This document summarizes the GitHub Actions workflows and reusable stages provided by the repository template.
| Layer | Responsibility |
|---|---|
| PR Workflow | Orchestrates commit, test, build, acceptance for validation |
| Publish Workflow | Release management on merge to main |
| Deploy Workflow | Manual promotion of a selected tag |
| Stage Workflows | Reusable quality gates (can be invoked by other orchestrators) |
| Composite Actions | Encapsulate repeatable checks & reports |
File: workflows/cicd-1-pull-request.yaml
Trigger: pull_request (opened, reopened).
Purpose: Full PR quality gate (~≤20 min target).
Job sequence:
- metadata – gathers timestamps, tool versions, semantic version.
- commit-stage – calls reusable workflow stage-1-commit.yaml.
- test-stage – calls stage-2-test.yaml.
- build-stage – calls stage-3-build.yaml.
- acceptance-stage – calls stage-4-acceptance.yaml.
Outcome: Fast feedback on security, formatting, unit tests, build readiness, and higher‑level tests before merge.
File: workflows/cicd-2-publish.yaml
Trigger: pull_request closed on default branch where merged == true.
Purpose: Convert merged main commit into a release artefact and send optional notification.
Jobs:
- metadata – reconstructs build/version context.
- publish – placeholder for artefact retrieval (future), creates release/tag.
- success – optional Microsoft Teams notification (webhook secret gated).
File: workflows/cicd-3-deploy.yaml
Trigger: workflow_dispatch (input: tag; default latest).
Purpose: Manually deploy a chosen tag to an environment.
Jobs:
- metadata – captures tag + version details.
- deploy – placeholder deployment steps (extend with real infra logic).
File: workflows/stage-1-commit.yaml (invoked via workflow_call)
Parallel short-running jobs:
- scan-secrets – actions/scan-secrets
- check-file-format – actions/check-file-format
- check-markdown-format – actions/check-markdown-format
- check-english-usage – actions/check-english-usage
- lint-terraform – actions/lint-terraform
- count-lines-of-code – actions/create-lines-of-code-report
- scan-dependencies – actions/scan-dependencies

Purpose: Early fail-fast quality, security, formatting, and reporting gates.
File: workflows/stage-2-test.yaml
Jobs:
- test-unit – `make test-unit`
- test-lint – `make test-lint`
- test-coverage – depends on unit; `make test-coverage`

Purpose: Validate correctness, style, and coverage.
File: workflows/stage-3-build.yaml
Jobs:
- artefact-1 – placeholder for build + artefact upload.
- artefact-2 – second placeholder pattern.
Purpose: Scaffold for producing distributable artefacts.
File: workflows/stage-4-acceptance.yaml
Flow:
- environment-set-up – provision infra / DB / deploy app (placeholders).
- Parallel test jobs (all depend on setup):
  - test-security (`make test-security`)
  - test-ui (`make test-ui`)
  - test-ui-performance (`make test-ui-performance`)
  - test-integration (`make test-integration`)
  - test-load (`make test-load`)
- environment-tear-down – runs with `if: always()` after tests.

Purpose: Broad functional and non-functional validation in an ephemeral environment.
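
The set-up / parallel tests / guaranteed tear-down flow described above, as an added sketch (not the template's own stage-4-acceptance.yaml). Assumptions: the five suites are folded into one matrix job named `tests` instead of separate jobs, the runner label and `permissions` block are illustrative, and the set-up and tear-down steps are placeholders.

```yaml
# Added sketch, not the template's stage-4-acceptance.yaml.
name: Acceptance stage (sketch)
on:
  workflow_call:        # invoked by an orchestrator such as the PR workflow

permissions:
  contents: read        # assumption: test jobs only need to read the repository

jobs:
  environment-set-up:
    runs-on: ubuntu-latest
    steps:
      - run: echo "provision infra / DB / deploy app (placeholder)"

  tests:                             # hypothetical job name for the matrix
    needs: environment-set-up        # every suite waits for the environment
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false               # one failing suite must not cancel the rest
      matrix:
        target:
          - test-security
          - test-ui
          - test-ui-performance
          - test-integration
          - test-load
    steps:
      - uses: actions/checkout@v4
      - run: make ${{ matrix.target }}

  environment-tear-down:
    needs: [environment-set-up, tests]
    if: always()                     # still runs when set-up or a suite failed
    runs-on: ubuntu-latest
    steps:
      - run: echo "destroy the ephemeral environment (placeholder)"
```

Without `if: always()`, a failed suite would cause the tear-down job to be skipped and leave the ephemeral environment running.
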
| Action | Path | Purpose | Key Script(s) |
|---|---|---|---|
| Scan secrets | actions/scan-secrets | Detect committed secrets | Internal script (history scan) |
| Check file format | actions/check-file-format | Enforce formatting conventions | scripts/githooks/check-file-format.sh |
| Check Markdown format | actions/check-markdown-format | Markdown style/structure | scripts/githooks/check-markdown-format.sh |
| Check English usage | actions/check-english-usage | Natural language lint (e.g. Vale) | scripts/githooks/check-english-usage.sh (implied) |
| Lint Terraform | actions/lint-terraform | Terraform fmt + validate + custom checks | scripts/githooks/check-terraform-format.sh |
| Create LOC report | actions/create-lines-of-code-report | Generate & archive lines-of-code metrics | scripts/reports/create-lines-of-code-report.sh |
| Scan dependencies | actions/scan-dependencies | SBOM + vulnerability report | scripts/reports/create-sbom-report.sh (+ vulnerability script) |
Primary targets invoked:
- Test stage & acceptance tests: see `scripts/tests/test.mk` for `test-*` targets.
- Local workflow emulation: `runner-act` in `scripts/init.mk` (uses `act`).