A collection of reusable GitHub Actions workflows and composite actions for building, testing, scanning, pushing and releasing containerized applications.
actions-templates is a centralized library of reusable GitHub Actions workflows
and composite actions designed to standardize CI/CD pipelines across multiple repositories.
Instead of duplicating pipeline logic in every project, consumer repositories call these templates with a few lines of YAML and get a full CI/CD pipeline with automatic semantic versioning based on Conventional Commits.
- Automatic semantic versioning — `feat:` bumps minor, `fix:` bumps patch, `feat!:` bumps major
- Docker image build with OCI labels and GitHub Actions cache
- Vulnerability scanning with Anchore and SARIF upload to GitHub Security tab
- Automatic changelog generation and GitHub releases with AI-generated summary
- Multi-container deploy support via JSON configuration
- PR title validation enforcing Conventional Commits format
- Workflow linting with actionlint and yamllint
- Language agnostic — works with Python, Go or any containerized app
- Trunk Based Development — single `main` branch, no `develop` branch needed
Copy one of the ready-to-use examples into your repository at .github/workflows/:
| Example | Description |
|---|---|
| single-container/cicd.yml | One container deployment |
| multi-container/cicd.yml | Multiple containers deployment |
For language-specific guides see the Documentation section below.
Calculates the next semantic version tag based on Conventional Commits, and exposes repository metadata as outputs for downstream jobs.
Source: .github/workflows/wf-setup.yml
| Output | Description |
|---|---|
| tag_version | Next semver tag (v1.2.3) or empty if no release needed |
| bump_type | major, minor, patch or none |
| repo_name | Repository name without org prefix |
| repo_description | Repository description from GitHub API |
| author_name | Name of the commit author |
| author_email | Email of the commit author |
| created_at | ISO timestamp of the run |
| changelog_entries | Grouped commit list since last tag |
Builds a Docker image using docker/build-push-action with OCI labels,
GitHub Actions layer cache, and uploads the image tar as an artifact.
Source: .github/workflows/wf-build.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Image tag |
| github_repository | ✅ | — | org/repo |
| author_name | ✅ | — | OCI label |
| author_email | ✅ | — | OCI label |
| repo_description | ❌ | '' | OCI label |
| created_at | ✅ | — | OCI label |
| dockerfile | ❌ | docker/Dockerfile | Path to Dockerfile |
| platform | ❌ | linux/amd64 | Target platform |
Runs tests inside the built Docker image. Supports flake8, pytest and custom commands.
Source: .github/workflows/wf-tests.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Image tag |
| github_repository | ✅ | — | org/repo |
| flake8_enabled | ❌ | false | Enable flake8 linting |
| pytest_enabled | ❌ | false | Enable pytest |
| test_command | ❌ | '' | Custom test command |
Scans the Docker image with Anchore, uploads SARIF to the GitHub Security tab, and generates a detailed summary.
Source: .github/workflows/wf-scan.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Image tag |
| github_repository | ✅ | — | org/repo |
| fail_on_critical | ❌ | true | Fail build on critical CVEs |
| severity_cutoff | ❌ | critical | Minimum severity to report |
| only_fixed | ❌ | true | Only report CVEs with a fix |
Pushes the image to GitHub Container Registry (ghcr.io) with the semver tag and latest.
Source: .github/workflows/wf-push.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Image tag |
| github_repository | ✅ | — | org/repo |
Updates CHANGELOG.md, commits it, creates a git tag and a GitHub release
with an AI-generated summary and a grouped commit changelog.
Source: .github/workflows/wf-release.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Release tag |
| bump_type | ✅ | — | major, minor or patch |
| github_repository | ✅ | — | org/repo |
| changelog_entries | ✅ | — | Formatted commit list |
Deploys one or more Docker containers on the runner host from a JSON configuration array.
Source: .github/workflows/wf-deploy.yml
| Input | Required | Default | Description |
|---|---|---|---|
| tag_version | ✅ | — | Image tag |
| github_repository | ✅ | — | org/repo |
| containers | ✅ | — | JSON array of container configs |
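How a deploy job can validate one entry of the `containers` array (schema listed below) and turn it into a `docker run` argument list. This is an added illustration, not wf-deploy's own script: the required keys, the accepted memory units, the identifier rule for env var names and the rule that the reservation must not exceed the limit are assumptions, and healthcheck_url and extra_networks are left to post-start steps.

```python
import json
import re

# Constructed sample entry in the wf-deploy container schema (illustrative values only)
SAMPLE_CONFIG = json.dumps([{
    "name": "my-app", "image": "ghcr.io/org/repo:v1.0.0", "network": "proxy",
    "ports": ["8080:80"], "volumes": ["/data:/app/data"], "restart_policy": "always",
    "healthcheck_url": "http://localhost:8080/health", "extra_networks": ["internal-network"],
    "memory_limit": "512m", "memory_reservation": "256m", "env_vars": {"ENV_VAR": "value"},
}])

PORT_RE = re.compile(r"^\d{1,5}:\d{1,5}$")        # host:container
MEM_RE = re.compile(r"^(\d+)([kmg])$")            # 256m, 1g, ... (assumed units)
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # one well-formed KEY per -e flag
UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
SINGLE = (("network", "--network"), ("memory_limit", "--memory"),
          ("memory_reservation", "--memory-reservation"), ("restart_policy", "--restart"))
REPEATED = (("ports", "-p"), ("volumes", "-v"))

def mem_bytes(value: str) -> int:
    m = MEM_RE.match(value)
    if m is None:
        raise ValueError(f"bad memory value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def validate(c: dict) -> None:  # assumed rules, not the workflow's own
    if not (c.get("name") and c.get("image")):
        raise ValueError("name and image are required")
    if not all(PORT_RE.match(p) for p in c.get("ports", [])):
        raise ValueError("ports must be numeric host:container pairs")
    if not all(ENV_RE.match(k) for k in c.get("env_vars", {})):
        raise ValueError("env var names must be identifiers")
    if "memory_limit" in c and "memory_reservation" in c \
            and mem_bytes(c["memory_reservation"]) > mem_bytes(c["memory_limit"]):
        raise ValueError("memory_reservation exceeds memory_limit")

def docker_run_args(c: dict) -> list:  # argv as a list, never a shell string
    validate(c)
    args = ["docker", "run", "-d", "--name", c["name"]]
    for key, flag in SINGLE:
        if key in c:
            args += [flag, c[key]]
    for key, flag in REPEATED:
        for item in c.get(key, []):
            args += [flag, item]
    for k, v in c.get("env_vars", {}).items():
        args += ["-e", f"{k}={v}"]
    return args + [c["image"]]

def plan(config_json: str) -> list:  # one argv per entry of the containers array
    return [docker_run_args(c) for c in json.loads(config_json)]
```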
Container configuration schema:

```json
[
  {
    "name": "my-app",
    "image": "ghcr.io/org/repo:v1.0.0",
    "network": "proxy",
    "ports": ["8080:80"],
    "volumes": ["/data:/app/data"],
    "healthcheck_url": "http://localhost:8080/health",
    "memory_limit": "512m",
    "memory_reservation": "256m",
    "restart_policy": "always",
    "env_vars": {
      "ENV_VAR": "value"
    },
    "extra_networks": ["internal-network"]
  }
]
```

Runs actionlint and yamllint against the repository workflows.
Source: .github/workflows/wf-lint.yml
| Input | Required | Default | Description |
|---|---|---|---|
| actionlint_paths | ❌ | .github/workflows/ | Paths for actionlint |
| yamllint_paths | ❌ | .github/workflows/ | Paths for yamllint |
| yamllint_max_line_length | ❌ | 180 | Max line length |
Validates that the PR title follows the Conventional Commits format.
| Input | Required | Default | Description |
|---|---|---|---|
| allowed_types | ❌ | feat\|fix\|docs\|chore\|... | Pipe-separated allowed types |
| max_title_length | ❌ | 100 | Max description length |
Analyzes all commits since the last tag and determines the next semver bump following Conventional Commits specification.
Source: actions/calculate-tag/action.yml
| Bump | Trigger |
|---|---|
| major | feat!: or BREAKING CHANGE: footer |
| minor | feat: |
| patch | fix:, perf:, refactor: |
| none | chore:, docs:, ci:, test:, style: |
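The bump rules above, as an added Python illustration that is not the calculate-tag action's own code: it classifies each commit since the last tag and derives the bump_type and tag_version values that wf-setup exposes. As in the Conventional Commits spec, a `!` after any type (not only `feat`) is treated as breaking, and a repository with no tag yet is assumed to start from v0.0.0.

```python
import re

# Subject line shape from Conventional Commits: type(scope)!: description
SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(\([^)]*\))?(?P<bang>!)?:\s")
BREAKING_RE = re.compile(r"^BREAKING[ -]CHANGE:", re.MULTILINE)  # footer line

# Bump table from the README: feat -> minor; fix/perf/refactor -> patch;
# "!" after the type or a BREAKING CHANGE footer -> major; everything else -> none.
PATCH_TYPES = {"fix", "perf", "refactor"}
BUMP_RANK = {"none": 0, "patch": 1, "minor": 2, "major": 3}


def bump_for_commit(message: str) -> str:
    """Classify one full commit message (subject, blank line, body/footers)."""
    subject, _, body = message.partition("\n")
    m = SUBJECT_RE.match(subject)
    if m is None:
        return "none"  # not a Conventional Commit: contributes nothing to the version
    if m.group("bang") or BREAKING_RE.search(body):
        return "major"
    if m.group("type") == "feat":
        return "minor"
    if m.group("type") in PATCH_TYPES:
        return "patch"
    return "none"  # chore, docs, ci, test, style, ...


def next_tag(last_tag: str, bump: str) -> str:
    """Apply a bump to a vMAJOR.MINOR.PATCH tag; empty string means no release."""
    if bump == "none":
        return ""
    major, minor, patch = (int(x) for x in last_tag.lstrip("v").split("."))
    if bump == "major":
        return f"v{major + 1}.0.0"
    if bump == "minor":
        return f"v{major}.{minor + 1}.0"
    return f"v{major}.{minor}.{patch + 1}"


def compute_release(last_tag: str, messages: list) -> tuple:
    """Return (bump_type, tag_version) for the commits since last_tag, like wf-setup's
    outputs. An empty last_tag is assumed to mean v0.0.0 (no tag in the repository yet)."""
    bump = max((bump_for_commit(msg) for msg in messages),
               key=BUMP_RANK.__getitem__, default="none")
    return bump, next_tag(last_tag or "v0.0.0", bump)
```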
Detailed usage guides per language:
Ready-to-use examples:
Contributions are welcome! Please read CONTRIBUTING.md first.