GitHub Actions workflows and actions accessible to all Pexip workflows. This repository provides reusable composite actions for common CI/CD tasks including Docker builds, security scanning, Terraform deployments, and release automation.
- auth-gcp-action - Authenticate with Google Cloud Platform using service account key or workload identity federation
- auth-github-action - Authenticate with GitHub Container Registry
- docker-build-action - Build and push Docker images with automatic tagging and metadata
- docker-security-scan-action - Security scan Docker images using Snyk
- terraform-deploy-gcp-action - Deploy infrastructure to GCP using Terraform (init, validate, plan, apply)
- terraform-deploy-openstack-action - Deploy infrastructure to OpenStack using Terraform
- release-action - Create GitHub releases with auto-generated notes and optional Jira integration
- setup-zizmor-action - Install zizmor CLI tool for GitHub Actions security analysis
Reference actions from this repository using the following pattern:

```yaml
uses: pexip/shared-github-actions/{action-name}@{ref}
```

The examples below use `@master` for brevity. In production workflows pin `{ref}` to a release tag or, preferably, a full commit SHA: a branch ref resolves to whatever the branch points at when the job runs, so a push to (or a compromise of) that branch silently changes the code every consuming pipeline executes. The setup-zizmor-action listed above installs a tool whose audits flag unpinned `uses:` references.
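As an added example (not code from this repository), the following script performs the basic check behind the pinning advice: it scans workflow text for remote `uses:` references and classifies each ref as an immutable commit SHA, a release tag, or a branch. The sample workflow it scans is constructed for the example and modelled on the snippets in this README; the 40-hex SHA in it is a placeholder, not a real commit.

```python
"""Flag mutable `uses:` references in GitHub Actions workflow files.

Added example, not part of pexip/shared-github-actions. It performs the same
basic check as zizmor's unpinned-uses audit: a reference such as `@master`
resolves to whatever that branch points at when the job runs, a tag can be
moved, and only a full commit SHA is immutable.
"""
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/path]@ref` (optionally as a list item) on one line.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^@\s]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    kind: str  # "sha", "tag" or "branch"


def classify_ref(ref: str) -> str:
    """Classify an action ref by how mutable it is."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per remote `uses:` reference in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        # Local actions (./path) and docker:// images carry no git ref.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        findings.append(Finding(lineno, action, ref, classify_ref(ref)))
    return findings


def unpinned(text: str, allow_tags: bool = True) -> list[Finding]:
    """Findings a reviewer should block on: branch refs, and tags unless allowed."""
    bad = {"branch"} if allow_tags else {"branch", "tag"}
    return [f for f in scan_workflow(text) if f.kind in bad]


# Constructed sample workflow, modelled on the examples in this README.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: pexip/shared-github-actions/auth-gcp-action@master
        with:
          repository: ${{ vars.DOCKER_REPO }}
      - uses: ./.github/actions/local-helper
      - uses: pexip/shared-github-actions/docker-build-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for f in unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} is a {f.kind} ref; pin to a commit SHA")
```

Run it against `.github/workflows/*.yml` by reading each file into `unpinned()`; set `allow_tags=False` if your policy requires SHA pins for everything, including `actions/checkout@v4`.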
Build and push a Docker image, authenticating to GCP with a service account key:

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: pexip/shared-github-actions/auth-gcp-action@master
    with:
      repository: ${{ vars.DOCKER_REPO }}
      service_account_key: ${{ secrets.DEPLOY_SERVICE_ACCOUNT_KEY }}
  - uses: pexip/shared-github-actions/docker-build-action@master
    with:
      repository: ${{ vars.DOCKER_REPO }}
      image_name: my-application
      dockerfile: Dockerfile
```
Deploy infrastructure to GCP with Terraform (the action runs init, validate, plan and apply):

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: pexip/shared-github-actions/auth-gcp-action@master
    with:
      repository: ${{ vars.DOCKER_REPO }}
      service_account_key: ${{ secrets.DEPLOY_SERVICE_ACCOUNT_KEY }}
  - uses: pexip/shared-github-actions/terraform-deploy-gcp-action@master
    with:
      directory: ./deploy
      token: ${{ secrets.GITHUB_TOKEN }}
```
Workload Identity Federation allows GitHub Actions to authenticate to GCP without using service account keys. Instead of a long-lived JSON key stored as a repository secret, each job presents the short-lived OIDC token GitHub mints for it, and GCP exchanges that token for temporary credentials of a service account the job is allowed to impersonate. There is no key to leak, rotate or revoke, which is why this is the preferred way to use auth-gcp-action.

1. Create a Workload Identity Pool:

   ```shell
   gcloud iam workload-identity-pools create "github-pool" \
     --project="${PROJECT_ID}" \
     --location="global" \
     --display-name="GitHub Actions Pool"
   ```

2. Create a Workload Identity Provider. The attribute condition is the trust boundary of the pool: only tokens issued for repositories owned by `pexip` are accepted at all, whatever bindings exist further down.

   ```shell
   gcloud iam workload-identity-pools providers create-oidc "github-provider" \
     --project="${PROJECT_ID}" \
     --location="global" \
     --workload-identity-pool="github-pool" \
     --display-name="GitHub provider" \
     --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
     --attribute-condition="assertion.repository_owner == 'pexip'" \
     --issuer-uri="https://token.actions.githubusercontent.com"
   ```

3. Create a Service Account:

   ```shell
   gcloud iam service-accounts create "github-actions-sa" \
     --project="${PROJECT_ID}" \
     --display-name="GitHub Actions Service Account"
   ```

4. Grant permissions to the Service Account. Grant only the roles the workflow needs; the example grants Artifact Registry write access for pushing images:

   ```shell
   # Example: grant Artifact Registry write access
   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member="serviceAccount:github-actions-sa@${PROJECT_ID}.iam.gserviceaccount.com" \
     --role="roles/artifactregistry.writer"
   ```

5. Allow the Workload Identity Pool to impersonate the Service Account. The member below uses the project number, not the project ID. Binding on `attribute.repository/pexip/REPOSITORY_NAME` limits impersonation to that one repository; a binding on the whole pool (`.../workloadIdentityPools/github-pool/*`) would let every repository that passes the attribute condition, i.e. every repository in the pexip organisation, act as this service account.

   ```shell
   gcloud iam service-accounts add-iam-policy-binding "github-actions-sa@${PROJECT_ID}.iam.gserviceaccount.com" \
     --project="${PROJECT_ID}" \
     --role="roles/iam.workloadIdentityUser" \
     --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/github-pool/attribute.repository/pexip/REPOSITORY_NAME"
   ```

6. Get the Workload Identity Provider resource name:

   ```shell
   gcloud iam workload-identity-pools providers describe "github-provider" \
     --project="${PROJECT_ID}" \
     --location="global" \
     --workload-identity-pool="github-pool" \
     --format="value(name)"
   ```

   Save this value as the WORKLOAD_IDENTITY_PROVIDER variable in your repository, and the service account email (github-actions-sa@${PROJECT_ID}.iam.gserviceaccount.com) as SERVICE_ACCOUNT_EMAIL.
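To make the two trust decisions in the setup above concrete, here is an added example (not code from this repository and not GCP's own implementation) that simulates them: the provider's attribute mapping and attribute condition from step 2, and the service account binding from step 5. The GitHub OIDC token it uses is constructed and unsigned, with only the claims the mapping references; the real exchange verifies the token signature against the issuer's published keys, which is omitted here. The project number is a placeholder value.

```python
"""Simulate how the Workload Identity Federation setup decides whether a
GitHub Actions job may impersonate github-actions-sa.

Added example, not part of pexip/shared-github-actions and not GCP code. Two
checks are modelled, using the mapping and condition from the
`providers create-oidc` command:

  1. the pool's attribute condition (assertion.repository_owner == 'pexip')
     decides whether the GitHub OIDC token is accepted at all;
  2. the IAM binding on the service account decides which principals from the
     pool may impersonate it. A binding on attribute.repository/pexip/<repo>
     admits one repository; a binding on the whole pool (/*) admits every
     repository that passed the condition.
"""
import base64
import json

PROJECT_NUMBER = "123456789012"   # constructed placeholder, not a real project
POOL = "github-pool"
POOL_PREFIX = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
               f"/locations/global/workloadIdentityPools/{POOL}")

# --attribute-mapping from the provider definition: target attribute -> claim.
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.actor": "actor",
    "attribute.repository": "repository",
    "attribute.repository_owner": "repository_owner",
}


def claims_from_jwt(token: str) -> dict:
    """Decode a JWT payload without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_attributes(claims: dict) -> dict:
    """Apply the provider's attribute mapping to the token claims."""
    return {attr: claims[claim] for attr, claim in ATTRIBUTE_MAPPING.items()}


def attribute_condition(attrs: dict) -> bool:
    """The --attribute-condition: only tokens minted for the pexip org pass."""
    return attrs["attribute.repository_owner"] == "pexip"


def principals_for(attrs: dict) -> set:
    """Every principal / principalSet identifier this token can satisfy."""
    principals = {f"{POOL_PREFIX}/*"}                      # whole pool
    for attr, value in attrs.items():
        if attr.startswith("attribute."):                   # per-attribute sets
            principals.add(f"{POOL_PREFIX}/{attr}/{value}")
    subject = attrs["google.subject"]                       # single identity
    principals.add(f"principal://iam.googleapis.com/projects/{PROJECT_NUMBER}"
                   f"/locations/global/workloadIdentityPools/{POOL}/subject/{subject}")
    return principals


def can_impersonate(token: str, binding_member: str) -> bool:
    """True if the token passes the pool condition and matches the SA binding."""
    attrs = map_attributes(claims_from_jwt(token))
    if not attribute_condition(attrs):
        return False                      # rejected at the token exchange
    return binding_member in principals_for(attrs)


def make_token(repository: str, actor: str, ref: str = "refs/heads/main") -> str:
    """Build a constructed, unsigned GitHub-style OIDC token for the simulation."""
    claims = {
        "iss": "https://token.actions.githubusercontent.com",
        "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "actor": actor,
    }

    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{b64({'alg': 'none'})}.{b64(claims)}."


# The binding from step 5, scoped to one repository, beside a pool-wide binding.
REPO_BINDING = f"{POOL_PREFIX}/attribute.repository/pexip/REPOSITORY_NAME"
POOL_BINDING = f"{POOL_PREFIX}/*"

if __name__ == "__main__":
    for repo, binding in [("pexip/REPOSITORY_NAME", REPO_BINDING),
                          ("pexip/another-repo", REPO_BINDING),
                          ("pexip/another-repo", POOL_BINDING),
                          ("not-pexip/REPOSITORY_NAME", POOL_BINDING)]:
        ok = can_impersonate(make_token(repo, "octocat"), binding)
        print(f"{repo:28} binding {binding[len(POOL_PREFIX):]:45} -> {ok}")
```

The four cases in the `__main__` block are the ones worth remembering when reviewing a binding: the repository-scoped member admits only the named repository, the pool-wide member admits any pexip repository, and a token from another organisation is refused by the attribute condition before any binding is consulted.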
Build and push a Docker image using Workload Identity Federation. The job running these steps must declare `id-token: write` in its `permissions` block (together with `contents: read` for the checkout); without it the runner cannot request the OIDC token that the provider exchanges for GCP credentials:

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: pexip/shared-github-actions/auth-gcp-action@master
    with:
      repository: ${{ vars.DOCKER_REPO }}
      workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
      service_account: ${{ vars.SERVICE_ACCOUNT_EMAIL }}
  - uses: pexip/shared-github-actions/docker-build-action@master
    with:
      repository: ${{ vars.DOCKER_REPO }}
      image_name: my-application
      dockerfile: Dockerfile
```
Create a GitHub release with auto-generated notes:

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - uses: pexip/shared-github-actions/release-action@master
    with:
      version: v1.0.0
      github_token: ${{ secrets.GITHUB_TOKEN }}
```
Configure these secrets in your repository settings:

- DEPLOY_SERVICE_ACCOUNT_KEY - GCP service account JSON key for authentication and Docker registry access (not needed when using Workload Identity Federation)
- SNYK_PEXIP_UNSORTED_ACCESS_TOKEN - Snyk API token for security scanning (if using docker-security-scan-action)
- GITHUB_TOKEN - Automatically provided by GitHub Actions; no configuration needed
- jira_webhook - Jira automation webhook URL for release integration
Configure these variables in your repository settings:

- DOCKER_REPO - Docker repository URL (e.g., europe-docker.pkg.dev/project-id/repo-name)
- DOCKER_IMAGE - Docker image name
- DEPLOY_PROJECT_ID - GCP project ID for deployments

If using Workload Identity Federation instead of service account keys:

- WORKLOAD_IDENTITY_PROVIDER - Workload identity provider resource name (e.g., projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID)
- SERVICE_ACCOUNT_EMAIL - Service account email to impersonate (e.g., [email protected])
Complete workflow examples are located in the examples folder:
- development.yml - Full development pipeline with Docker build, security scan, and Terraform deployment
- production.yml - Production deployment workflow triggered on main branch pushes or version tags
- release.yml - Release workflow with GitHub and Jira integration
These examples demonstrate common patterns for integrating multiple actions into complete CI/CD pipelines.