GitHub Actions composite actions for the Elvia organization.
These actions are mainly intended for internal use at Elvia, but are open-source and can be used by anyone! They encapsulate common tasks that we perform using GitHub Actions, such as building and deploying applications, running tests, and scanning for vulnerabilities.
Note that some actions are specifically tailored to our infrastructure and will not work outside our organization, see here for more information.
- Examples
- Elvia runners
- Actions Documentation
- Development
## Examples

The files beginning with `example-` in the folder `.github/workflows` are working examples of how to use these actions.

Both of these examples require you to have added your system/application to the list in the [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform) repository. This is needed for the Build and Deploy actions to work correctly.

You can also click on the 'Actions' tab on your repository and click 'New workflow' to get a selection of Elvia templates. Some values in these templates are placeholders and need to be replaced with your own values; anything resembling `<your xxx here>` should be replaced. See the GitHub docs for more detailed information.
## Elvia runners

We strongly recommend using Elvia's self-hosted GitHub Actions runners for all actions. Several of our actions use optimizations only available on Elvia runners, and will run slower on GitHub-hosted runners.

To use the Elvia runners, replace `runs-on: ubuntu-latest` with `runs-on: elvia-runner` in your workflow file. See core-github-actions-runner for more information about the Elvia runners.
## Actions Documentation

### Build

Builds a Docker image, signs it using Cosign, scans it for vulnerabilities using Trivy and pushes to either Azure Container Registry or GitHub Container Registry. This action is a wrapper around the 3lv CLI build command (`3lv build`).

To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform).
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `ACR_NAME` | Name of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| `AZURE_CLIENT_ID` | Client ID of a service principal that can push to Azure Container Registry. | no | |
| `AZURE_TENANT_ID` | Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR. | no | |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `csproj-file` | Deprecated; use `project-file` instead, which is a drop-in replacement. `csproj-file` will be removed in the future. Path to a csproj-file, e.g. `src/my-app/my-app.csproj`. | no | |
| `docker-additional-tags` | Comma-separated list of additional tags to add to the image. | no | |
| `docker-build-context` | Docker build context, which is the working directory needed to build the Docker image. This is relative to the root of the repository. Defaults to the directory of `project-file`. | no | |
| `docker-cache-tag` | Tag used for getting build cache from registry. This tag is also pushed on every build, together with `github.sha-github.run_number`. This action will not push a `latest` tag; if you want a `latest` tag, you can use this input or `docker-additional-tags`. | no | `latest-cache` |
| `dockerfile` | Deprecated; use `project-file` instead, which is a drop-in replacement. `dockerfile` will be removed in the future. Path to a Dockerfile, e.g. `src/Dockerfile`. | no | |
| `go-main-package-dir` | Where the main package directory for Go projects is located, e.g. `./cmd/my-app`. Defaults to `./cmd/inputs.name`. | no | |
| `name` | Name of application. This will be used as the image name. For Elvia applications, do not include the namespace. | yes | |
| `namespace` | Namespace or system of the application. Required for Elvia applications. | no | |
| `project-file` | Path to a `.csproj`-file for .NET, a `go.mod` file for Go, a `pyproject.toml` file for Python or a Dockerfile for any other project. E.g. `applications/my-app/my-app.csproj`, `pkg/my-app/go.mod`, `pyproject.toml` or `src/Dockerfile`. If you require files outside the directory of the `project-file` to build your application, you will need to set `docker-build-context`. | no | |
| `push` | If `true`, the action will push the Docker image to the registry. | no | `true` |
| `registry` | What container registry to use; we support Azure Container Registry (ACR) and GitHub Container Registry (GHCR). Set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action authenticates with the registry depending on the value of the URL, i.e. whether the URL contains `azurecr.io` or `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry is used by default; set `ACR_NAME`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` explicitly to point to your own ACR. Using ACR requires the permission `id-token: write` to access the registry using OIDC. If set to a GHCR registry, the action pushes to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry. | no | |
| `severity` | Severity levels to scan for. See [Trivy documentation](https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs) for more information. | no | `CRITICAL` |
| `sign-image` | If `true`, the action will sign the Docker image with Cosign. | no | `true` |
| `trivy-cve-ignores` | Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax. | no | |
| `trivy-post-comment` | If `true`, the action will post a comment to the PR with the Trivy scan results. The comment is only posted if the action is run on a pull request. This requires the permission `pull-requests: write` to be set for the job. | no | `false` |
| `trivy-upload-report` | If `true`, the action will upload Trivy scan results to GitHub Advanced Security. This requires GitHub Advanced Security to be enabled for the repository, and the permissions `actions: read` and `security-events: write` to be set for the job. | no | `false` |
#### Outputs

| Name | Description |
|---|---|
| `image-digest` | Name of the Docker image that was built, with digest. |
| `image-name` | Name of the Docker image that was built, with tag. |
#### Permissions

This action requires the following base permissions:

```yaml
contents: read
id-token: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Build
  uses: 3lvia/core-github-actions-templates/build@trunk
  with:
    ACR_NAME:
      # Name of the Azure Container Registry to push to. Only required if using your own ACR.
      #
      # Required: no
    AZURE_CLIENT_ID:
      # Client ID of a service principal that can push to Azure Container Registry.
      #
      # Required: no
    AZURE_TENANT_ID:
      # Tenant ID of the Azure Container Registry to push to. Only required if using your own ACR.
      #
      # Required: no
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    docker-additional-tags:
      # Comma-separated list of additional tags to add to the image.
      #
      # Required: no
    docker-build-context:
      # Docker build context, which is the working directory needed to build the Docker image. This is relative to the root of the repository. Defaults to the directory of `project-file`.
      #
      # Required: no
    docker-cache-tag:
      # Tag used for getting build cache from registry. This tag is also pushed on every build, together with `github.sha-github.run_number`. This action will not push a `latest` tag; if you want a `latest` tag, you can use this input or `docker-additional-tags`.
      #
      # Default: 'latest-cache'
    go-main-package-dir:
      # Where the main package directory for Go projects is located, e.g. `./cmd/my-app`. Defaults to `./cmd/inputs.name`.
      #
      # Required: no
    name:
      # Name of application. This will be used as the image name. For Elvia applications, do not include the namespace.
      #
      # Required: yes
    namespace:
      # Namespace or system of the application. Required for Elvia applications.
      #
      # Required: no
    project-file:
      # Path to a `.csproj`-file for .NET, a `go.mod` file for Go, a `pyproject.toml` file for Python or a Dockerfile for any other project. E.g. `applications/my-app/my-app.csproj`, `pkg/my-app/go.mod`, `pyproject.toml` or `src/Dockerfile`. If you require files outside the directory of the `project-file` to build your application, you will need to set `docker-build-context`.
      #
      # Required: no
    push:
      # If `true`, the action will push the Docker image to the registry.
      #
      # Required: no
      # Default: 'true'
    registry:
      # What container registry to use; we support Azure Container Registry (ACR) and GitHub Container Registry (GHCR). Set this to the URL of the registry you want to use, e.g. `ghcr.io/3lvia` or `myregistry.azurecr.io`. The action authenticates with the registry depending on the value of the URL, i.e. whether the URL contains `azurecr.io` or `ghcr.io`. If set to an ACR registry, Elvia's private Azure Container Registry is used by default; set `ACR_NAME`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` explicitly to point to your own ACR. Using ACR requires the permission `id-token: write` to access the registry using OIDC. If set to a GHCR registry, the action pushes to the GitHub Container Registry of the repository. Using GHCR requires the `packages: write` permission to push to the registry.
      #
      # Required: no
    severity:
      # Severity levels to scan for. See [Trivy documentation](https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#inputs) for more information.
      #
      # Required: no
      # Default: 'CRITICAL'
    sign-image:
      # If `true`, the action will sign the Docker image with Cosign.
      #
      # Required: no
      # Default: 'true'
    trivy-cve-ignores:
      # Comma-separated list of CVEs for Trivy to ignore. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/#trivyignore) for syntax.
      #
      # Required: no
    trivy-post-comment:
      # If `true`, the action will post a comment to the PR with the Trivy scan results. The comment is only posted if the action is run on a pull request. This requires the permission `pull-requests: write` to be set for the job.
      #
      # Required: no
      # Default: 'false'
    trivy-upload-report:
      # If `true`, the action will upload Trivy scan results to GitHub Advanced Security. This requires GitHub Advanced Security to be enabled for the repository, and the permissions `actions: read` and `security-events: write` to be set for the job.
      #
      # Required: no
      # Default: 'false'
```
### Deploy

Deploys an application to Kubernetes using the Elvia Helm chart. This action is a wrapper around the 3lv CLI deploy command (`3lv deploy`).

To use the Build and Deploy actions with Elvia's container registry and runtime services, you must first add your GitHub repository to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform).
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `AKS_CLUSTER_NAME` | Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AKS_RESOURCE_GROUP` | Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AKS_SUBSCRIPTION_ID` | Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| `AZURE_CLIENT_ID` | Client ID of a service principal that has access to AKS. Only required for deploying to AKS. | no | |
| `AZURE_TENANT_ID` | Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters. | no | |
| `GC_SERVICE_ACCOUNT` | Service account to use for deploying to GKE. Only required for deploying to GKE. | no | |
| `GC_WORKLOAD_IDENTITY_PROVIDER` | Workload identity provider to use for deploying to GKE. Only required for deploying to GKE. | no | |
| `GKE_CLUSTER_LOCATION` | Location of the GKE cluster to deploy to. | no | `europe-west1` |
| `GKE_CLUSTER_NAME` | Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters. | no | |
| `GKE_PROJECT_ID` | Project ID of GKE to deploy to. Defaults to Elvia's normal clusters. | no | |
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `environment` | Environment to deploy to. | yes | |
| `helm-chart-repository-url` | Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart. | no | |
| `helm-values-file` | Path to Helm values file, relative to the root of the repository. | no | `.github/deploy/values.yml` |
| `helm-values-path` | Deprecated; use `helm-values-file` instead, which is a drop-in replacement. `helm-values-path` will be removed in the future. Path to Helm values file, relative to the root of the repository. | no | |
| `name` | Name of application. Do not include namespace. | yes | |
| `namespace` | Namespace or system of the application. | yes | |
| `override-image-tag` | Overrides the default image tag of `github.sha-github.run_number`. **This should not normally be set; only change this if you know what you are doing.** | no | `''` |
| `runtime-cloud-provider` | Kubernetes cloud provider to deploy to: `AKS`, `GKE` or `ISS` (Elvia only). | no | `AKS` |
| `slack-channel` | Slack channel to notify on failure. Leave empty to disable notifications. | no | `''` |
| `workload-type` | The type of workload to deploy to Kubernetes. Must be `deployment` or `statefulset`. | no | `deployment` |
#### Permissions

This action requires the following base permissions:

```yaml
contents: read
id-token: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Deploy
  uses: 3lvia/core-github-actions-templates/deploy@trunk
  with:
    AKS_CLUSTER_NAME:
      # Name of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    AKS_RESOURCE_GROUP:
      # Resource group of the AKS cluster to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    AKS_SUBSCRIPTION_ID:
      # Subscription ID of AKS to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    AZURE_CLIENT_ID:
      # Client ID of a service principal that has access to AKS. Only required for deploying to AKS.
      #
      # Required: no
    AZURE_TENANT_ID:
      # Tenant ID of AKS to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    GC_SERVICE_ACCOUNT:
      # Service account to use for deploying to GKE. Only required for deploying to GKE.
      #
      # Required: no
    GC_WORKLOAD_IDENTITY_PROVIDER:
      # Workload identity provider to use for deploying to GKE. Only required for deploying to GKE.
      #
      # Required: no
    GKE_CLUSTER_LOCATION:
      # Location of the GKE cluster to deploy to.
      #
      # Required: no
      # Default: 'europe-west1'
    GKE_CLUSTER_NAME:
      # Name of the GKE cluster to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    GKE_PROJECT_ID:
      # Project ID of GKE to deploy to. Defaults to Elvia's normal clusters.
      #
      # Required: no
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    environment:
      # Environment to deploy to.
      #
      # Required: yes
    helm-chart-repository-url:
      # Location of Elvia's Helm chart repository; should only be changed if testing a new version of the chart.
      #
      # Required: no
    helm-values-file:
      # Path to Helm values file, relative to the root of the repository.
      #
      # Required: no
      # Default: '.github/deploy/values.yml'
    name:
      # Name of application. Do not include namespace.
      #
      # Required: yes
    namespace:
      # Namespace or system of the application.
      #
      # Required: yes
    override-image-tag:
      # Overrides the default image tag of 'github.sha-github.run_number'. **This should not normally be set; only change this if you know what you are doing.**
      #
      # Required: no
      # Default: ''
    runtime-cloud-provider:
      # Kubernetes cloud provider to deploy to: `AKS`, `GKE` or `ISS` (Elvia only).
      #
      # Required: no
      # Default: 'AKS'
    slack-channel:
      # Slack channel to notify on failure. Leave empty to disable notifications.
      #
      # Required: no
      # Default: ''
    workload-type:
      # The type of workload to deploy to Kubernetes. Must be `deployment` or `statefulset`.
      #
      # Required: no
      # Default: 'deployment'
```
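The Build and Deploy actions are meant to be chained, and the permission lists above are per job, not per workflow. The workflow below is an added example written for this page; it is not one of the repository's `example-` workflows. It builds, signs and scans on every pull request and push to `trunk`, and deploys only from `trunk`. The application name `my-app`, the namespace `my-system`, the project path, the GitHub Actions environment `dev` and the Slack channel are placeholders. The point to copy is the token scoping: `permissions: {}` at workflow level, then each job declares only what its action needs, so the build job carries `pull-requests: write` solely because `trivy-post-comment` is switched on.

```yaml
name: Build and deploy

on:
  pull_request:
    branches: [trunk]
  push:
    branches: [trunk]

# Nothing at workflow level: every job declares its own minimal GITHUB_TOKEN scopes.
permissions: {}

jobs:
  build:
    runs-on: elvia-runner
    permissions:
      contents: read        # base permission of the Build action (checkout)
      id-token: write       # base permission of the Build action (OIDC to the registry, Cosign)
      pull-requests: write  # only because trivy-post-comment is enabled below
    steps:
      - name: Build
        uses: 3lvia/core-github-actions-templates/build@trunk
        with:
          name: my-app                             # placeholder
          namespace: my-system                     # placeholder
          project-file: src/my-app/my-app.csproj   # placeholder path
          severity: CRITICAL,HIGH                  # widen the scan from the default CRITICAL
          trivy-post-comment: true                 # the comment is only posted on pull requests
          # push and sign-image keep their default of true

  deploy-dev:
    needs: [build]
    # Pull requests are built and scanned above but never deployed.
    if: github.event_name == 'push' && github.ref == 'refs/heads/trunk'
    runs-on: elvia-runner
    environment: dev          # GitHub Actions environment, placeholder name
    permissions:
      contents: read          # base permission of the Deploy action (checkout)
      id-token: write         # base permission of the Deploy action (OIDC to AKS)
    steps:
      - name: Deploy
        uses: 3lvia/core-github-actions-templates/deploy@trunk
        with:
          name: my-app
          namespace: my-system
          environment: dev
          # The default image tag github.sha-github.run_number is the tag Build
          # pushed in this run, so override-image-tag stays unset.
          slack-channel: '#my-system-alerts'   # placeholder; empty disables notifications
```

If you switch `registry` to a GHCR URL, the build job additionally needs `packages: write`; if you enable `trivy-upload-report`, it needs `actions: read` and `security-events: write`. Keep those scopes on the build job only; the deploy job never needs them.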
### Unit Test

Run .NET unit tests.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `test-coverage` | If test coverage should be computed. Requires that all test projects include the NuGet package `coverlet.collector`. | no | `false` |
| `test-projects` | Pattern to use to find test projects. | no | `unit*test*csproj` |
| `working-directory` | Will run unit tests on projects under this working directory. | no | `./` |
#### Permissions

This action requires the following base permissions:

```yaml
checks: write
contents: read
issues: read
pull-requests: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Unit Test
  uses: 3lvia/core-github-actions-templates/unittest@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    dotnet-tool-manifest:
      # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
      #
      # Required: no
      # Default: './.config/dotnet-tools.json'
    test-coverage:
      # If test coverage should be computed. Requires that all test projects include the NuGet package coverlet.collector.
      #
      # Required: no
      # Default: 'false'
    test-projects:
      # Pattern to use to find test projects.
      #
      # Required: no
      # Default: 'unit*test*csproj'
    working-directory:
      # Will run unit tests on projects under this working directory.
      #
      # Required: no
      # Default: './'
```
### Integration Test

Run .NET integration tests.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `environment` | Environment is used to find the correct Vault instance. | yes | `dev` |
| `slack-channel` | Slack channel to notify on failure. Leave empty to disable notifications. | no | `''` |
| `system` | System is used to log in to Vault using the correct role. | yes | |
| `test-projects` | Pattern to use to find test projects. | no | `integration*test*csproj` |
| `working-directory` | Will run integration tests on projects under this working directory. | no | `./` |
#### Permissions

This action requires the following base permissions:

```yaml
checks: write
contents: read
id-token: write
issues: read
pull-requests: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Integration Test
  uses: 3lvia/core-github-actions-templates/integrationtest@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    dotnet-tool-manifest:
      # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
      #
      # Required: no
      # Default: './.config/dotnet-tools.json'
    environment:
      # Environment is used to find the correct Vault instance.
      #
      # Required: yes
      # Default: 'dev'
    slack-channel:
      # Slack channel to notify on failure. Leave empty to disable notifications.
      #
      # Required: no
      # Default: ''
    system:
      # System is used to log in to Vault using the correct role.
      #
      # Required: yes
    test-projects:
      # Pattern to use to find test projects.
      #
      # Required: no
      # Default: 'integration*test*csproj'
    working-directory:
      # Will run integration tests on projects under this working directory.
      #
      # Required: no
      # Default: './'
```
### Analyze

Run CodeQL analysis.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `dotnet-tool-manifest` | Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build. | no | `./.config/dotnet-tools.json` |
| `language` | Language to run CodeQL analysis on. Use a matrix strategy to run for multiple languages. | no | `csharp` |
| `upload-results` | If `true`, the action will upload CodeQL results to GitHub Security Code Scanning. If `false`, the action will not upload results. | no | `true` |
| `working-directory` | Will run CodeQL analysis on projects under this working directory. | no | `./` |
#### Permissions

This action requires the following base permissions:

```yaml
actions: read
contents: read
security-events: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Analyze
  uses: 3lvia/core-github-actions-templates/analyze@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    dotnet-tool-manifest:
      # Path to the .NET tool manifest file, relative to the root of the repository. Only needed if you require .NET tools that are outside of `working-directory` for the build.
      #
      # Required: no
      # Default: './.config/dotnet-tools.json'
    language:
      # Language to run CodeQL analysis on. Use a matrix strategy to run for multiple languages.
      #
      # Required: no
      # Default: 'csharp'
    upload-results:
      # If `true`, the action will upload CodeQL results to GitHub Security Code Scanning. If `false`, the action will not upload results.
      #
      # Required: no
      # Default: 'true'
    working-directory:
      # Will run CodeQL analysis on projects under this working directory.
      #
      # Required: no
      # Default: './'
```
### SonarCloud

Run SonarCloud scanning on .NET code.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `github-token` | Should normally be `secrets.GITHUB_TOKEN`. | yes | |
| `sonarcloud-project-key` | The SonarCloud project key or id. Normally on the form `3lvia_repo-name`. The project must be manually created on sonarcloud.io. | yes | |
| `sonarcloud-token` | Should normally be `secrets.SONAR_TOKEN`. | yes | |
| `test-projects` | Pattern to use to find test projects. | no | `*unit*test*csproj` |
| `working-directory` | Will run SonarCloud on projects under this working directory. | no | `./` |
#### Permissions

This action requires the following base permissions:

```yaml
checks: write
contents: read
id-token: write
issues: read
pull-requests: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: SonarCloud
  uses: 3lvia/core-github-actions-templates/sonarcloud@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    github-token:
      # Should normally be `secrets.GITHUB_TOKEN`.
      #
      # Required: yes
    sonarcloud-project-key:
      # The SonarCloud project key or id. Normally on the form `3lvia_repo-name`. The project must be manually created on sonarcloud.io.
      #
      # Required: yes
    sonarcloud-token:
      # Should normally be `secrets.SONAR_TOKEN`.
      #
      # Required: yes
    test-projects:
      # Pattern to use to find test projects.
      #
      # Required: no
      # Default: '*unit*test*csproj'
    working-directory:
      # Will run SonarCloud on projects under this working directory.
      #
      # Required: no
      # Default: './'
```
### Trivy IaC scan

Uses Trivy to scan IaC and report security issues. The action will report any vulnerabilities to GitHub Advanced Security, which will be visible in the Security tab on GitHub. If this action is run on a pull request, GitHub Advanced Security will give a detailed report of any vulnerabilities introduced by new changes in the pull request.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `path` | Path to the directory containing the IaC files. | no | `.` |
| `severity` | Severity levels to scan for. Can be any combination of `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `UNKNOWN`. Multiple values must be comma-separated. | no | `CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN` |
| `skip-dirs` | Comma-separated list of directories to skip. | no | |
| `trivyignore` | Path to the Trivy ignore file (`.trivyignore`) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to add more CVEs to ignore, add them to `.trivyignore`, or create a new file and specify the path here. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-finding-ids) for more information. | no | `.trivyignore` |
| `upload-report` | Whether or not to upload the report generated by Trivy to the GitHub *Security* tab. GitHub Advanced Security must be enabled for the repository to use this feature. | no | `true` |
#### Permissions

This action requires the following base permissions:

```yaml
actions: read
contents: read
security-events: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Trivy IaC scan
  uses: 3lvia/core-github-actions-templates/trivy-iac-scan@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    path:
      # Path to the directory containing the IaC files.
      #
      # Required: no
      # Default: '.'
    severity:
      # Severity levels to scan for. Can be any combination of `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `UNKNOWN`. Multiple values must be comma-separated.
      #
      # Required: no
      # Default: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
    skip-dirs:
      # Comma-separated list of directories to skip.
      #
      # Required: no
    trivyignore:
      # Path to the Trivy ignore file (`.trivyignore`) in the repository. This action will add a default set of CVEs that are ignored for all scans. If you wish to add more CVEs to ignore, add them to `.trivyignore`, or create a new file and specify the path here. See [Trivy documentation](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/filtering/#by-finding-ids) for more information.
      #
      # Required: no
      # Default: '.trivyignore'
    upload-report:
      # Whether or not to upload the report generated by Trivy to the GitHub *Security* tab. GitHub Advanced Security must be enabled for the repository to use this feature.
      #
      # Required: no
      # Default: 'true'
```
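The Analyze and Trivy IaC scan actions above share the same three base permissions and both feed GitHub code scanning, so they fit naturally in one pull-request workflow. The following is an added example written for this page, not a workflow from the repository: it runs CodeQL once per language through a matrix, as the `language` input recommends, and scans the infrastructure directory with Trivy. The language set, the `./src` and `./infrastructure` paths and the skipped directory are placeholders. The `.trivyignore` default is left in place on purpose; treat changes to that file as security-relevant in review, because every ID added to it silences that finding for all future scans.

```yaml
name: Security scans

on:
  pull_request:
  push:
    branches: [trunk]
  schedule:
    - cron: '0 4 * * 1'   # weekly re-scan of trunk as new CodeQL queries and Trivy checks ship

permissions: {}

jobs:
  codeql:
    runs-on: elvia-runner
    strategy:
      fail-fast: false
      matrix:
        language: [csharp, javascript]   # placeholder set; one job per language
    permissions:
      actions: read            # base permission of the Analyze action
      contents: read           # base permission of the Analyze action
      security-events: write   # base permission of the Analyze action (upload to code scanning)
    steps:
      - name: Analyze
        uses: 3lvia/core-github-actions-templates/analyze@trunk
        with:
          language: ${{ matrix.language }}
          working-directory: ./src          # placeholder
          # upload-results keeps its default of true

  iac:
    runs-on: elvia-runner
    permissions:
      actions: read            # base permission of the Trivy IaC scan action
      contents: read           # base permission of the Trivy IaC scan action
      security-events: write   # base permission of the Trivy IaC scan action
    steps:
      - name: Trivy IaC scan
        uses: 3lvia/core-github-actions-templates/trivy-iac-scan@trunk
        with:
          path: ./infrastructure                  # placeholder
          skip-dirs: ./infrastructure/examples    # placeholder; sample configs not deployed anywhere
          severity: CRITICAL,HIGH,MEDIUM          # drop LOW and UNKNOWN from the default to reduce noise
          # trivyignore keeps its default of .trivyignore; upload-report keeps its default of true
```

Both jobs rely on `upload-report` / `upload-results` staying `true`, which is what makes the pull-request view show only findings introduced by the change; with uploads disabled you still get the job result, but not the per-PR diff in the Security tab.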
### Playwright Test

Run Playwright tests written in .NET.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `environment` | Environment is used to find the correct Vault instance. | yes | |
| `system` | System is used to log in to Vault using the correct role. | yes | |
| `test-project` | Name of test project file to run. | yes | |
#### Permissions

This action requires the following base permissions:

```yaml
checks: write
contents: read
id-token: write
issues: read
pull-requests: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Playwright Test
  uses: 3lvia/core-github-actions-templates/playwright@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    environment:
      # Environment is used to find the correct Vault instance.
      #
      # Required: yes
    system:
      # System is used to log in to Vault using the correct role.
      #
      # Required: yes
    test-project:
      # Name of test project file to run.
      #
      # Required: yes
```
### Validate Metrics

Runs a PromQL query on Grafana Cloud. Returns success (return code 0) if the query has a result. Returns failure (return code 1) if the result is empty.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `checkout` | If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out. | no | `true` |
| `environment` | Environment is used to find the correct Vault instance. | yes | |
| `query` | PromQL query string. | yes | |
| `system` | System is used to log in to Vault using the correct role. | yes | |
#### Permissions

This action requires the following base permissions:

```yaml
id-token: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Validate Metrics
  uses: 3lvia/core-github-actions-templates/validate-metrics@trunk
  with:
    checkout:
      # If `true`, the action will check out the repository. If `false`, the action will assume the repository has already been checked out.
      #
      # Required: no
      # Default: 'true'
    environment:
      # Environment is used to find the correct Vault instance.
      #
      # Required: yes
    query:
      # PromQL query string.
      #
      # Required: yes
    system:
      # System is used to log in to Vault using the correct role.
      #
      # Required: yes
```
### Slack Message

Sends a message to a Slack channel.

The permission `id-token: write` is only required if you're not defining the `slack-api-token` input.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `environment` | Environment is used to find the correct Vault instance. Not required if you use `slack-api-token`. | no | |
| `message` | Message to send to the Slack channel. | yes | |
| `namespace` | Namespace is used to find the correct Vault role. Not required if you use `slack-api-token`. | no | |
| `slack-api-token` | Slack API token. Within the Elvia organization, you can use the GitHub organization secret `SLACK_API_TOKEN`. If no input is provided, the action will attempt to read the token from Elvia's Vault instance. Reading the token from Vault is only possible if the repository you are running this action from has been added to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform), and you are running inside the GitHub Actions environments `dev`, `test` or `prod`. | no | |
| `slack-channel` | Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel. | yes | |
#### Permissions

This action requires the following base permissions:

```yaml
contents: read
id-token: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Slack Message
  uses: 3lvia/core-github-actions-templates/slack-message@trunk
  with:
    environment:
      # Environment is used to find the correct Vault instance. Not required if you use `slack-api-token`.
      #
      # Required: no
    message:
      # Message to send to the Slack channel.
      #
      # Required: yes
    namespace:
      # Namespace is used to find the correct Vault role. Not required if you use `slack-api-token`.
      #
      # Required: no
    slack-api-token:
      # Slack API token. Within the Elvia organization, you can use the GitHub organization secret `SLACK_API_TOKEN`. If no input is provided, the action will attempt to read the token from Elvia's Vault instance. Reading the token from Vault is only possible if the repository you are running this action from has been added to [github-repositories-terraform](https://github.com/3lvia/github-repositories-terraform), and you are running inside the GitHub Actions environments `dev`, `test` or `prod`.
      #
      # Required: no
    slack-channel:
      # Slack channel to send message to. The app "Github Workflow Notifications" must be added to the channel.
      #
      # Required: yes
```
### ISS Tag & Push Image

Pulls an image from GHCR, re-tags it and pushes it to GCR. Only useful for ISS deployments.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `new-image-name` | Name of the Docker image to push to GCR, without the tag. | yes | |
| `old-image-name-with-tag` | Name of the Docker image to pull from GHCR, including the tag. | yes | |
#### Permissions

This action requires the following base permissions:

```yaml
contents: read
packages: read
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: ISS Tag & Push Image
  uses: 3lvia/core-github-actions-templates/iss-tag-push-image@trunk
  with:
    new-image-name:
      # Name of the Docker image to push to GCR, without the tag.
      #
      # Required: yes
    old-image-name-with-tag:
      # Name of the Docker image to pull from GHCR, including the tag.
      #
      # Required: yes
```
### Vault

Get secrets from Elvia's Vault for use in GitHub Actions.
#### Inputs

| Name | Description | Required | Default |
|---|---|---|---|
| `environment` | Environment is used to find the correct Vault instance. | no | `dev` |
| `exportToken` | Whether to export the Vault token as an environment variable. Set this to `true` if you need to be authenticated to Vault in subsequent steps. | no | `false` |
| `secrets` | Secrets to fetch from Vault; see [here](https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets) for syntax. | no | |
| `system` | System name is used to log in to Vault using the correct role. | yes | |
#### Permissions

This action requires the following base permissions:

```yaml
contents: read
id-token: write
```

More permissions might be required depending on the inputs set, see the actions documentation for more information.

#### Usage

```yaml
- name: Vault
  uses: 3lvia/core-github-actions-templates/vault@trunk
  with:
    environment:
      # Environment is used to find the correct Vault instance.
      #
      # Default: 'dev'
    exportToken:
      # Whether to export the Vault token as an environment variable. Set this to true if you need to be authenticated to Vault in subsequent steps.
      #
      # Default: 'false'
    secrets:
      # Secrets to fetch from Vault; see [here](https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets) for syntax.
      #
    system:
      # System name is used to log in to Vault using the correct role.
      #
      # Required: yes
```
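The Vault, Validate Metrics and Slack Message actions above are typically combined into a post-deployment check: fetch a secret, probe the running application, assert on its metrics, and notify someone if anything failed. The workflow below is an added example written for this page, not a workflow from the repository. The system name `my-system`, the Vault KV path, the smoke-test script, the PromQL labels and the Slack channel are placeholders, and the assumption that secrets fetched with `secrets:` land in the job environment under the name after `|` follows the vault-action syntax the `secrets` input links to. Two points it is meant to show: `exportToken` stays `false` so the Vault token does not outlive the step that needed it, and the notify job supplies `slack-api-token` from the organization secret, so it does not need `id-token: write` or a Vault role at all.

```yaml
name: Verify deployment

on:
  workflow_run:
    workflows: [Build and deploy]   # placeholder; name of the workflow that deploys
    types: [completed]

permissions: {}

jobs:
  verify:
    runs-on: elvia-runner
    environment: dev              # placeholder GitHub Actions environment
    permissions:
      contents: read              # base permission of the Vault action (checkout)
      id-token: write             # OIDC login to Vault, used by both Vault and Validate Metrics
    steps:
      - name: Vault
        uses: 3lvia/core-github-actions-templates/vault@trunk
        with:
          environment: dev
          system: my-system                       # placeholder
          exportToken: false                      # no VAULT_TOKEN left behind for later steps
          secrets: |
            my-system/kv/data/my-app/smoke api_key | SMOKE_API_KEY ;

      - name: Smoke test
        # SMOKE_API_KEY is assumed to be exported to the job environment by the step above.
        run: ./scripts/smoke-test.sh              # placeholder script

      - name: Validate Metrics
        uses: 3lvia/core-github-actions-templates/validate-metrics@trunk
        with:
          environment: dev
          system: my-system
          # Empty result means no healthy instance is reporting; the action then exits 1.
          query: 'up{namespace="my-system", app="my-app"} == 1'   # placeholder label names

  notify:
    needs: [verify]
    if: failure()
    runs-on: elvia-runner
    permissions:
      contents: read
      # No id-token: write here, because slack-api-token is supplied directly.
    steps:
      - name: Slack Message
        uses: 3lvia/core-github-actions-templates/slack-message@trunk
        with:
          slack-channel: '#my-system-alerts'      # placeholder; the app must be added to the channel
          slack-api-token: ${{ secrets.SLACK_API_TOKEN }}
          message: 'Post-deploy verification of my-app failed: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
```

If you prefer not to hand the organization secret to the repository, drop `slack-api-token` and give the notify job `id-token: write`, `environment` and `namespace` instead; that path only works for repositories registered in github-repositories-terraform and jobs running in the `dev`, `test` or `prod` environments, as the `slack-api-token` description states.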
The actions listed below are specific to Elvia's infrastructure and will not work outside our organization:
## Development

We use Prettier to format the README and YAML files. See the installation guide for how to install it. Run Prettier with this command:

```shell
prettier -w --single-quote "**/*.yml" "**/*.md"
# OR
prettier -w --single-quote --end-of-line crlf "**/*.yml" "**/*.md"
```
Documentation in the README is auto-generated for any actions in the repository using 3lvia/gh-actions-docs. The table of contents is also auto-generated, using the headers in this README.

To add documentation for a new action, add these two tags to the `README.md` file:

```html
<!-- gh-actions-docs-start path=my-new-action/action.yml owner=3lvia project=core-github-actions-templates version=trunk -->
<!-- gh-actions-docs-end -->
```

Replace `path` with the path to the action YAML file from the root of the repository. The fields `owner`, `project` and `version` are optional, but should be set to `3lvia`, `core-github-actions-templates` and `trunk` respectively. The field `permissions` is also optional, but should be set to the permissions required for the action to run, e.g. `permissions=actions:read,contents:read`.

The documentation will then be auto-generated, added to the table of contents and committed on push to the `trunk` branch.