy

This repository follows semantic versioning for GitHub Actions:

  • Major version (v1, v2): Breaking changes to inputs/outputs
  • Minor version (v1.1, v1.2): New features, backward compatible
  • Patch version (v1.0.1, v1.0.2): Bug fixes

Recommended Usage

# ✅ Recommended: Pin to major version (get minor/patch updates automatically)
uses: firestoned/github-actions/rust/cache-cargo@v1

# ✅ Conservative: Pin to exact version (manual updates only)
uses: firestoned/github-actions/rust/cache-cargo@v1.0.0

# ⚠️ Not recommended: Use main branch (unstable)
uses: firestoned/github-actions/rust/cache-cargo@main

Version Tags

Each action is tagged with:

  • v1 - Latest v1.x.x release (auto-updates)
  • v1.0 - Latest v1.0.x release (patch updates only)
  • v1.0.0 - Exact release (no auto-updates)
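
As an added example (not code from the firestoned/github-actions project), the following POSIX shell script audits the `uses:` references in a workflow file against the pinning advice above. It classifies each reference as a version tag, a 40-hex commit SHA, a branch name, or a local/Docker reference, and fails when any action is taken from a branch or carries no ref at all. Tags such as @v1 are mutable pointers that maintainers move, which is what makes the automatic updates work; an organisation that wants fully immutable references can tighten the policy to accept only the sha class. The sample workflow, the function names and the temporary file handling are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of firestoned/github-actions): audit how every
# `uses:` reference in a workflow file is pinned. Function names and the
# sample workflow are assumptions made for this example.

# classify_uses SPEC
# Prints one of: sha, tag, branch, local, unpinned.
#   sha      40-hex commit id, immutable
#   tag      version tag (v1, v1.0, v1.0.0 ...), mutable, moved by maintainers
#   branch   anything else after @ (e.g. main), changes with every push
#   local    ./path or docker:// reference, not resolved through GitHub
#   unpinned no @ref at all
classify_uses() {
  local spec="$1" ref
  case "$spec" in
    ./*|docker://*) echo local; return 0 ;;
    *@*) ref=${spec##*@} ;;
    *) echo unpinned; return 0 ;;
  esac
  if printf '%s\n' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
    echo sha
  elif printf '%s\n' "$ref" | grep -Eq '^v?[0-9]+(\.[0-9]+){0,2}$'; then
    echo tag
  else
    echo branch
  fi
}

# extract_uses FILE
# Prints the value of every `uses:` key in FILE, one per line, with quotes
# and trailing "# comments" removed. Line-oriented: enough for workflow YAML
# written in the usual style, not a full YAML parser.
extract_uses() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$1" |
    sed -E 's/[[:space:]]+#.*$//' | tr -d '"'"'"
}

# audit_workflow FILE
# Prints "<class> <spec>" for each reference; returns 1 if any reference is
# taken from a branch or has no ref, 0 otherwise.
audit_workflow() {
  local report
  report=$(extract_uses "$1" | while IFS= read -r spec; do
    printf '%s %s\n' "$(classify_uses "$spec")" "$spec"
  done)
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -Eq '^(branch|unpinned) '; then
    return 1
  fi
  return 0
}

# Constructed sample workflow covering each class; the cache-cargo lines
# mirror the Recommended Usage snippet above.
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "firestoned/github-actions/rust/cache-cargo@v1"    # recommended
      - uses: firestoned/github-actions/rust/cache-cargo@main    # not recommended
      - uses: example/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
EOF
}

# Demo: the sample contains a branch reference, so the audit fails.
demo() {
  local f
  f=$(mktemp)
  write_sample_workflow "$f"
  if audit_workflow "$f"; then
    echo "OK: every remote action is pinned to a tag or commit SHA"
  else
    echo "FAIL: an action is taken from a branch or is unpinned"
  fi
  rm -f "$f"
}
demo
```

Run it over `.github/workflows/*.yml` from a pre-commit hook or a lint job; changing the final grep to `^(branch|unpinned|tag) ` turns it into a SHA-only policy.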

🎯 Design Principles

These actions are built with the following principles:

  1. Zero Hardcoding: All values are configurable via inputs
  2. Language Agnostic: Generic actions work with any language/ecosystem
  3. Security First: Built for regulated environments (banking, finance, healthcare)
  4. Compliance Ready: SBOM generation, signed commits, license verification
  5. Well Documented: Every action has comprehensive README with examples
  6. Tested: Validated in production across multiple projects
  7. Composable: Actions work together and with standard GitHub Actions

🏢 Use Cases

Perfect For:

  • ✅ Rust projects with multi-architecture builds
  • ✅ Projects requiring SLSA supply chain security
  • ✅ Organizations with compliance requirements (SOC2, PCI-DSS, HIPAA)
  • ✅ Teams standardizing CI/CD across multiple repositories
  • ✅ Open-source projects with security best practices

Enterprise Features:

  • Supply Chain Security: SBOM generation, artifact signing, commit verification
  • Vulnerability Management: Automated scanning with Trivy and cargo-audit
  • Audit Trail: All actions log detailed output for compliance reviews
  • Reproducible Builds: Deterministic caching and versioning

πŸ› οΈ Action Categories

By Language Support

Language Actions Available Count
Rust cache-cargo, setup-rust-build, verify-toolchain, build-binary, build-library, lint, security-scan, generate-sbom 8
Go trivy-scan, cosign-sign, verify-signed-commits, license-check, setup-docker, extract-version 6
Python trivy-scan, cosign-sign, verify-signed-commits, license-check, setup-docker, extract-version 6
Node.js trivy-scan, cosign-sign, verify-signed-commits, license-check, setup-docker, extract-version 6
Java trivy-scan, cosign-sign, verify-signed-commits, license-check, setup-docker, extract-version 6
Any trivy-scan, cosign-sign, verify-signed-commits, license-check, setup-docker, extract-version 6

By Use Case

Use Case Actions Benefit
Security Scanning trivy-scan, security-scan Detect vulnerabilities early
Supply Chain generate-sbom, cosign-sign SLSA compliance, provenance
Compliance license-check, verify-signed-commits Regulatory requirements
Performance cache-cargo, setup-rust-build Faster builds, lower costs
Multi-Arch setup-rust-build, build-binary ARM64 + x86_64 support

📚 Documentation

Each action has its own detailed README with:

  • Purpose and use cases
  • Input parameters and defaults
  • Output values
  • Complete usage examples
  • Troubleshooting tips
  • Best practices

Browse actions:


🤝 Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/new-action)
  3. Follow existing action patterns and documentation style
  4. Test your changes thoroughly
  5. Submit a pull request

Adding a New Action

  1. Create directory: <category>/<action-name>/
  2. Add action.yml with proper inputs/outputs
  3. Create comprehensive README.md
  4. Update main README.md with new action
  5. Add test workflow in .github/workflows/

See CONTRIBUTING.md for detailed guidelines.


πŸ› Reporting Issues

Found a bug or have a feature request?

  1. Check existing issues
  2. Create a new issue with:
    • Action name and version
    • Steps to reproduce
    • Expected vs. actual behavior
    • Workflow YAML (sanitized)

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.


πŸ™ Acknowledgments

These actions are battle-tested in production environments across:

  • Banking and financial services
  • Platform engineering teams
  • Multi-cluster Kubernetes deployments
  • Regulated compliance environments

Built with ❤️ by the firestoned team.


📞 Support


Star this repo ⭐ if you find it useful!
