diff --git a/README.md b/README.md index 9be5b1f..7ed11b8 100644 --- a/README.md +++ b/README.md 
@@ -22,33 +22,36 @@ Reusable GitHub Actions workflows that support OpenTofu/Terraform module automat -# GitHub Actions - Reusable Workflows +# Available GitHub Actions Workflows -This repository contains reusable GitHub Actions workflows for CI/CD, security scanning, documentation generation, and release management. +This repository provides reusable GitHub Actions workflows for CI/CD, security scanning, documentation generation, and release management. -## Summary +## Summary Table | Workflow | Category | Description | |----------|----------|-------------| -| [branch-validation](#branch-validation) | 🔍 CI & Validation | Validates branch names against conventional commit patterns | -| [Changelog and Release](#changelog-and-release) | 📦 Release & Changelog | Automated semantic versioning, changelog generation, and GitHub releases for monorepos | -| [conventional-commit](#conventional-commit) | 🔍 CI & Validation | Validates commit messages follow conventional commit format | -| [Docker Build and Push to ECR](#docker-build-and-push-to-ecr) | 🚀 Build & Deploy | Multi-architecture Docker builds with automatic ECR push | -| [Docker Security Scan](#docker-security-scan) | 🔒 Security | Scans Docker images for vulnerabilities using Trivy | -| [ECR Security Scan](#ecr-security-scan) | 🔒 Security | Scheduled security scans of ECR images with Slack alerts | -| [PR Checks - Docker Build](#pr-checks---docker-build) | 🔍 CI & Validation | Validates Docker builds in pull requests | -| [PR Checks - Go](#pr-checks---go) | 🔍 CI & Validation | Runs Go linting and tests | -| [PR Checks - Node (npm)](#pr-checks---node-npm) | 🔍 CI & Validation | Runs npm linting and tests | -| [PR Checks - Node Build (pnpm)](#pr-checks---node-build-pnpm) | 🔍 CI & Validation | Validates Node.js builds using pnpm | -| [PR Checks - Node (pnpm)](#pr-checks---node-pnpm) | 🔍 CI & Validation | Runs pnpm linting and tests | -| [tofu-pre-release](#tofu-pre-release) | 📦 Release & Changelog | Posts changelog preview 
comments on PRs | -| [readme-ai-generator-v2](#readme-ai-generator-v2) | 📚 Documentation | AI-powered README generation for code projects | -| [tofu-release](#tofu-release) | 📦 Release & Changelog | Automated releases for Terraform modules with README version updates | -| [tofu-docs](#tofu-docs) | 📚 Documentation | Automated Terraform documentation generation | -| [tfsec-security-scan](#tfsec-security-scan) | 🔒 Security | Security scanning for Terraform code with SARIF upload | -| [tofu-lint](#tofu-lint) | 🔍 CI & Validation | Formats and validates OpenTofu/Terraform code | -| [tofu-test](#tofu-test) | 🔍 CI & Validation | Runs OpenTofu tests across multiple modules | -| [update-readme-actions](#update-readme-actions) | 📚 Documentation | Automatically updates repository README with workflow documentation | +| [branch-validation](#branch-validation) | 🔍 CI & Validation | Validates branch names against conventional commit type patterns | +| [conventional-commit](#conventional-commit) | 🔍 CI & Validation | Enforces conventional commit message format on all commits | +| [shellcheck](#shellcheck) | 🔍 CI & Validation | Static analysis of shell scripts for common errors and best practices | +| [docker-security-scan](#docker-security-scan) | 🔒 Security | Scans Docker images for vulnerabilities using Trivy | +| [ecr-security-scan](#ecr-security-scan) | 🔒 Security | Scans ECR images for vulnerabilities and alerts via Slack | +| [tfsec-security-scan](#tfsec-security-scan) | 🔒 Security | Security scanner for Terraform/OpenTofu with SARIF upload | +| [Docker Build and Push to ECR](#docker-build-and-push-to-ecr) | 🚀 Build & Deploy | Builds multi-arch Docker images and pushes to Amazon ECR Public | +| [Docker Build and Push to ECR (Nullplatform)](#docker-build-and-push-to-ecr-nullplatform) | 🚀 Build & Deploy | Integrates Docker builds with Nullplatform build lifecycle | +| [PR Checks - Docker Build](#pr-checks---docker-build) | 🚀 Build & Deploy | Validates Docker builds work 
correctly in pull requests | +| [PR Checks - Go](#pr-checks---go) | 🚀 Build & Deploy | Runs linting and tests for Go projects | +| [PR Checks - Node (npm)](#pr-checks---node-npm) | 🚀 Build & Deploy | Runs linting and tests for Node.js projects using npm | +| [PR Checks - Node (pnpm)](#pr-checks---node-pnpm) | 🚀 Build & Deploy | Runs linting and tests for Node.js projects using pnpm | +| [PR Checks - Node Build (pnpm)](#pr-checks---node-build-pnpm) | 🚀 Build & Deploy | Validates build process for Node.js projects using pnpm | +| [PR Checks - Terraform](#pr-checks---terraform) | 🚀 Build & Deploy | Comprehensive Terraform validation including linting, security, and testing | +| [tofu-lint](#tofu-lint) | 🚀 Build & Deploy | Validates OpenTofu/Terraform formatting and configuration | +| [tofu-test](#tofu-test) | 🚀 Build & Deploy | Runs OpenTofu test suites for infrastructure modules | +| [Changelog and Release](#changelog-and-release) | 📦 Release & Changelog | Automated version bumping and changelog generation | +| [tofu-release](#tofu-release) | 📦 Release & Changelog | Creates releases for Terraform modules with version updates | +| [tofu-pre-release](#tofu-pre-release) | 📦 Release & Changelog | Previews changelog in pull requests before release | +| [readme-ai-generator-v2](#readme-ai-generator-v2) | 📚 Documentation | AI-powered README generation for projects | +| [tofu-docs](#tofu-docs) | 📚 Documentation | Generates Terraform module documentation | +| [update-readme-actions](#update-readme-actions) | 📚 Documentation | Automatically updates this README with workflow documentation | --- 
@@ -56,7 +59,7 @@ This repository contains reusable GitHub Actions workflows for CI/CD, security s ### branch-validation -Enforces consistent branch naming conventions for pull requests. Validates that branch names follow the pattern `type/description` where type can be feat, fix, docs, style, refactor, perf, test, build, ci, chore, or revert. Use this workflow to maintain clean git history and enable automated changelog generation. +Validates pull request branch names follow conventional commit type patterns (feat/, fix/, docs/, etc.). Use this in pull request workflows to enforce branch naming conventions before allowing merges. **Inputs** 
@@ -64,317 +67,321 @@ Enforces consistent branch naming conventions for pull requests. Validates that |------|-------------|----------|---------| | pattern | Regex pattern for branch name validation | No | `^(feat\|feature\|fix\|docs\|style\|refactor\|perf\|test\|build\|ci\|chore\|revert)/.+$` | +**Secrets required** +- None + **Usage** ```yaml uses: nullplatform/actions-nullplatform/.github/workflows/branch-validation.yml@main +with: + pattern: '^(feat|fix|docs|refactor)/.+$' ``` ### conventional-commit -Validates that all commit messages in a pull request follow the Conventional Commits specification. Ensures commits start with a valid type (feat, fix, docs, etc.) and enforces proper formatting. Essential for projects using automated changelog generation and semantic versioning. - -**Usage** - -```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/conventional-commit.yml@main -``` - -### PR Checks - Docker Build - -Validates that Docker images build successfully in pull requests without pushing to any registry. Useful for catching build errors early and ensuring Dockerfiles remain valid. Supports private GitHub packages through automatic token injection. +Enforces conventional commit message format across all commits in pull requests. Validates commit messages follow the pattern `type(scope): description` where type is one of feat, fix, docs, etc. Use this to maintain consistent commit history and enable automated changelog generation. 
**Inputs** +- None -| Name | Description | Required | Default | -|------|-------------|----------|---------| -| context | Docker build context path | No | `.` | -| dockerfile | Path to the Dockerfile | No | `Dockerfile` | +**Secrets required** +- None **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-docker.yml@main -with: - context: ./app - dockerfile: Dockerfile +uses: nullplatform/actions-nullplatform/.github/workflows/conventional-commit.yml@main ``` -### PR Checks - Go +### shellcheck -Runs Go linting with `go vet` and executes all tests. Automatically detects Go version from go.mod or allows explicit version override. Use this workflow to ensure Go code quality and test coverage before merging. +Performs static analysis on shell scripts to catch syntax errors, deprecated commands, and common mistakes. Scans either specified files/directories or all `.sh` files in the repository. Use this to maintain high-quality shell scripts and prevent runtime errors. **Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| working-directory | Working directory for go commands | No | `.` | -| go-version | Go version (overrides go.mod if set) | No | `` | +| script_dirs | Space-separated dirs/files to scan. When empty, finds *.sh recursively | No | '' | +| severity | Minimum severity (error, warning, info, style) | No | error | + +**Secrets required** +- None **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-go.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/shellcheck.yml@main with: - working-directory: ./service - go-version: '1.21' + script_dirs: 'scripts/ tools/' + severity: 'warning' ``` -### PR Checks - Node (npm) +--- -Runs npm-based linting and tests for Node.js projects. Automatically detects Node version from .node-version file and uses npm ci for reproducible builds. 
Intelligently runs either lint or test:static script based on what's available in package.json. +## 🔒 Security + +### docker-security-scan + +Scans Docker images for security vulnerabilities using Trivy before deployment. Builds the image locally and checks for known CVEs with configurable severity thresholds. Use this in CI pipelines to prevent deploying vulnerable containers. **Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| working-directory | Working directory for npm commands | No | `.` | -| node-version | Node.js version (overrides .node-version file if set) | No | `` | +| context | Build context directory | Yes | - | +| dockerfile | Path to Dockerfile relative to context | No | Dockerfile | +| image_name | Name for the scanned image (used for reporting) | Yes | - | +| severity | Minimum severity to report (CRITICAL,HIGH,MEDIUM,LOW) | No | CRITICAL,HIGH | +| build_args | Docker build arguments (multiline, one per line: KEY=VALUE) | No | '' | +| exit_code | Exit code when vulnerabilities are found (0 to not fail) | No | 1 | + +**Secrets required** +- None **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-node-npm.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/docker-security-scan.yml@main with: - working-directory: ./frontend + context: . + dockerfile: Dockerfile + image_name: my-app + severity: 'CRITICAL,HIGH,MEDIUM' + build_args: | + NODE_VERSION=20 + BUILD_ENV=production ``` -### PR Checks - Node Build (pnpm) +### ecr-security-scan -Validates that Node.js projects build successfully using pnpm. Ideal for TypeScript projects or any codebase requiring a compilation step. Uses pnpm's efficient disk space usage and faster install times compared to npm. +Scans published ECR images for vulnerabilities on a schedule or manually. 
Finds the latest semver tag for each specified image, scans for critical/high vulnerabilities, and sends Slack alerts if issues are found. Use this for continuous security monitoring of production images. **Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| working-directory | Working directory for pnpm commands | No | `.` | -| node-version | Node.js version (overrides .node-version file if set) | No | `` | +| image_names | JSON array of image names to scan (e.g., ["k8s-logs-controller", "k8s-traffic-manager"]) | Yes | - | +| ecr_registry | ECR registry URL | No | public.ecr.aws/nullplatform | +| severity | Minimum severity to report (CRITICAL,HIGH,MEDIUM,LOW) | No | CRITICAL,HIGH | + +**Secrets required** +- `aws_role_arn`: AWS IAM Role ARN for OIDC authentication +- `slack_webhook_url`: Slack webhook URL for vulnerability alerts **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-node-pnpm-build.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/ecr-security-scan.yml@main with: - working-directory: ./packages/app + image_names: '["my-app", "my-worker"]' + ecr_registry: 'public.ecr.aws/myorg' + severity: 'CRITICAL,HIGH' +secrets: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} ``` -### PR Checks - Node (pnpm) +### tfsec-security-scan -Runs pnpm-based linting and tests for Node.js monorepos or projects. Supports both lint and test:static scripts, automatically choosing the first available. Perfect for repositories using pnpm workspaces. +Security scanner for Terraform/OpenTofu code that detects misconfigurations and security issues. Generates SARIF reports for GitHub Security tab and posts PR comments on failures. Use this to enforce security best practices in infrastructure code. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| working-directory | Working directory for pnpm commands | No | `.` | -| node-version | Node.js version (overrides .node-version file if set) | No | `` | +| minimum_severity | Minimum severity level to report (CRITICAL, HIGH, MEDIUM, LOW) | No | HIGH | +| upload_sarif | Upload SARIF results to GitHub Security tab | No | true | +| post_comment | Post comment on PR if scan fails | No | true | + +**Secrets required** +- None (uses `GITHUB_TOKEN` automatically) **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-node-pnpm.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/tfsec.yml@main with: - working-directory: ./apps/web - node-version: '20' + minimum_severity: 'MEDIUM' + upload_sarif: true + post_comment: true +permissions: + contents: read + pull-requests: write + security-events: write ``` -### tofu-lint - -Validates OpenTofu/Terraform code formatting and syntax. Runs `tofu fmt -check` to ensure consistent formatting and `tofu validate` to catch configuration errors. Essential for maintaining Infrastructure as Code quality standards. - -**Usage** +--- -```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/tofu-lint.yml@main -``` +## 🚀 Build & Deploy -### tofu-test +### Docker Build and Push to ECR -Executes OpenTofu tests across multiple modules in parallel. Ideal for monorepo setups with multiple Terraform modules that need independent validation. Uses matrix strategy for efficient parallel execution. +Builds multi-architecture Docker images and pushes them to Amazon ECR Public. Supports custom build arguments, multiple platforms (amd64/arm64), and uses GitHub Actions cache for faster builds. Use this to publish production-ready container images. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| modules | JSON array of module paths to test | Yes | - | -| tofu_version | OpenTofu version to use | No | `1.10.6` | +| image_name | Name of the Docker image (e.g., k8s-logs-controller) | Yes | - | +| context | Build context directory | Yes | - | +| dockerfile | Path to Dockerfile relative to context | No | Dockerfile | +| platforms | Target platforms for multi-arch build | No | linux/amd64,linux/arm64 | +| ecr_registry | ECR registry URL | No | public.ecr.aws/nullplatform | +| tag | Additional tag for the image (latest and sha are always added) | No | '' | +| aws_region | AWS region for ECR | No | us-east-1 | +| build_args | Docker build arguments (newline-separated) | No | '' | + +**Secrets required** +- `aws_role_arn`: AWS IAM Role ARN for OIDC authentication **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/tofu-test.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/docker-build-push-ecr.yml@main with: - modules: '["modules/networking", "modules/compute"]' - tofu_version: '1.10.6' + image_name: my-app + context: . + dockerfile: Dockerfile + tag: v1.2.3 + platforms: 'linux/amd64,linux/arm64' + build_args: | + NODE_VERSION=20 + BUILD_ENV=production +secrets: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} ``` ---- - -## 🔒 Security - -### Docker Security Scan +### Docker Build and Push to ECR (Nullplatform) -Scans Docker images for security vulnerabilities using Trivy before deployment. Builds the image locally and analyzes it for CRITICAL and HIGH severity issues. Configure to fail builds on vulnerabilities or just report findings for awareness. +Integrates Docker image builds with Nullplatform's build lifecycle management. Uses your project's Makefile for building and pushing, automatically tracking build status in Nullplatform. Use this when deploying applications managed by Nullplatform. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| context | Build context directory | Yes | - | -| dockerfile | Path to Dockerfile relative to context | No | `Dockerfile` | -| image_name | Name for the scanned image (used for reporting) | Yes | - | -| severity | Minimum severity to report (CRITICAL,HIGH,MEDIUM,LOW) | No | `CRITICAL,HIGH` | -| build_args | Docker build arguments (multiline, one per line: KEY=VALUE) | No | `` | -| exit_code | Exit code when vulnerabilities are found (0 to not fail) | No | `1` | +| platforms | Target platforms for multi-arch build (passed as DOCKER_PLATFORMS env var to make) | No | linux/amd64,linux/arm64 | + +**Secrets required** +- `nullplatform_api_key`: Nullplatform API key for CLI authentication **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/docker-security-scan.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/docker-build-push-np-ecr.yml@main with: - context: ./app - dockerfile: Dockerfile - image_name: my-application - severity: CRITICAL,HIGH - exit_code: 1 + platforms: 'linux/amd64,linux/arm64' +secrets: + nullplatform_api_key: ${{ secrets.NULLPLATFORM_API_KEY }} ``` -### ECR Security Scan +### PR Checks - Docker Build -Scheduled security scanning of images in Amazon ECR Public registry. Automatically finds the latest semver tag for each image, scans for vulnerabilities, and sends Slack alerts when CRITICAL or HIGH issues are detected. Ideal for continuous monitoring of production images. +Validates that Docker images build successfully in pull requests. Supports both legacy `--build-arg` and modern BuildKit `--secret` for passing the GitHub token to private dependency installation. Use this to catch Docker build issues before merging. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| image_names | JSON array of image names to scan | Yes | - | -| ecr_registry | ECR registry URL | No | `public.ecr.aws/nullplatform` | -| severity | Minimum severity to report (CRITICAL,HIGH,MEDIUM,LOW) | No | `CRITICAL,HIGH` | +| context | Docker build context path | No | . | +| dockerfile | Path to the Dockerfile | No | Dockerfile | +| use_buildkit_secret | Use BuildKit --secret for GITHUB_TOKEN instead of --build-arg | No | false | **Secrets required** -- `aws_role_arn` - AWS IAM Role ARN for OIDC authentication -- `slack_webhook_url` - Slack webhook URL for vulnerability alerts +- None (uses `GITHUB_TOKEN` automatically, or `CI_TOKEN` if available) **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/ecr-security-scan.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-docker.yml@main with: - image_names: '["k8s-logs-controller", "k8s-traffic-manager"]' - severity: CRITICAL,HIGH -secrets: - aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} + context: . + dockerfile: Dockerfile + use_buildkit_secret: true ``` -### tfsec-security-scan +### PR Checks - Go -Security scanning for Terraform/OpenTofu code using tfsec. Detects security misconfigurations, compliance violations, and best practice issues. Uploads results to GitHub Security tab and posts PR comments when issues are found. Configure minimum severity threshold based on your security requirements. +Runs linting and tests for Go projects in pull requests. Automatically detects Go version from `go.mod` or uses a specified version. Use this to validate Go code changes before merging. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| minimum_severity | Minimum severity level to report (CRITICAL, HIGH, MEDIUM, LOW) | No | `HIGH` | -| upload_sarif | Upload SARIF results to GitHub Security tab | No | `true` | -| post_comment | Post comment on PR if scan fails | No | `true` | +| working-directory | Working directory for go commands | No | . | +| go-version | Go version (overrides go.mod if set) | No | '' | + +**Secrets required** +- None **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/tfsec.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-go.yml@main with: - minimum_severity: HIGH - upload_sarif: true - post_comment: true + working-directory: ./services/api + go-version: '1.21' ``` ---- - -## 🚀 Build & Deploy - -### Docker Build and Push to ECR +### PR Checks - Node (npm) -Multi-platform Docker image builds with automatic push to Amazon ECR Public. Supports linux/amd64 and linux/arm64 architectures, custom build arguments, and efficient layer caching. Uses AWS OIDC for secure authentication without long-lived credentials. +Runs linting and tests for Node.js projects using npm. Automatically detects Node version from `.node-version` file and runs the first available linting command (test:static or lint). Use this for npm-based projects. 
**Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| image_name | Name of the Docker image | Yes | - | -| context | Build context directory | Yes | - | -| dockerfile | Path to Dockerfile relative to context | No | `Dockerfile` | -| platforms | Target platforms for multi-arch build | No | `linux/amd64,linux/arm64` | -| ecr_registry | ECR registry URL | No | `public.ecr.aws/nullplatform` | -| tag | Additional tag for the image (latest and sha are always added) | No | `` | -| aws_region | AWS region for ECR | No | `us-east-1` | -| build_args | Docker build arguments (newline-separated) | No | `` | +| working-directory | Working directory for npm commands | No | . | +| node-version | Node.js version (overrides .node-version file if set) | No | '' | **Secrets required** -- `aws_role_arn` - AWS IAM Role ARN for OIDC authentication +- None (uses `GITHUB_TOKEN` or `CI_TOKEN` for private packages) **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/docker-build-push-ecr.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-node-npm.yml@main with: - image_name: my-app - context: . - dockerfile: Dockerfile - tag: v1.0.0 - platforms: linux/amd64,linux/arm64 -secrets: - aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + working-directory: ./frontend + node-version: '20' ``` ---- - -## 📦 Release & Changelog - -### Changelog and Release +### PR Checks - Node (pnpm) -Intelligent semantic versioning and changelog generation for monorepos and single projects. Analyzes conventional commits to determine version bumps (major, minor, patch), updates version files (Chart.yaml, package.json, VERSION), generates detailed changelogs with commit links, and creates GitHub releases. Supports Helm charts, npm packages, and generic projects. +Runs linting and tests for Node.js projects using pnpm. Supports pnpm workspaces and monorepos, with automatic Node version detection. 
Use this for pnpm-based projects. **Inputs** | Name | Description | Required | Default | |------|-------------|----------|---------| -| project-type | Type of project: helm-charts, npm, generic | No | `generic` | -| source-dir | Directory containing packages/charts (use . for root) | No | `.` | -| version-file | Version file name (Chart.yaml, package.json, VERSION). Auto-detected if not specified. | No | `` | -| tag-prefix | Prefix for git tags (e.g., "v" for v1.0.0). Use empty for no prefix. | No | `` | -| create-github-release | Create a GitHub Release | No | `true` | -| commit-message | Commit message for version bump | No | `chore(release): bump version and update changelog [skip ci]` | - -**Outputs** -- `has_changes` - Whether there were changes to release -- `new_version` - The new version number -- `changelog` - The generated changelog content +| working-directory | Working directory for pnpm commands | No | . | +| node-version | Node.js version (overrides .node-version file if set) | No | '' | + +**Secrets required** +- None (uses `GITHUB_TOKEN` or `CI_TOKEN` for private packages) **Usage** ```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/changelog-release.yml@main +uses: nullplatform/actions-nullplatform/.github/workflows/pr-checks-node-pnpm.yml@main with: - project-type: helm-charts - source-dir: charts - tag-prefix: v - create-github-release: true + working-directory: ./packages/core + node-version: '20' ``` -### tofu-pre-release - -Posts an automated changelog preview as a comment on pull requests using semantic-release. Shows what changes will be included in the next release based on conventional commits. Helps reviewers understand the impact of merging a PR. +### PR Checks - Node Build (pnpm) -**Usage** +Validates that Node.js projects build successfully using pnpm. Only runs the build step without tests, useful for checking build artifacts. Use this to ensure production builds work before merging. 
-```yaml -uses: nullplatform/actions-nullplatform/.github/workflows/pre-release.yml@main -``` +**Inputs** -### tofu-release +| Name | Description | Required | Default | +|------|-------------|----------|---------| +| working-directory | Working directory for pnpm commands | No | . | +| node-version | Node.js version (overrides .node-version file if set) | No | '' | -Automated release management for Terraform modules using Google's Release Please. Creates release PRs that bump versions, generates changelogs, and optionally updates all README.md +**Secrets required** +- None (uses `GITHUB_TOKEN
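Review bot: In the summary-table hunk, the new row `[PR Checks - Terraform](#pr-checks---terraform)` links to a heading that does not appear anywhere in this diff; if the section lives further down the file it should show up in a later hunk, otherwise the link dangles, so please confirm before merging. The same hunk moves PR Checks - Docker Build, PR Checks - Go, the three Node checks, tofu-lint and tofu-test from 🔍 CI & Validation to 🚀 Build & Deploy; that matches the reordered sections below, but it leaves CI & Validation with only branch-validation, conventional-commit and shellcheck, so it is worth a sentence in the PR description saying the regrouping is intentional.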
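Review bot: The rewritten branch-validation description loses information the old one carried: the old text spelled out the accepted types (feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert) and the `type/description` shape, while the new `(feat/, fix/, docs/, etc.)` leaves a reader guessing whether `feature/` or `hotfix/` passes. The default `pattern` in the inputs table is still the source of truth (`^(feat|feature|fix|docs|style|refactor|perf|test|build|ci|chore|revert)/.+$`, which also accepts `feature`, something even the old prose omitted), so either restore the full list or tell the reader to read the default pattern for the exact set.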
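Review bot: In the PR Checks - Docker Build section, `use_buildkit_secret` defaults to `false`, so the GitHub token is passed with `--build-arg` unless the caller opts in; build arguments are recorded in the image's layer history, so a token passed that way can be read back from any image produced by that build, and the docs should say that plainly and recommend `use_buildkit_secret: true` (or the default should flip, with the `--build-arg` path kept only for callers that need it). In the same hunk, `Docker Build and Push to ECR` and `ecr-security-scan` both document `aws_role_arn` as "AWS IAM Role ARN for OIDC authentication" yet their usage snippets carry no `permissions:` block, while the tfsec snippet now shows `contents: read`, `pull-requests: write` and `security-events: write`; an OIDC token request needs `id-token: write` on the caller, so document it the same way for the two ECR workflows. Smaller points: "uses `GITHUB_TOKEN` automatically, or `CI_TOKEN` if available" should say where `CI_TOKEN` is read from and which scopes it needs, since a broader token silently replacing the default one is exactly what a reader of "Secrets required: None" would not expect; and the Default column now mixes `''`, bare values like `Dockerfile`, and the backticked style the untouched `pattern` row still uses, so pick one convention.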