AgentSkillsCN

github-actions

CI/CD and deployment: GitHub Actions workflows (develop, master, release), composite actions, Docker multi-arch publishing with SBOM/provenance information, NuGet package publishing, and security scanning (SonarCloud, CodeQL). Complete documentation of every stage of the deployment pipeline. Keywords: CI/CD, GitHub Actions, deployment, Docker, NuGet, security scanning, SonarCloud, CodeQL, release management, continuous integration, continuous deployment, skills

SKILL.md
---
name: github-actions
description: CI/CD and deployment - GitHub Actions workflows (develop, master, release), composite actions, Docker multi-arch publishing with SBOM/provenance, NuGet package publishing, and security scanning (SonarCloud, CodeQL). Complete deployment pipeline documentation. Keywords: cicd, github-actions, deployment, docker, nuget, security-scanning, sonarcloud, codeql, release-management, continuous-integration, continuous-deployment, skills
---

Deployment

This skill documents the standardized deployment workflows and practices for the DRN-Project. It covers the CI/CD pipeline strategy, GitHub Actions structure, and Docker containerization standards.

1. Workflow Strategy

The project follows a GitFlow-inspired workflow adapted for continuous delivery:

| Branch / Tag | Workflow | Purpose | Triggers |
|---|---|---|---|
| develop | develop.yml | Fast CI: Quick feedback loop. Builds and tests the code. | Push/PR to develop |
| master | master.yml | Quality Gate: Comprehensive analysis. Includes SonarCloud scans, CodeQL security analysis, and stricter gates. | Push/PR to master, Schedule (Sunday) |
| v*.*.* | release.yml | Release CD: Automated deployment. Publishes NuGet packages and Docker images to production registries. | Push of tag v* |
| v*-preview* | release-preview.yml | Preview CD: Similar to release but for pre-release versions. | Push of tag v*-preview* |
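As an added illustration (not the project's own workflow files), the trigger blocks that implement the table above, one YAML document per workflow. The `permissions` blocks are a least-privilege default added here, the cron hour is an assumption, and so is the `!v*-preview*` negation in release.yml: GitHub's `v*` glob also matches a tag such as `v1.2.3-preview1`, so without an exclusion a preview tag would start both release workflows.

```yaml
# Added example: trigger definitions for the four workflows in the table.
# One YAML document per file; file names come from the table above.

# .github/workflows/develop.yml - fast CI on the integration branch
name: develop
on:
  push:
    branches: [develop]
  pull_request:
    branches: [develop]
permissions:
  contents: read           # build and test need nothing more
---
# .github/workflows/master.yml - quality gate plus a weekly scheduled run
name: master
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 3 * * 0'    # Sunday 03:00 UTC; the hour is an assumption
permissions:
  contents: read
  security-events: write   # CodeQL needs this to upload SARIF results
---
# .github/workflows/release.yml - stable releases only
name: release
on:
  push:
    tags:
      - 'v*'
      - '!v*-preview*'     # assumption: negate pre-release tags, which v* also matches
---
# .github/workflows/release-preview.yml - pre-release versions
name: release-preview
on:
  push:
    tags:
      - 'v*-preview*'
```

Negative patterns must follow the positive pattern they narrow; GitHub applies the list in order, so `'!v*-preview*'` placed before `'v*'` would have no effect.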

2. GitHub Actions Architecture

The repository uses Composite Actions to encapsulate logic and reduce duplication across workflows. These are located in .github/workflows/actions/.

Core Composite Actions

  • setup-sdk-and-tools: Standardizes the .NET SDK setup, tool restoration, and caching.
  • dotnet-build / dotnet-build-release: Centralized build logic.
  • dotnet-test / dotnet-test-release: Centralized testing logic.
  • docker-publish-all: Orchestrates the publishing of all Docker images in the solution.
  • nuget-publish-all: Orchestrates the publishing of all NuGet packages.

Security & Analysis Actions

  • sonar-begin / sonar-end: Wraps SonarCloud static analysis.
  • scan-file-system-vulnerabilities: Scans the filesystem for known vulnerabilities.
  • scan-nuget-vulnerabilities: Checks dependencies against vulnerability databases.
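To show how a composite action of this kind is wired, here is an added example in the style of setup-sdk-and-tools together with a job that consumes it. It is not the project's own action: the input name, the SDK version, the cache key and the tool-restore step are assumptions; the directory comes from the section above.

```yaml
# Added example (assumed path): .github/workflows/actions/setup-sdk-and-tools/action.yml
name: setup-sdk-and-tools
description: Install the .NET SDK, restore local tools and cache NuGet packages

inputs:
  dotnet-version:
    description: SDK version to install (assumed input)
    required: false
    default: '9.0.x'

runs:
  using: composite
  steps:
    - uses: actions/setup-dotnet@v4
      with:
        dotnet-version: ${{ inputs.dotnet-version }}

    - name: Cache NuGet packages
      uses: actions/cache@v4
      with:
        path: ~/.nuget/packages
        # Keyed on project and lock files so a dependency change yields a fresh cache
        key: nuget-${{ runner.os }}-${{ hashFiles('**/*.csproj', '**/packages.lock.json') }}
        restore-keys: nuget-${{ runner.os }}-

    - name: Restore local tools
      run: dotnet tool restore
      shell: bash          # run steps inside a composite action must declare a shell
---
# Consumer: a job in develop.yml referencing the actions by repository path
name: develop
on:
  push:
    branches: [develop]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4     # required before a local ./ action can be resolved
      - uses: ./.github/workflows/actions/setup-sdk-and-tools
        with:
          dotnet-version: '9.0.x'
      - uses: ./.github/workflows/actions/dotnet-build
      - uses: ./.github/workflows/actions/dotnet-test
```

Two details trip people up with composite actions: every `run:` step needs an explicit `shell:` (a workflow job infers one, a composite action does not), and the consuming job must check out the repository first, otherwise the `./.github/workflows/actions/...` path does not exist on the runner.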

3. Docker Standards

Docker images are built and published using the docker/build-push-action.

Key Configuration

  • Multi-Architecture Support: Images are built for both linux/amd64 and linux/arm64.
  • Security:
    • SBOM: A Software Bill of Materials is generated (sbom: true).
    • Provenance: SLSA provenance is generated (provenance: true).
    • Docker Scout: Integrated for vulnerability scanning (commands: quickview, cves, recommendations).
  • Registry: Images are published to Docker Hub under the duranserkan namespace.
  • Versioning:
    • semver: Matches the git tag (e.g., 1.2.3).
    • major.minor: Floating tag for stability (e.g., 1.2).
    • branch, pr: Context-aware tagging for non-release builds.

Standard Dockerfile Locations

  • DRN.Nexus.Hosted/Dockerfile -> drn-project-nexus
  • Sample.Hosted/Dockerfile -> drn-project-sample
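The following job is an added example of one image published according to the standards above; it is not the project's docker-publish-all action. The image name, Dockerfile path, platforms, `sbom`/`provenance` settings, tag kinds, Scout commands and registry namespace come from this section; the job layout, action versions, the PR no-push rule and the Scout severity threshold are assumptions.

```yaml
# Added example: publish drn-project-nexus for amd64 and arm64 with SBOM and provenance.
jobs:
  docker-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3      # emulation so the linux/arm64 stage can build
      - uses: docker/setup-buildx-action@v3    # buildx is required for multi-platform builds

      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}   # a Docker Hub access token, not the account password

      # Tag kinds from the section above:
      #   semver    v1.2.3 -> 1.2.3
      #   major.minor  v1.2.3 -> 1.2 (floating)
      #   branch    push to develop -> develop
      #   pr        pull request #42 -> pr-42
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: duranserkan/drn-project-nexus
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=ref,event=branch
            type=ref,event=pr

      - uses: docker/build-push-action@v6
        with:
          context: .
          file: DRN.Nexus.Hosted/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}   # assumption: build but never push from a PR
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          sbom: true          # attach an SBOM attestation to the image manifest
          provenance: true    # attach a SLSA provenance attestation

      - uses: docker/scout-action@v1
        if: github.event_name != 'pull_request'
        with:
          command: quickview,cves,recommendations
          image: duranserkan/drn-project-nexus:${{ steps.meta.outputs.version }}
          dockerhub-user: ${{ secrets.DOCKER_USERNAME }}
          dockerhub-password: ${{ secrets.DOCKER_PASSWORD }}
          only-severities: critical,high   # assumption: threshold for failing the job
          exit-code: true                  # make the scan a gate rather than a report
```

With `sbom: true` and `provenance: true` the attestations are pushed alongside the image as part of the manifest, so they are only present for pushed builds; a PR build here is verified by the build itself and by the separate filesystem and NuGet scans, not by Scout.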

4. NuGet Publishing

NuGet package publishing is automated via the release workflows.

  • Versioning: Extracted directly from the Git tag.
  • Attestation: Uses actions/attest-build-provenance to generate build provenance for packages.
  • Artifacts: Packages are uploaded as workflow artifacts (packages) for traceability.
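The release job below is an added example that carries the three points above through end to end; it is not the project's nuget-publish-all action. actions/attest-build-provenance, the `packages` artifact name and the NUGET_TOKEN secret come from the page; the tag-to-version shell step, the semver guard, the `artifacts/` output directory, the SDK version and the action versions are assumptions.

```yaml
# Added example: version from tag, pack, attest provenance, keep artifacts, publish.
name: release
on:
  push:
    tags: ['v*', '!v*-preview*']   # assumption: pre-release tags stay on release-preview.yml

jobs:
  nuget-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # attest-build-provenance signs with the workflow's OIDC identity
      attestations: write   # ...and stores the attestation on the repository
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '9.0.x'     # assumed SDK version

      - name: Derive package version from the tag
        id: version
        shell: bash
        run: |
          # GITHUB_REF_NAME is the tag that triggered the run, e.g. v1.2.3 -> 1.2.3
          version="${GITHUB_REF_NAME#v}"
          # Refuse anything that is not plain semver so a stray tag cannot publish a package
          if ! [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "unexpected release tag: $GITHUB_REF_NAME" >&2
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Pack
        run: >
          dotnet pack --configuration Release
          -p:PackageVersion=${{ steps.version.outputs.version }}
          --output ./artifacts

      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: artifacts/*.nupkg   # one attestation per package file

      - uses: actions/upload-artifact@v4
        with:
          name: packages
          path: artifacts/*.nupkg

      - name: Publish to NuGet.org
        env:
          NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}   # via env, not inlined into the shell script
        run: >
          dotnet nuget push "artifacts/*.nupkg"
          --api-key "$NUGET_TOKEN"
          --source https://api.nuget.org/v3/index.json
          --skip-duplicate
```

Attestation runs before upload and publish so that the `.nupkg` files that reach the artifact store and the registry are byte-identical to the subjects that were attested; a consumer can later verify a downloaded package against the repository's attestations with `gh attestation verify`.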

5. Required Secrets

To function correctly, the repository requires the following secrets to be configured in GitHub:

  • SONAR_TOKEN: Token for SonarCloud analysis.
  • NUGET_TOKEN: API key for publishing to NuGet.org.
  • DOCKER_USERNAME: Docker Hub username.
  • DOCKER_PASSWORD: Docker Hub Access Token.