SocioProphet/.github — estate CI/CD backbone

Org-wide reusable GitHub Actions workflows for the SocioProphet / SourceOS / socios estate. Repos call these instead of copy-pasting pipelines, so the whole estate builds, signs, and publishes the same way.

Why this exists: across ~120 active repos almost everything has CI but almost nothing ships (no standardized image build, package publish, or release automation). These workflows are the shared build → sign → publish layer.

The three lanes

| Lane | Artifact | Reusable workflow | Lands in |
|---|---|---|---|
| Specs & contracts | versioned schema bundles + clients | bundle-spec.yml | GitHub Releases (+ npm/PyPI clients) |
| End-user products | CLIs, apps, OS images | publish-pypi.yml, (release-cli — planned) | PyPI, Homebrew tap, registries |
| Cluster services | container images | build-image.yml | Artifact Registry → Argo CD → GKE |

Shared infrastructure

  • Container registry: us-central1-docker.pkg.dev/socioprophet-platform/socioprophet
  • Signing: container images → cosign (keyless, Fulcio/Rekor); files/specs → minisign + SLSA (same key family as the SourceOS image pipeline).
  • Auth: GCP Workload Identity Federation — repos pass GCP_WORKLOAD_IDENTITY_PROVIDER + GCP_SERVICE_ACCOUNT (CI SA sourceos-ci@socioprophet-platform), no long-lived keys.
  • Versioning: git tag = semver; the immutable image tag is the commit SHA (what GitOps promotes); latest tracks the default branch.

Usage

Cluster service → image (Lane C)

```yaml
# .github/workflows/image.yml in your service repo
name: image
on: { push: { branches: [main], tags: ['v*'] } }
jobs:
  image:
    # @main tracks the shared workflow's default branch; pin to a tag or
    # commit SHA if you need the caller to be immune to upstream changes.
    uses: SocioProphet/.github/.github/workflows/build-image.yml@main
    with:
      image: socioprophet-api
      dockerfile: Dockerfile
    secrets:
      gcp_wif_provider:    ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
      gcp_service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
```

The image + digest outputs feed the GitOps promotion in prophet-platform.
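Because the images are signed keylessly from inside the reusable workflow, the Fulcio certificate identity is the reusable workflow's ref, not the calling repo's. The script below is an added example (not code from this repo) of the consumer-side check: it refuses anything not pinned by digest and then runs `cosign verify` against the expected builder identity. It assumes cosign 2.x is installed and that signing happens from build-image.yml on the default branch.

```shell
#!/usr/bin/env sh
# Added example: verify a cluster-bound image reference before promotion.
# Assumptions: cosign 2.x on PATH; images are signed by build-image.yml@main.
REGISTRY="us-central1-docker.pkg.dev/socioprophet-platform/socioprophet"
BUILDER_IDENTITY="https://github.com/SocioProphet/.github/.github/workflows/build-image.yml@refs/heads/main"
GH_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# is_pinned_ref REF
# Succeeds only for <REGISTRY>/<image>@sha256:<64 lowercase hex>.
# Mutable tags (":latest", ":<sha>") are rejected: GitOps promotes digests.
is_pinned_ref() {
  case "$1" in
    "$REGISTRY"/*@sha256:*) ;;
    *) return 1 ;;
  esac
  digest=${1##*@sha256:}
  [ "${#digest}" -eq 64 ] || return 1
  # Any character outside 0-9a-f makes the stripped string non-empty.
  [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
}

# verify_image REF
# Checks the pin, then verifies the keyless signature was issued to the
# estate's reusable build workflow via GitHub's OIDC issuer.
verify_image() {
  is_pinned_ref "$1" || { echo "refusing unpinned ref: $1" >&2; return 2; }
  cosign verify \
    --certificate-oidc-issuer "$GH_OIDC_ISSUER" \
    --certificate-identity "$BUILDER_IDENTITY" \
    "$1"
}
```

Run as `verify_image "$REGISTRY/socioprophet-api@sha256:<digest>"` in the promotion step; a non-zero exit blocks the rollout.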

Python package → PyPI (Lane A/B)

```yaml
on: { push: { tags: ['v*'] } }
jobs:
  pypi:
    uses: SocioProphet/.github/.github/workflows/publish-pypi.yml@main
    with: { package-dir: . }
```

Uses PyPI trusted publishing (OIDC) — register this repo as a trusted publisher on the PyPI project once; no token needed.

Spec/contract repo → versioned bundle (Lane A)

```yaml
on: { push: { tags: ['v*'] } }
jobs:
  bundle:
    uses: SocioProphet/.github/.github/workflows/bundle-spec.yml@main
    with: { schema-dir: schemas }
    secrets:
      sign_secret_key: ${{ secrets.SOURCEOS_SIGN_SECRET_KEY }}  # optional
```

Status

  • build-image.yml, publish-pypi.yml, bundle-spec.yml — initial cut.
  • Planned: build-node.yml / publish-npm.yml, release-cli.yml (GoReleaser + Homebrew tap), and a gitops-promote.yml that opens a version-bump PR against prophet-platform's Kustomize overlays.
