Reusable GitHub Actions composite actions and CI workflow for the Sparkgeo organisation.
All action references in this repo are pinned to full commit SHAs. See CONTRIBUTING.md for authoring standards and how to add new actions.
## Workflows

| Workflow | File | Triggers | Purpose |
|---|---|---|---|
| CI | ci.yml | push to main, pull_request, schedule (weekly), workflow_dispatch | Dogfoods all composite actions in this repo; serves as a live reference implementation |
## Actions

Drop these into any job with a `uses:` step. Pin to a full commit SHA for supply-chain safety.

```shell
# Find the SHA to pin to
gh api repos/sparkgeo/github-actions/commits/main --jq '.sha'
```

| Action | Path | Purpose | Inputs |
|---|---|---|---|
| GitHub Actionlint | github-actionlint | Lints workflow and action YAML files using actionlint via reviewdog; posts annotations as GitHub Checks | None |
| Zizmor | zizmor | Runs zizmor static security analysis against workflow and action YAML files; uploads findings as SARIF to the Security tab | None |
| OpenSSF Scorecard | scorecard | Runs OpenSSF Scorecard checks; uploads SARIF to the Security tab | publish_results (default: false — always fails with HTTP 400 if set to true; see action description) |
| Dependency Review | dependency-review | Blocks PRs introducing dependencies with known vulnerabilities or non-permitted licenses; posts a summary comment. Also supports non-PR invocation via base-ref/head-ref. | fail-on-severity (default: high), allow-licenses (default: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, Unlicense, CC0-1.0), comment-summary-in-pr (default: on-failure), base-ref (default: ""), head-ref (default: "") |
| Storage Optimizer | storage-optimizer | Frees disk space on GitHub-hosted runners by removing unused toolchains (JDK, .NET, Swift, Android SDK, etc.) and pruning Docker | None |
| Terramate + OpenTofu Setup | terramate-opentofu-setup | Installs Terramate and OpenTofu, validates generated files are up to date, initialises changed stacks, and lists changed stacks | opentofu_version (default: 1.10.0), terramate_version (default: 0.14.7) |
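As an added example that is not part of this repo, the following POSIX shell script audits workflow and action YAML files for `uses:` references that are not pinned to a full 40-character commit SHA, which is the pinning policy described above. The function names, the constructed sample workflow and the SHA inside it are illustrative and not taken from the repo.

```shell
#!/bin/sh
# Added example (not part of sparkgeo/github-actions): audit `uses:` references
# in workflow/action YAML and flag any not pinned to a full 40-hex commit SHA.
# Mutable refs such as @main or @v4 are exactly what the SHA pinning policy forbids.

# Print every `uses:` reference in FILE that is not pinned to a 40-hex SHA.
# Local actions (./...) and docker:// images are skipped: they are not pinnable this way.
unpinned_refs() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" |
    sed -E -e 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
           -e 's/[[:space:]]*#.*$//' \
           -e "s/^[\"']//" -e "s/[\"']\$//" |
    grep -Ev '^(\./|docker://)' |
    grep -Ev '@[0-9a-f]{40}$'
}

# Return 0 when FILE is fully pinned, 1 otherwise (offenders are printed to stderr).
audit_pins() {
  offenders=$(unpinned_refs "$1" || true)
  if [ -n "$offenders" ]; then
    printf 'unpinned action references in %s:\n%s\n' "$1" "$offenders" >&2
    return 1
  fi
  return 0
}

# Constructed sample workflow; the 40-hex SHA below is made up, not a real commit.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
jobs:
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          persist-credentials: false
      - uses: sparkgeo/github-actions/.github/actions/github-actionlint@main  # mutable branch
      - uses: "actions/setup-node@v4"
      - uses: ./.github/actions/local-only
EOF

# Prints the two unpinned refs (the @main and @v4 ones) and returns 1.
audit_pins "$SAMPLE" || echo "pin audit failed as expected for the sample"
```

Run `audit_pins` over every file under `.github/` as a CI gate to enforce the policy automatically.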
## Usage

### GitHub Actionlint

```yaml
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@<SHA>
        with:
          persist-credentials: false
      - uses: sparkgeo/github-actions/.github/actions/github-actionlint@<SHA>
```

### Zizmor

```yaml
jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@<SHA>
        with:
          persist-credentials: false
      - uses: sparkgeo/github-actions/.github/actions/zizmor@<SHA>
```

### OpenSSF Scorecard

SARIF is always uploaded to the GitHub Security tab. Does not require `id-token: write` — `publish_results` defaults to false and no OIDC token is consumed.

Note on `publish_results`: Setting `publish_results: true` always fails with HTTP 400. The scorecard webapp verifies that the calling workflow directly invokes `ossf/scorecard-action` as a job step — composite action wrapping hides that call. Keep the default (false). To publish to the public OpenSSF database, call `ossf/scorecard-action` directly in your workflow.

```yaml
jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@<SHA>
        with:
          persist-credentials: false
      - uses: sparkgeo/github-actions/.github/actions/scorecard@<SHA>
        # publish_results defaults to false — do not set to true (always fails with HTTP 400)
```

### Dependency Review

Works on `pull_request` events (automatic base/head from PR context) and on push/non-PR events by passing `base-ref`/`head-ref` explicitly. Skip on initial branch push (`event.before` = zero SHA — no base to compare).

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.event.before != '0000000000000000000000000000000000000000')
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@<SHA>
        with:
          persist-credentials: false
      - uses: sparkgeo/github-actions/.github/actions/dependency-review@<SHA>
        with:
          fail-on-severity: high # critical | high | moderate | low
          allow-licenses: MIT, Apache-2.0, BSD-2-Clause # SPDX identifiers; deps with other licenses fail
          comment-summary-in-pr: always # always | on-failure | never
          base-ref: ${{ github.event_name == 'push' && github.event.before || '' }} # leave empty on pull_request
          head-ref: ${{ github.event_name == 'push' && github.sha || '' }} # leave empty on pull_request
```

### Storage Optimizer

Reclaims ~30 GB on ubuntu-latest runners — useful before large build or scan jobs.

```yaml
steps:
  - uses: sparkgeo/github-actions/.github/actions/storage-optimizer@<SHA>
```

### Terramate + OpenTofu Setup

```yaml
steps:
  - uses: sparkgeo/github-actions/.github/actions/terramate-opentofu-setup@<SHA>
    with:
      opentofu_version: "1.10.0" # optional — matches the action default
      terramate_version: "0.14.7" # optional — matches the action default
```

The action will fail the job if `terramate generate` produces uncommitted output, ensuring generated files are always in sync with the source of truth.
## Security programme

This repo is part of the Sparkgeo GitHub Actions security programme. The pillars are:

| Pillar | Issue | Summary |
|---|---|---|
| Workflow authoring standards | #25 | SHA pinning policy; actionlint/zizmor gate |
| Supply chain hardening | #26 | Org allowlist; dependency locking; approved actions |
| OIDC & secret federation | #27 | No static credentials; OIDC for cloud auth; environment-scoped secrets |
| Runner egress control | #28 | harden-runner audit → block; self-hosted runner isolation policy |
| Enterprise governance & observability | #29 | Org rulesets; OpenSSF Scorecard; audit log → SIEM |
To report a security vulnerability, use the Security Advisory process — do not open a public issue.