This repository contains a comprehensive set of GitHub Actions workflows for managing GitHub self-hosted runners using Docker containers.
Triggers:
- Push to `main` and `develop` branches
- Pull requests to `main` and `develop` branches
- Manual workflow dispatch with configurable options
Features:
- Linting & Validation: Docker files, shell scripts, and environment files
- Security Scanning: Trivy vulnerability scanning and secret detection
- Docker Build: Multi-platform container images with caching
- Testing: Unit, integration, and configuration tests
- Deployment: Staging and production deployments with proper approvals
- Cleanup: Automated resource cleanup and reporting
Security Measures:
- Least privilege permissions for GITHUB_TOKEN
- Container image vulnerability scanning
- Secret scanning with TruffleHog
- SARIF upload for security events
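The security measures above, shown together in one workflow file as an added example (this is not the repository's own workflow). It assumes the `develop` branch exists, that the runner's Dockerfiles and lock files live under the checkout root, and the job and SARIF file names are invented for the example; action versions are pinned to major tags here and should be pinned to full commit SHAs in a real repository.

```yaml
name: CI/CD Pipeline (security jobs, added example)

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Top-level default: the GITHUB_TOKEN can do nothing. Each job opts in to exactly
# the scopes it needs, so a compromised step in one job cannot use another job's rights.
permissions: {}

jobs:
  secret-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read                   # reading the repository is all this job needs
    steps:
      - uses: actions/checkout@v4      # pin to a full commit SHA in production
        with:
          fetch-depth: 0               # full history: leaked-then-deleted secrets are still in git
      - name: TruffleHog, verified secrets only
        uses: trufflesecurity/trufflehog@main   # pin to a full commit SHA in production
        with:
          path: ./
          extra_args: --only-verified  # report credentials that actually authenticate, not pattern noise

  vuln-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write           # only needed for the SARIF upload to the Security tab
    steps:
      - uses: actions/checkout@v4
      - name: Trivy filesystem scan (Dockerfiles, lockfiles, misconfigurations)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-fs.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '0'               # never fail here, the upload step below must always run
      - name: Upload findings to GitHub code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs           # keeps these alerts separate from other SARIF producers
      - name: Gate on unfixed CRITICAL findings
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: table
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'               # fails the job, and therefore the pull request check
```

Separating the upload step from the gating step is deliberate: if a single Trivy step both wrote SARIF and exited non-zero, the upload would be skipped on exactly the runs where the findings matter most, and the `if: always()` on the upload plus the second scan with `exit-code: '1'` avoids that.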
Triggers:
- Scheduled weekly (Mondays at 6 AM UTC)
- Manual workflow dispatch with update type selection
Features:
- Dependency Updates: Docker base images and GitHub Actions
- Security Scanning: Comprehensive dependency vulnerability checks
- Cleanup: Old workflow runs and artifacts
- Health Checks: Repository health assessment and reporting
Triggers:
- Git tags matching the `v*.*.*` pattern
- Manual workflow dispatch with version and release type
Features:
- Version Validation: Semantic version format checking
- Multi-platform Builds: Linux AMD64 and ARM64 support
- Container Signing: Cosign integration for image verification
- SBOM Generation: Software Bill of Materials creation
- Security Validation: Pre-release vulnerability scanning
- GitHub Releases: Automated release creation with changelog
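The release features above, carried through end to end as an added example; it is not the repository's own release workflow. The image name `ghcr.io/example-org/self-hosted-runner`, the Dockerfile path `docker/Dockerfile` and the job names are placeholders, and signing uses Cosign keyless mode (GitHub OIDC token, public Sigstore instance), which is an assumption about how the project signs.

```yaml
name: Release Management (added example)

on:
  push:
    tags: ['v*.*.*']
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to release, e.g. v1.2.3'
        required: true
        type: string
      release_type:
        description: 'Release type'
        type: choice
        options: [release, prerelease]
        default: release

permissions: {}

env:
  IMAGE: ghcr.io/example-org/self-hosted-runner   # placeholder image name

jobs:
  validate:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.ver.outputs.version }}
    steps:
      - id: ver
        env:
          RAW: ${{ inputs.version || github.ref_name }}   # dispatch input, else the pushed tag
        run: |
          # Accept only SemVer 2.0.0 with a leading "v"; pre-release and build metadata allowed.
          if [[ ! "$RAW" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
            echo "::error::'$RAW' is not a semantic version of the form vMAJOR.MINOR.PATCH"
            exit 1
          fi
          echo "version=$RAW" >> "$GITHUB_OUTPUT"

  build-sign-release:
    needs: validate
    runs-on: ubuntu-latest
    permissions:
      contents: write      # create the GitHub release
      packages: write      # push the image to GHCR
      id-token: write      # mint the OIDC token Cosign uses for keyless signing
    steps:
      - uses: actions/checkout@v4                # pin to a full commit SHA in production
      - uses: docker/setup-qemu-action@v3        # emulation for the arm64 half of the build
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile                # assumption: Dockerfile location
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.IMAGE }}:${{ needs.validate.outputs.version }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Pre-release vulnerability gate on the exact image that was pushed
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'                         # a CRITICAL finding stops the release here
      - uses: sigstore/cosign-installer@v3
      - name: Sign by digest (tags can be moved, digests cannot)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: cosign sign --yes "${IMAGE}@${DIGEST}"
      - name: Generate an SPDX SBOM for the image
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: false
      - name: Attach the SBOM to the image as a signed attestation
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: cosign attest --yes --type spdxjson --predicate sbom.spdx.json "${IMAGE}@${DIGEST}"
      - name: Create the GitHub release with a generated changelog
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ needs.validate.outputs.version }}
          PRERELEASE: ${{ inputs.release_type == 'prerelease' }}
        run: |
          args=(--title "$VERSION" --generate-notes)
          [ "$PRERELEASE" = "true" ] && args+=(--prerelease)
          gh release create "$VERSION" "${args[@]}" sbom.spdx.json
```

Consumers verify a release with `cosign verify` against the digest, naming the expected workflow identity (`--certificate-identity-regexp` matching this repository's workflow path and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`), which is what makes keyless signing stronger than a tag name: the signature binds the image bytes to the workflow that built them.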
Triggers:
- Scheduled every 6 hours
- Manual workflow dispatch with check type selection
Features:
- Infrastructure Health: Registry connectivity and image availability
- Security Monitoring: Continuous vulnerability scanning with issue creation
- Performance Monitoring: Repository size and build performance metrics
- Dependency Monitoring: Outdated packages and actions tracking
- Alert Summary: Comprehensive health scoring and reporting
- All sensitive data accessed via GitHub Secrets
- Environment-specific secrets for staging and production
- No hardcoded credentials in workflows
- Least privilege principle for GITHUB_TOKEN
- Granular permissions per job
- Security events write access for vulnerability reporting
- Filesystem and container image scanning with Trivy
- SARIF format uploads to GitHub Security tab
- Automated issue creation for critical vulnerabilities
- Secret scanning with TruffleHog
- Multi-stage Docker builds for minimal attack surface
- Image signing with Cosign
- Software Bill of Materials (SBOM) generation
- Multi-platform builds for broader compatibility
- Docker BuildKit with advanced caching
- GitHub Actions cache for dependencies
- Matrix strategies for parallel testing
- Optimized checkout with shallow clones
- Comprehensive test matrix (unit, integration, config)
- Health checks and monitoring
- Automated rollback capabilities
- Environment protection rules
- Detailed test reporting and artifacts
- Performance metrics collection
- Health scoring and alerting
- Comprehensive logging
Required secrets for full functionality:
```
# Staging environment
STAGING_GITHUB_TOKEN=<token_for_staging_runner>
STAGING_REPOSITORY=<staging_repo_name>
# Production environment
PROD_GITHUB_TOKEN=<token_for_production_runner>
PROD_REPOSITORY=<production_repo_name>
```

Use workflow dispatch to manually trigger deployments:
- Go to Actions tab in GitHub
- Select "CI/CD Pipeline" workflow
- Click "Run workflow"
- Configure options:
- Environment: staging/production
- Skip tests: true/false
- Force rebuild: true/false
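The secrets listed above and the three dispatch options, wired into a deploy job as an added example (not the repository's own pipeline). It assumes the deploy host is the job runner itself, that `docker/docker-compose.production.yml` reads `RUNNER_TOKEN` and `RUNNER_REPOSITORY` from the environment (both variable names are invented here), and that GitHub Environments named `staging` and `production` exist with their protection rules configured.

```yaml
name: CI/CD Pipeline (deploy job, added example)

on:
  workflow_dispatch:
    inputs:
      environment:
        description: 'Target environment'
        type: choice
        options: [staging, production]
        default: staging
      skip_tests:
        description: 'Skip the test job'
        type: boolean
        default: false
      force_rebuild:
        description: 'Rebuild the image without the layer cache'
        type: boolean
        default: false

permissions: {}

jobs:
  test:
    if: ${{ !inputs.skip_tests }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4               # pin to a full commit SHA in production
      - name: Configuration test (the compose file must render)
        run: docker compose -f docker/docker-compose.production.yml config --quiet

  deploy:
    needs: test
    # Run when tests passed or were skipped on purpose, never when they failed or were cancelled.
    if: ${{ always() && !contains(fromJSON('["failure","cancelled"]'), needs.test.result) }}
    runs-on: ubuntu-latest                      # assumption: the deploy host is the job runner
    # Binding the job to a GitHub Environment enforces that environment's protection rules
    # (required reviewers, allowed branches) before the first step runs.
    environment: ${{ inputs.environment }}
    permissions:
      contents: read
    env:
      DEPLOY_ENV: ${{ inputs.environment }}
      # Pick the environment's credentials from repository secrets; nothing is hard-coded.
      RUNNER_TOKEN: ${{ inputs.environment == 'production' && secrets.PROD_GITHUB_TOKEN || secrets.STAGING_GITHUB_TOKEN }}
      RUNNER_REPOSITORY: ${{ inputs.environment == 'production' && secrets.PROD_REPOSITORY || secrets.STAGING_REPOSITORY }}
    steps:
      - uses: actions/checkout@v4
      - name: Refuse to deploy with missing secrets
        run: |
          if [ -z "$RUNNER_TOKEN" ] || [ -z "$RUNNER_REPOSITORY" ]; then
            echo "::error::secrets for '$DEPLOY_ENV' are not configured"
            exit 1
          fi
      - name: Build and (re)start the runner container
        env:
          NO_CACHE: ${{ inputs.force_rebuild && '--no-cache' || '' }}
        run: |
          docker compose -f docker/docker-compose.production.yml build $NO_CACHE
          docker compose -f docker/docker-compose.production.yml up -d
```

Two details are worth keeping when adapting this: the dispatch value is passed to the shell through an environment variable rather than interpolated into the script, so a free-text input could never become a command, and the missing-secret check runs before anything is built, so a misconfigured environment fails fast instead of starting a runner that registers against the wrong repository.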
- Automated: push a git tag with a semantic version:

  ```bash
  git tag v1.0.0
  git push origin v1.0.0
  ```

- Manual: use workflow dispatch:
  - Go to "Release Management" workflow
  - Click "Run workflow"
  - Specify version and release type
The monitoring workflow provides:
- Health Score: Overall system health percentage
- Automated Issues: Critical vulnerability detection
- Performance Metrics: Build times and repository statistics
- Dependency Tracking: Outdated packages and actions
Update environment-specific settings in:
- `config/runner.env.example` - Standard runner configuration template
- `config/chrome-runner.env.example` - Chrome runner configuration template
- `docker/docker-compose.production.yml` - Standard runner orchestration
- `docker/docker-compose.chrome.yml` - Chrome runner orchestration
- Workflow environment sections
Extend the monitoring workflow by:
- Adding new jobs for specific checks
- Updating the alert summary to include new results
- Configuring appropriate failure conditions
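The monitoring workflow as described (six-hourly schedule, check-type selection, registry and image availability, continuous vulnerability scanning with issue creation, and a health score), together with the extension pattern just listed, shown as an added example rather than the repository's own workflow. The image reference, job names, the `security`/`monitoring` labels and the 80% threshold are assumptions; new checks are added as jobs and appended to the summary job's `needs` list.

```yaml
name: Monitoring (added example)

on:
  schedule:
    - cron: '0 */6 * * *'            # every 6 hours, UTC
  workflow_dispatch:
    inputs:
      check_type:
        description: 'Which checks to run'
        type: choice
        options: [all, infrastructure, security]
        default: all

permissions: {}

env:
  IMAGE: ghcr.io/example-org/self-hosted-runner:latest   # placeholder image reference

jobs:
  infrastructure:
    if: ${{ github.event_name == 'schedule' || contains(fromJSON('["all","infrastructure"]'), inputs.check_type) }}
    runs-on: ubuntu-latest
    permissions:
      packages: read
    steps:
      - uses: docker/login-action@v3   # pin to a full commit SHA in production
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Registry connectivity and image availability
        # fails if the registry is unreachable or the tag no longer exists
        run: docker manifest inspect "$IMAGE" > /dev/null

  security:
    if: ${{ github.event_name == 'schedule' || contains(fromJSON('["all","security"]'), inputs.check_type) }}
    runs-on: ubuntu-latest
    permissions:
      packages: read
      issues: write                    # granted only here, to file the alert issue
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: trivy
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: true        # keep the job alive so the issue step can run
        with:
          image-ref: ${{ env.IMAGE }}
          format: json
          output: trivy.json
          severity: CRITICAL
          ignore-unfixed: true
          exit-code: '1'
      - name: File, or append to, the tracking issue for critical findings
        if: steps.trivy.outcome == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = JSON.parse(fs.readFileSync('trivy.json', 'utf8'));
            const vulns = (report.Results || []).flatMap(r => r.Vulnerabilities || []);
            const rows = vulns.map(v => `| ${v.VulnerabilityID} | ${v.PkgName} | ${v.InstalledVersion} | ${v.FixedVersion || '-'} |`);
            const body = ['| ID | Package | Installed | Fixed |', '|---|---|---|---|', ...rows, '',
              `Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`].join('\n');
            // Reuse the open tracking issue instead of filing a duplicate every six hours.
            const labels = ['security', 'monitoring'];
            const { data: open } = await github.rest.issues.listForRepo({ ...context.repo, state: 'open', labels: labels.join(',') });
            if (open.length) {
              await github.rest.issues.createComment({ ...context.repo, issue_number: open[0].number, body });
            } else {
              await github.rest.issues.create({ ...context.repo, labels, body,
                title: `[monitoring] ${vulns.length} critical vulnerabilities in ${process.env.IMAGE}` });
            }
      - if: steps.trivy.outcome == 'failure'
        run: exit 1                    # make the job result reflect the finding

  alert-summary:
    needs: [infrastructure, security]  # add every new check job here and it is scored
    if: always()                       # summarise even when a check failed or was skipped
    runs-on: ubuntu-latest
    steps:
      - name: Health score
        env:
          RESULTS: ${{ toJSON(needs) }}
        run: |
          # score = successful checks / checks that actually ran, as a percentage
          total=$(echo "$RESULTS" | jq '[.[] | select(.result != "skipped")] | length')
          ok=$(echo "$RESULTS" | jq '[.[] | select(.result == "success")] | length')
          score=$(( total == 0 ? 100 : ok * 100 / total ))
          { echo "## Health score: ${score}%"; echo; echo '| Check | Result |'; echo '|---|---|';
            echo "$RESULTS" | jq -r 'to_entries[] | "| \(.key) | \(.value.result) |"'; } >> "$GITHUB_STEP_SUMMARY"
          [ "$score" -ge 80 ] || { echo "::error::health score ${score}% is below the 80% threshold"; exit 1; }
```

The `continue-on-error` on the Trivy step is the part that is easy to get wrong: without it a CRITICAL finding ends the job before the issue is created, so the alert that the scan exists to raise is never filed, and the trailing `exit 1` restores the failing job result so the summary job still counts it against the score.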
These workflows implement GitHub Actions best practices:
- ✅ Least privilege permissions
- ✅ Pinned action versions
- ✅ Comprehensive security scanning
- ✅ Efficient caching strategies
- ✅ Proper secret management
- ✅ Environment protection
- ✅ Automated testing
- ✅ Performance optimization
- ✅ Observability and monitoring
- Permission Errors: Check GITHUB_TOKEN permissions in workflow
- Cache Misses: Verify cache key patterns and paths
- Deployment Failures: Review environment protection rules
- Security Scan Failures: Address vulnerabilities before proceeding
Enable debug logging by setting repository secrets:
```
ACTIONS_STEP_DEBUG=true
ACTIONS_RUNNER_DEBUG=true
```
For more information about GitHub Actions best practices, see the GitHub Actions documentation.