Reusable CI/CD workflows and scripts. Implements best Open Source workflows, compliance, security best practices, automated releases, and quality checks.
Getting Started:
- Workflow Guide - Workflow architecture and patterns
- Artifacts Reference - `artifacts.yml` documentation with examples
Customizing:
- Publishing Guide - Maven Central, NPM, and registry setup
- Components Reference - Individual workflow components
Advanced:
- Reference Guide - Permissions, secrets, and validation matrices
- Artifact Verification - Security and verification
- Scripts Reference - Validation scripts
There are two main workflow chains (and a dev-release flow):
- The Pull Request Chain - Runs on PR and push
  - Linting and code quality checks
  - Security scanning
  - License compliance
  - Build verification
  - Optional testing (project-specific)
- Release Chain - Runs when you create and push a version tag
  - Version validation (including tag requirements)
  - Artifact building and publishing
  - Container image creation
  - Security features (SBOM, signing, attestation)
  - Changelog generation
  - GitHub release creation
  - Dependency caching between jobs
  - Enhanced build summaries
The workflows handle multi-platform container builds, security scanning and attestation, artifact signing and checksums, version management, and changelog generation.
Most components are configurable.
Most projects require two or three files:
- `.github/workflows/pullrequest-workflow.yml` - For PR checks
- `.github/workflows/release-workflow.yml` - For production releases
- `.github/workflows/release-workflow-dev.yml` - (Optional) For dev/feature branch releases
- Push code → PR workflow runs checks
- Create version tag → Release workflow builds and publishes
- Workflow failures → Detailed error messages
Calling the release orchestrator (job-level excerpt):

```yaml
uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@main
with:
  artifacts-config: .github/artifacts.yml
  release-publisher: github-cli
```

Composing individual component workflows instead of the orchestrator:

```yaml
jobs:
  build-maven:
    uses: diggsweden/reusable-ci/.github/workflows/build-maven.yml@main
    with:
      build-type: app
      java-version: "21"

  publish-github:
    needs: build-maven
    uses: diggsweden/reusable-ci/.github/workflows/publish-maven-github.yml@main
    with:
      package-type: maven
      artifact-source: maven-build-artifacts

  build-container:
    needs: build-maven
    uses: diggsweden/reusable-ci/.github/workflows/publish-container.yml@main
    with:
      container-file: Containerfile
      artifact-source: maven-build-artifacts
```

- Create artifacts configuration - Define what to build:

```yaml
# .github/artifacts.yml
artifacts:
  - name: my-app
    project-type: maven        # or npm, gradle, gradle-android, xcode-ios
    working-directory: .
    config:
      java-version: 21         # or node-version for npm, xcode-version for xcode-ios
```
- Create pull request workflow - Run checks on PRs:

```yaml
# .github/workflows/pullrequest-workflow.yml
name: Pull Request Checks

on:
  pull_request:
    branches: [main, master, develop]

permissions:
  contents: read

jobs:
  pr-checks:
    uses: diggsweden/reusable-ci/.github/workflows/pullrequest-orchestrator.yml@main
    permissions:
      contents: read
      packages: read
      security-events: write
    secrets: inherit
    with:
      project-type: maven   # or npm, gradle, gradle-android, xcode-ios
      # Recommended: Use devbase-check (lightweight, just+mise-based)
      linters.devbasecheck: true
      linters.commitlint: false
      linters.licenselint: false
      linters.megalint: false
      # Optional linters:
      # linters.dependencyreview: true   # Dependency vulnerability scan
      # linters.publiccodelint: false    # publiccode.yml validation
      # linters.swiftlint: false         # Swift linting for iOS/macOS
```
- Create release workflow - Trigger builds on tags:

```yaml
# .github/workflows/release-workflow.yml
name: Release

on:
  push:
    tags: ["v[0-9]+.[0-9]+.[0-9]+"]

permissions:
  contents: read

jobs:
  release:
    uses: diggsweden/reusable-ci/.github/workflows/release-orchestrator.yml@main
    permissions:
      contents: write
      packages: write
      id-token: write
      actions: read
      security-events: write
      attestations: write
    secrets: inherit
    with:
      artifacts-config: .github/artifacts.yml
```
- (Optional) Create dev release workflow - Fast dev builds:

```yaml
# .github/workflows/release-dev-workflow.yml
name: Dev Release

on:
  push:
    branches: ['dev/**', 'feat/**']

permissions:
  contents: read

jobs:
  dev-release:
    uses: diggsweden/reusable-ci/.github/workflows/release-dev-orchestrator.yml@main
    permissions:
      contents: write
      packages: write
    secrets: inherit
    with:
      project-type: maven   # or npm, gradle, gradle-android, xcode-ios
```
- Create your first release:

```bash
git tag -s v1.0.0 -m "Release v1.0.0"
git push origin v1.0.0
```
Pull Request Chain:

```text
┌─────────────────────────────────────────────────────────────────────┐
│                    Pull Request Created/Updated                     │
└────────────────────────────────┬────────────────────────────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │    Commit Lint Check    │
                    │ (conventional commits)  │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │   License Lint Check    │
                    │     (SPDX headers)      │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │    Dependency Review    │
                    │  (vulnerability scan)   │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │        MegaLint         │
                    │   (50+ code linters)    │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │     Build & Verify      │
                    │   (Maven/NPM/Gradle)    │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │   PR Checks Complete    │
                    │    ✓ Ready to merge     │
                    └─────────────────────────┘
```
Release Chain:

```text
┌─────────────────────────────────────────────────────────────────────┐
│                          Tag Push (v1.0.0)                          │
└────────────────────────────────┬────────────────────────────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │   Parse artifacts.yml   │
                    │ Validate configuration  │
                    └────────────┬────────────┘
                                 │
           ┌─────────────────────┼─────────────────────┐
           │                     │                     │
   ┌───────▼────────┐    ┌───────▼────────┐    ┌───────▼────────┐
   │  Build Maven   │    │   Build NPM    │    │  Build Gradle  │
   │   Artifact 1   │    │   Artifact 2   │    │   Artifact 3   │
   └───────┬────────┘    └───────┬────────┘    └───────┬────────┘
           │                     │                     │
           └─────────────────────┼─────────────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │  Publish to Registries  │
                    │ - GitHub Packages       │
                    │ - Maven Central         │
                    │ - npmjs.org             │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │    Build Containers     │
                    │    (from artifacts)     │
                    │ - Multi-platform        │
                    │ - SLSA + SBOM + Scan    │
                    └────────────┬────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │  Create GitHub Release  │
                    │ - Changelog             │
                    │ - Checksums             │
                    │ - Signatures            │
                    └─────────────────────────┘
```
Build Stage - Language-specific builders create artifacts:
- `build-maven` - Builds Maven projects (apps or libs)
- `build-npm` - Builds NPM projects
- `build-gradle-app` - Builds Gradle projects (JVM or Android apps)
- `build-gradle-android` - Builds Android apps with flavors/variants (APK/AAB)
- `build-xcode-ios` - Builds iOS/macOS apps (IPA)
Publish Stage - Target-specific workflows publish artifacts:
- `publish-github` - Publishes Maven/NPM/Gradle → GitHub Packages
- `publish-maven-central` - Publishes Maven libs → Maven Central
- `publish-apple-appstore` - Publishes iOS/macOS apps → TestFlight/Apple App Store
Container Stage - A separate containers section references artifacts:
- Containers are defined in the `containers[]` section
- Containers reference artifacts by name via `from: [artifact-name]`
- Containers are built after all artifact builds complete
- Multi-artifact containers are supported (combine multiple artifacts into one image)
Development builds (NOT from tags):
- Branch pushes create branch-aware tags: `0.5.9-dev-feat-feature-abc1234`
- Tags like `v1.0.0-dev` are explicitly excluded from releases
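The tag rules above (a release tag is a plain `vMAJOR.MINOR.PATCH`, suffixed tags such as `v1.0.0-dev` never enter the release chain, and `dev/**` or `feat/**` pushes get a branch-aware dev tag) as an added POSIX shell example; this is illustrative code written for this page, not the project's own validation script, and the helper names and the branch-slug rules (lowercase, non-alphanumerics collapsed to `-`) are assumptions:

```shell
#!/bin/sh
# Added example (not reusable-ci's validation script): helpers that mirror the
# README's tag rules so a workflow can decide early which chain a push enters.

# Release tags must be exactly vMAJOR.MINOR.PATCH. A suffix such as v1.0.0-dev,
# or a missing "v", fails the check and keeps the push out of the release chain.
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Dev builds are tagged <base>-dev-<branch-slug>-<short-sha>, e.g.
# 0.5.9 + feat/feature + abc1234def -> 0.5.9-dev-feat-feature-abc1234
# Slug rules are assumed: lowercase, runs of non-alphanumerics become "-",
# no leading or trailing "-". The SHA is shortened to 7 characters.
dev_tag() {
  base="$1"
  branch="$2"
  sha="$3"
  slug=$(printf '%s' "$branch" | tr 'A-Z' 'a-z' \
         | sed 's/[^a-z0-9][^a-z0-9]*/-/g; s/^-//; s/-$//')
  printf '%s-dev-%s-%s\n' "$base" "$slug" "$(printf '%s' "$sha" | cut -c1-7)"
}

# Prints which chain a pushed ref should enter: release, dev, or skip.
# Usage: classify_ref <ref>   (ref in the form GitHub exposes, e.g. refs/tags/v1.0.0)
classify_ref() {
  ref="$1"
  case "$ref" in
    refs/tags/*)
      if is_release_tag "${ref#refs/tags/}"; then echo release; else echo skip; fi
      ;;
    refs/heads/dev/*|refs/heads/feat/*)
      echo dev
      ;;
    *)
      echo skip
      ;;
  esac
}
```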
This project is licensed under the CC0-1.0 License.