GitHub Actions used by go-openapi workflows.
These actions are currently used by the CI workflows run at github.com/go-openapi.
To use one of these actions in your workflow, reference it with the standard GitHub Actions `uses:` syntax.

Install all tools:

```yaml
- uses: go-openapi/gh-actions@v0.1.6
```

Install each tool independently:

```yaml
- uses: go-openapi/gh-actions/install/gotestsum@v0.1.6
- uses: go-openapi/gh-actions/install/go-junit-report@v0.1.6
- uses: go-openapi/gh-actions/install/go-ctrf-json-reporter@v0.1.6
- uses: go-openapi/gh-actions/install/svu@v0.1.6
```

Download a specific version:

```yaml
- uses: go-openapi/gh-actions/install/go-ctrf-json-reporter@v0.1.6
  with:
    version: v0.0.12
```

All tools are currently installed from downloaded release binaries.
CI workflows can use and pin these released actions instead of running `go install ...@latest`, which resolves to whatever the module proxy serves at that moment.
This is mostly motivated by the need to pin CI dependencies to a specific commit and to use only vetted versions of the installed tooling. Note that a tag such as `@v0.1.6` is a mutable git ref that can be moved after the fact; pinning to the full commit SHA of the release (with the tag kept in a trailing comment for readability) is the form that cannot be silently changed.
Our actions install tools from binary releases whenever applicable.
Automated version tracking is obtained through a dummy go.mod module declaration in this repo,
which lets dependabot track our target tools and open update PRs.
A vulnerability scan of the tool's source repo must pass before such an update is approved and merged.
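The pinning policy above is easy to state and easy to drift from. The following is an added example (not code from the go-openapi/gh-actions repository) that audits the `uses:` references in a workflow file and classifies each ref as an immutable commit SHA, a version tag, or a floating branch name, so unpinned references can be caught in review. The sample workflow text and the 40-character SHA in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the go-openapi repository); the SHA is a
# placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 pinned by SHA
      - uses: go-openapi/gh-actions/install/gotestsum@v0.1.6
      - uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

# A step-level or job-level "uses:" line; the target ends at whitespace, a quote
# or the start of a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full-length commit SHA
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v1, v1.2, v1.2.3


@dataclass(frozen=True)
class UsesRef:
    line: int
    action: str
    ref: str
    kind: str  # "sha", "tag", "branch", "local" or "docker"


def classify(target: str):
    """Split an action reference into (action, ref, kind)."""
    if target.startswith("./"):
        return target, "", "local"       # same-repo action, moves with the checkout
    if target.startswith("docker://"):
        return target, "", "docker"      # image tag; pin by digest separately
    action, _, ref = target.partition("@")
    if SHA_RE.match(ref):
        kind = "sha"                     # immutable: the only ref that cannot move
    elif VERSION_TAG_RE.match(ref):
        kind = "tag"                     # versioned, but a tag can be force-moved
    else:
        kind = "branch"                  # floating ref (or no ref at all)
    return action, ref, kind


def audit_uses(workflow_text: str) -> list:
    found = []
    for n, raw in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        action, ref, kind = classify(m.group(1))
        found.append(UsesRef(n, action, ref, kind))
    return found


def unpinned(workflow_text: str) -> list:
    """References a tag move or branch push could silently change."""
    return [u for u in audit_uses(workflow_text) if u.kind in ("tag", "branch")]


if __name__ == "__main__":
    for u in unpinned(SAMPLE_WORKFLOW):
        print(f"line {u.line}: {u.action}@{u.ref or '<none>'} is a {u.kind}, not a commit SHA")
```

Running it over the sample flags the two `go-openapi/gh-actions` references (one tag, one branch) and accepts the SHA-pinned checkout. Local and `docker://` references are reported by kind but not as unpinned, since they are governed by the repository checkout and image digest respectively.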
The `ci-jobs/wait-pending-jobs` action waits for all jobs on a PR to have run (not just the required status checks).

```yaml
- uses: go-openapi/gh-actions/ci-jobs/wait-pending-jobs@v0.2.0
  with:
    pr-url: ${{ github.event.pull_request.html_url }}
    github-token: ${{ secrets.GITHUB_TOKEN }}
    # Optional: exclude the current run (default: true)
    exclude-current-run: 'true'
    # Optional: patterns to match workflow names for exclusion (default: 'auto-merge,contributors')
    exclude-workflow-patterns: 'auto-merge,release'
```

Background: this action solves a timing issue where auto-merge triggers as soon as the required status checks pass while non-required jobs (such as coverage upload) are still running. The PR is merged and its branch deleted while those jobs are in progress, so they fail.
When multiple jobs in the same workflow use this action in parallel, they can end up waiting for each other. The action includes defaults to prevent such deadlocks:
- `exclude-current-run`: automatically excludes the current workflow run from the wait list (default: `true`)
- `exclude-workflow-patterns`: case-insensitive substring matching against workflow names (default: `'auto-merge,contributors'`); `'auto-merge'` matches `'Dependabot auto-merge'`, `'PR auto-merge'`, etc. Override the default by providing your own comma-separated list of patterns. Overriding replaces the default list rather than extending it, so keep `auto-merge` in your own list (as the example above does) if the auto-merge workflow must still be excluded.
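To make the wait-list rules concrete, here is an added example (not the action's own code) that applies the two exclusion rules described above to a constructed list of workflow runs. The real action obtains the run list from the GitHub API using the token it is given; this example substitutes an inline sample so it runs offline, and the `WorkflowRun` fields, `runs_to_wait_for` and `would_deadlock` are names chosen for the illustration.

```python
from dataclasses import dataclass

DEFAULT_EXCLUDE_PATTERNS = "auto-merge,contributors"


@dataclass(frozen=True)
class WorkflowRun:
    run_id: int
    workflow_name: str
    status: str  # "queued", "in_progress" or "completed"


def parse_patterns(csv: str) -> list:
    """Comma-separated patterns, trimmed and lower-cased for case-insensitive matching."""
    return [p.strip().lower() for p in csv.split(",") if p.strip()]


def is_excluded(workflow_name: str, patterns: list) -> bool:
    """Substring match: 'auto-merge' excludes 'Dependabot auto-merge', 'PR auto-merge', ..."""
    name = workflow_name.lower()
    return any(p in name for p in patterns)


def runs_to_wait_for(runs, current_run_id, exclude_current_run=True,
                     exclude_workflow_patterns=DEFAULT_EXCLUDE_PATTERNS):
    """Runs still to be waited on after applying the exclusion rules."""
    patterns = parse_patterns(exclude_workflow_patterns)
    pending = []
    for run in runs:
        if run.status == "completed":
            continue                       # nothing to wait for
        if exclude_current_run and run.run_id == current_run_id:
            continue                       # never wait on ourselves
        if is_excluded(run.workflow_name, patterns):
            continue                       # e.g. the auto-merge workflow that waits on us
        pending.append(run)
    return pending


def would_deadlock(runs, current_run_id, **kwargs) -> bool:
    """True when the waiter's own run ends up in its wait list."""
    return any(r.run_id == current_run_id
               for r in runs_to_wait_for(runs, current_run_id, **kwargs))


# Constructed sample: the waiter is run 101 ("CI"), with other runs in flight.
CURRENT_RUN_ID = 101
SAMPLE_RUNS = [
    WorkflowRun(101, "CI", "in_progress"),
    WorkflowRun(102, "Coverage upload", "in_progress"),
    WorkflowRun(103, "Dependabot auto-merge", "queued"),
    WorkflowRun(104, "Contributors", "in_progress"),
    WorkflowRun(105, "Release drafter", "in_progress"),
    WorkflowRun(106, "Lint", "completed"),
]

if __name__ == "__main__":
    for r in runs_to_wait_for(SAMPLE_RUNS, CURRENT_RUN_ID):
        print(f"waiting on run {r.run_id}: {r.workflow_name}")
```

With the defaults, the waiter only blocks on "Coverage upload" and "Release drafter". Passing `exclude_workflow_patterns="auto-merge,release"` drops "Release drafter" but brings "Contributors" back into the wait list, which is the replace-not-extend behaviour to keep in mind when overriding. Setting `exclude_current_run=False` puts run 101 in its own wait list, which is the deadlock the default prevents.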
The `ci-jobs/bot-credentials` action securely configures bot credentials for automated operations, including GPG signing and GitHub App authentication. It addresses the exposure that results from indexing the secrets context dynamically (`secrets[inputs.secret-name]`), which makes ALL organization secrets available to the workflow run rather than only the one that is needed.
Features:
- GPG signing for commits and tags
- GitHub App token generation
- Both features can be enabled independently
- Secure: only the explicitly named secrets are passed as inputs (not the whole secrets context)
- Flexible: works with custom secret names for any organization
Usage example 1: go-openapi repos (using the organization's default secret names)

For go-openapi repositories, pass the organization's standard secrets (CI_BOT_GPG_PRIVATE_KEY, CI_BOT_GPG_PASSPHRASE, CI_BOT_SIGNING_KEY, CI_BOT_APP_ID, CI_BOT_APP_PRIVATE_KEY) as explicit inputs. The action does not look secrets up by name itself, so nothing beyond these five values reaches the job:

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
        id: bot
        with:
          enable-gpg-signing: 'true'
          enable-github-app: 'true'
          # go-openapi default secret names, passed explicitly as inputs
          gpg-private-key: ${{ secrets.CI_BOT_GPG_PRIVATE_KEY }}
          gpg-passphrase: ${{ secrets.CI_BOT_GPG_PASSPHRASE }}
          gpg-fingerprint: ${{ secrets.CI_BOT_SIGNING_KEY }}
          github-app-id: ${{ secrets.CI_BOT_APP_ID }}
          github-app-private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
      - run: |
          git commit -m "Signed commit" # Automatically GPG signed
      - uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ steps.bot.outputs.app-token }}
```

Usage example 2: Other organizations (using custom secret names)
For other organizations with different secret names (e.g., personal repos on github.com/fredbi), pass your own secrets under the same input names:

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
        id: bot
        with:
          enable-gpg-signing: 'true'
          enable-github-app: 'true'
          # Pass your custom secret names explicitly
          gpg-private-key: ${{ secrets.FREDBI_GPG_PRIVATE_KEY }}
          gpg-passphrase: ${{ secrets.FREDBI_GPG_PASSPHRASE }}
          gpg-fingerprint: ${{ secrets.FREDBI_SIGNING_KEY }}
          github-app-id: ${{ secrets.FREDBI_APP_ID }}
          github-app-private-key: ${{ secrets.FREDBI_APP_PRIVATE_KEY }}
      - run: |
          git commit -m "Signed commit" # Automatically GPG signed
      - uses: peter-evans/create-pull-request@v8
        with:
          token: ${{ steps.bot.outputs.app-token }}
```

Both examples reference the action at `@master`, a moving branch; in line with the pinning policy described above, prefer a released tag or, better, a full commit SHA in real workflows.

Background: this action was created to solve the security issue identified in ci-workflows#43. Using `secrets[inputs.secret-name]` causes GitHub Actions to expose ALL organization and repository secrets to the workflow runner, because the caller has to hand over the entire secrets context (for example with `secrets: inherit`) for the dynamic lookup to work at all. This action requires secrets to be passed as actual values, so only the explicitly named secrets are accessible.
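The pattern this action replaces is simple to grep for, and worth grepping for across an organization. The following is an added example (not code from go-openapi/gh-actions) that scans workflow text for the three constructs that widen secret exposure: dynamic indexing of the secrets context, `secrets: inherit` on a reusable-workflow call, and `toJSON(secrets)`. The "before" and "after" workflow snippets are constructed to mirror the issue described above; `find_secret_exposure` is a name chosen for this illustration.

```python
import re

# Dynamic lookup such as ${{ secrets[inputs.secret-name] }}: only possible when the
# whole secrets context is available to the job.
DYNAMIC_SECRET_RE = re.compile(r"secrets\s*\[")
# A reusable-workflow call that forwards every caller secret.
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
# Serialising the entire context, e.g. to pass it to a composite action.
TOJSON_SECRETS_RE = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)


def find_secret_exposure(workflow_text: str) -> list:
    """Return (line number, finding kind, line) for each over-broad secret access."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        if INHERIT_RE.match(line):
            findings.append((n, "inherit", line.strip()))
        if DYNAMIC_SECRET_RE.search(line):
            findings.append((n, "dynamic-index", line.strip()))
        if TOJSON_SECRETS_RE.search(line):
            findings.append((n, "tojson", line.strip()))
    return findings


# Constructed "before": a caller forwarding all secrets so the callee can pick
# one by name, plus the callee's dynamic lookup.
BEFORE = """\
# caller
jobs:
  release:
    uses: ./.github/workflows/bot-credentials.yml
    with:
      secret-name: CI_BOT_APP_ID
    secrets: inherit
# callee (bot-credentials.yml)
      - run: ./use-token.sh
        env:
          APP_ID: ${{ secrets[inputs.secret-name] }}
          ALL: ${{ toJSON(secrets) }}
"""

# Constructed "after": each needed secret is named explicitly, nothing else is passed.
AFTER = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: go-openapi/gh-actions/ci-jobs/bot-credentials@master
        with:
          github-app-id: ${{ secrets.CI_BOT_APP_ID }}
          github-app-private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
"""

if __name__ == "__main__":
    for n, kind, text in find_secret_exposure(BEFORE):
        print(f"before.yml:{n}: {kind}: {text}")
    print("after.yml findings:", find_secret_exposure(AFTER))
```

Explicit `secrets.NAME` references are deliberately not reported: they are the intended form, and a job can only see the secrets it names that way. The check is line-based on purpose so it can run as a pre-commit or CI step over `.github/workflows/*.yml` without a YAML parser.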
See https://github.com/go-openapi/gh-actions/releases for the release history.
This library ships under the SPDX-License-Identifier: Apache-2.0.
Maintainers can cut a new release by either:
- running this workflow, or
- pushing a semver tag:
  - signed tags are preferred
  - the tag message is prepended to the release notes