Getting Started

KevinDeBenedetti/github-workflows is a library of reusable GitHub Actions workflows and composite actions. Callers stay minimal — CI steps run consistently across all your repos.

Prerequisites

• A GitHub repository
• Appropriate secrets set in your repo/org (see each workflow's docs)

How it works

Workflows are called with workflow_call and referenced from your own workflow files:

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/<name>.yml@main
    secrets: inherit

Production tip: Pin to a commit SHA instead of @main for reproducible builds.

Important: All workflow files must live at the flat root of .github/workflows/. GitHub Actions does not support reusable workflows in subdirectories.

---

Quick start by stack

Node.js

# .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-node.yml@main
    secrets: inherit

Auto-detects pnpm or bun from your lockfile. Runs lint → typecheck → test → build. → Full reference

---

Python

# .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-python.yml@main
    secrets: inherit

Uses uv and ruff. Runs lint → format check → test. → Full reference

---

Shell scripts

# .github/workflows/ci.yml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-shell.yml@main
    secrets: inherit

Runs ShellCheck → actionlint → Bats. → Full reference

---

Helm

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-helm.yml@main
    with:
      chart-paths: 'charts/*'
      run-template: true
    secrets: inherit

Runs helm lint and an optional helm template dry-run on all charts.

---

Kubernetes

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-kubernetes.yml@main
    with:
      kubeconform-paths: kubernetes/
    secrets: inherit

Validates Kubernetes manifests with kubeconform (CRDs-catalog enabled by default).

---

Terraform

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-terraform.yml@main
    with:
      tf-dir: terraform
    secrets: inherit

Runs terraform validate and terraform fmt -check -diff.

---

Ansible

jobs:
  ci:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/ci-ansible.yml@main
    with:
      ansible-dir: ansible/
      run-syntax-check: true
    secrets: inherit

Runs ansible-lint and an optional ansible-playbook --syntax-check.

---

Docker

jobs:
  deploy:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/cd-docker.yml@main
    with:
      image-name: my-app
      tag-latest: true
    secrets: inherit

Builds and pushes a multi-platform image to GHCR (ghcr.io). → Full reference

---

Kaniko (self-hosted)

jobs:
  deploy:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/cd-kaniko.yml@main
    with:
      image-name: my-app
      runner: '["self-hosted","linux","k3s","kaniko"]'
    secrets: inherit

Builds and pushes an image to GHCR using Kaniko on self-hosted runners (no Docker daemon required).

---

GitHub Pages

jobs:
  deploy:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/cd-pages.yml@main
    with:
      output-directory: dist
    secrets: inherit

→ Full reference

---

Vercel

Requires three secrets: VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID.

jobs:
  deploy:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/cd-vercel.yml@main
    with:
      environment: preview
    secrets: inherit

→ Full reference

---

Docs sync

Sync this repo's docs to a centralized docs site via repository_dispatch. Requires a GitHub App: pass its client-id and the APP_PRIVATE_KEY secret.

jobs:
  docs:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/cd-docs.yml@main
    with:
      docs-directory: docs
      client-id: ${{ vars.DOCS_APP_CLIENT_ID }}
    secrets:
      APP_PRIVATE_KEY: ${{ secrets.DOCS_APP_PRIVATE_KEY }}

→ Full reference

---

Automated releases

jobs:
  release:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/release.yml@main
    secrets: inherit

Uses release-please. Automatically moves a v<major> tag after each release. → Full reference

---

Security scanning

jobs:
  security:
    uses: KevinDeBenedetti/github-workflows/.github/workflows/security.yml@main
    secrets: inherit

Combines Gitleaks secret scanning, CodeQL SAST, and optional dependency audits. → Full reference

---

All available workflows

Workflow	Description	Doc
ci-node.yml	Node.js CI (lint → typecheck → test → build)	→
ci-python.yml	Python CI (lint → format → test)	→
ci-shell.yml	Shell CI (ShellCheck → actionlint → Bats)	→
ci-ansible.yml	Ansible CI (ansible-lint + syntax check)	→
ci-helm.yml	Helm CI (lint + template dry-run)	→
ci-kubernetes.yml	Kubernetes CI (kubeconform manifest validation)	→
ci-terraform.yml	Terraform CI (validate + fmt check)	→
cd-docker.yml	Build & push multi-platform Docker image to GHCR	→
cd-kaniko.yml	Build & push image with Kaniko on self-hosted runners	→
cd-pages.yml	Build & deploy static site to GitHub Pages	→
cd-vercel.yml	Deploy preview or production to Vercel	→
cd-docs.yml	Sync docs to a centralized docs repository	→
release.yml	Automated releases via release-please	→
security.yml	Secret scan + CodeQL SAST + dependency audit	→
check-bot-commits.yml	Guard PRs against bot-authored commits	→

---

Composite actions

Actions can be used individually inside your own workflow steps:

steps:
  - uses: KevinDeBenedetti/github-workflows/.github/actions/setup-node@main
    with:
      node-version: '20'

Action	Description
setup-node	Install Node.js + pnpm/bun with cache
setup-python	Install Python + uv with cache
shellcheck	Run ShellCheck on all .sh files
bats	Run Bats shell unit tests
detect-changes	Output a JSON matrix of changed apps in a monorepo
actionlint	Validate GitHub Actions workflow files
kubeconform	Validate Kubernetes manifests
check-docs-links	Check for broken links in docs
check-vitepress-md	Validate VitePress markdown
notify-deployment	Post a deployment status notification

---

Examples

Complete ready-to-use caller files live in examples/:

File	Stack
ci-cd-pages.yml	Node.js CI → GitHub Pages → release-please
ci-cd-vercel.yml	Node.js CI → Vercel → release-please
next.yml	Next.js
nuxt.yml	Nuxt
vue-react.yml	Vue / React (Vite)
fastapi.yml	FastAPI (Python)
monorepo.yml	Monorepo with change detection
vitepress.yml	VitePress docs site