
orangitfi/platform-tooling

platform-tooling

Centralized reusable GitHub Actions workflows and composite actions for Node.js / React / Next.js and Python / uv repositories. Consuming repos call a single uses: line; this repository controls how every job runs.

Consuming repo controls when · platform-tooling controls how

Usage

There are two ways to use this repository:

Option A — reference from the shared repo (recommended)

Reference workflows and actions directly from this repository using the latest SHA from main. Always use the SHA shown under Current SHA; never use @main, because that resolves at runtime and bypasses pinning.

jobs:
  ci:
    uses: orangitfi/platform-tooling/.github/workflows/node-ci.yml@<current-sha>

Option B — copy to your own repo

Copy the relevant workflow or action files into your repository and maintain them independently. This gives you full control, but you receive no updates automatically.
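Because Option A only works as a pin when every reference really is a full commit SHA, a consuming repository benefits from a check that refuses tags, branches and @main. The script below is an added example written for this README, not part of platform-tooling: it scans a workflow file for remote uses: references whose ref is not a 40-character hex SHA. The sample workflow, its job names and the local action path are constructed for the demonstration; the one pinned SHA is the Current SHA quoted in this README.

```shell
#!/bin/sh
# Added example (not platform-tooling's own code): audit a workflow file for remote
# action/workflow references that are not pinned to a full 40-hex commit SHA.
# Local actions (uses: ./...) need no pin; docker:// references are out of scope here.

# Print every offending `uses:` line (with its line number) in the given file.
# Remote references look like owner/repo/path@ref; a proper pin is exactly 40 hex
# characters after the final '@', optionally followed by whitespace and a comment.
list_unpinned() {
  grep -n -E 'uses:[[:space:]]*[A-Za-z0-9][A-Za-z0-9_.-]*/' "$1" \
    | grep -v -E '@[0-9a-f]{40}([[:space:]].*)?$' || true
}

# Return 0 when every remote reference in the file is SHA-pinned, 1 otherwise.
check_pins() {
  unpinned=$(list_unpinned "$1")
  if [ -n "$unpinned" ]; then
    printf '%s: unpinned action/workflow reference(s):\n%s\n' "$1" "$unpinned" >&2
    return 1
  fi
  return 0
}

# Constructed sample workflow: one correct pin, one @main, one @v4 tag, one local action.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ci.yml" <<'EOF'
name: ci
on: [push]
jobs:
  ci:
    uses: orangitfi/platform-tooling/.github/workflows/node-ci.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1  # pt-sha
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/local-step
      - uses: orangitfi/platform-tooling/.github/actions/slack-notify@main
      - uses: actions/checkout@v4
EOF

# Usage: the sample is expected to fail, since two of its references are not SHA pins.
if check_pins "$SAMPLE_DIR/ci.yml"; then
  echo "all remote references are SHA-pinned"
else
  echo "unpinned references found (expected for the constructed sample)"
fi
```

Run it over `.github/workflows/*.yml` in a consuming repository (for example from a pre-commit hook or a lightweight CI job) and treat a non-zero exit as a blocker. Note that the check is deliberately strict: actions/checkout@v4 is flagged even though the README accepts official GitHub actions, because a tag is still a mutable ref.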


Current SHA

a4ca46b0de8eda2f61573cfbd4164e538a7775a1

Use this SHA when referencing any workflow or action from this repository:

# Reusable workflow
jobs:
  ci:
    uses: orangitfi/platform-tooling/.github/workflows/node-ci.yml@a4ca46b0de8eda2f61573cfbd4164e538a7775a1

# Composite action
steps:
  - uses: orangitfi/platform-tooling/.github/actions/slack-notify@a4ca46b0de8eda2f61573cfbd4164e538a7775a1

Bumping the SHA

Every uses: line inside this repository is tagged with a # pt-sha comment so that all of them can be found and updated with one command. After committing your changes, run:

# OLD is the SHA currently shown under "Current SHA"; NEW is the commit you just made.
OLD=a4ca46b0de8eda2f61573cfbd4164e538a7775a1
NEW=$(git rev-parse HEAD)
# `sed -i ''` is the BSD/macOS form; GNU sed takes `-i` with no empty argument.
sed -i '' "s/${OLD}/${NEW}/g" README.md $(grep -rl "# pt-sha" .github/workflows/)
git add README.md .github/workflows/
git commit -m "chore: bump platform-tooling SHA pins to ${NEW}"
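The one-liner above rewrites blindly: it does not check that OLD and NEW are real commit SHAs, its sed -i form differs between GNU and BSD sed, and nothing confirms afterwards that every pin was actually replaced. The script below is an added example, not platform-tooling's own tooling, that performs the same bump with those checks. The repository layout, README contents and the NEW value are constructed for the demonstration; OLD is the Current SHA from this README.

```shell
#!/bin/sh
# Added example (not platform-tooling's own script): bump every SHA pin from OLD to NEW
# portably (no GNU/BSD `sed -i` quirk), validate both refs are full commit SHAs, and
# verify afterwards that no copy of the old SHA survived.

is_sha() {
  printf '%s' "$1" | grep -q -E '^[0-9a-f]{40}$'
}

# Usage: bump_pins OLD NEW FILE...   Prints the number of files rewritten.
bump_pins() {
  old=$1; new=$2; shift 2
  if ! is_sha "$old" || ! is_sha "$new"; then
    echo "bump_pins: OLD and NEW must both be 40-character hex commit SHAs" >&2
    return 1
  fi
  [ $# -gt 0 ] || { echo "bump_pins: no files given" >&2; return 1; }
  changed=0
  for f in "$@"; do
    grep -q "$old" "$f" || continue
    # Rewrite through a temp file and copy back so the original file's mode is kept.
    tmp="$f.bump.$$"
    sed "s/$old/$new/g" "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    changed=$((changed + 1))
  done
  # Post-condition: the old SHA must be gone from every file handed in.
  if grep -l "$old" "$@" >/dev/null 2>&1; then
    echo "bump_pins: old SHA still present after rewrite" >&2
    return 1
  fi
  echo "$changed"
}

# Constructed sample repository; OLD is the SHA from this README, NEW is a placeholder.
OLD=a4ca46b0de8eda2f61573cfbd4164e538a7775a1
NEW=0123456789abcdef0123456789abcdef01234567
REPO=$(mktemp -d)
mkdir -p "$REPO/.github/workflows"
cat > "$REPO/README.md" <<EOF
Current SHA: $OLD
uses: orangitfi/platform-tooling/.github/workflows/node-ci.yml@$OLD
EOF
cat > "$REPO/.github/workflows/node-ci.yml" <<EOF
jobs:
  security:
    uses: orangitfi/platform-tooling/.github/workflows/node-security-scan.yml@$OLD # pt-sha
EOF
cat > "$REPO/.github/workflows/untagged.yml" <<'EOF'
jobs:
  other:
    uses: actions/checkout@v4
EOF

# Same file selection as the README's one-liner, passed as the argument list.
bump_pins "$OLD" "$NEW" "$REPO/README.md" $(grep -rl "# pt-sha" "$REPO/.github/workflows/")
```

In the real repository the argument list is `README.md $(grep -rl "# pt-sha" .github/workflows/)` with NEW taken from `git rev-parse HEAD`, exactly as in the command above; the function then prints how many files it touched, which is a cheap sanity check before `git commit`.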

Reusable Workflows

Located in .github/workflows/. All use on: workflow_call and never define their own triggers.

Node.js / React / Next.js

| Workflow | Description |
| --- | --- |
| node-ci.yml | Full CI pipeline — security → lint + build + test (parallel) → vulnerability scan. A single uses: line replaces an entire CI file. |
| node-daily.yml | Nightly pipeline — runs the full CI pipeline and an OWASP ZAP DAST scan in parallel. |
| node-security-scan.yml | Runs gitleaks, npm audit, and guarddog in parallel. Intended as the first gate in any Node.js pipeline. |
| node-lint.yml | Runs npm lint and Docker lint (hadolint) in parallel. Docker lint is skipped cleanly when no Dockerfile is found. |
| node-build.yml | Installs dependencies with npm ci and runs the npm build script. |
| node-test.yml | Runs unit tests and optional Playwright e2e tests in parallel. The Playwright report is uploaded as an artifact on failure. |
| node-vulnerability-scan.yml | Runs Syft + Grype vulnerability scans against the source code and the Docker image. The Docker scan is optional. |
| node-build-and-publish-docker.yml | Builds a Docker image and optionally pushes it to GCP Artifact Registry. No push occurs when publish is false. |
| node-update-visual-snapshots.yml | Regenerates Playwright visual baseline screenshots and commits them back to the branch. Triggered manually via workflow_dispatch. |

Python / uv

| Workflow | Description |
| --- | --- |
| python-ci.yml | Full CI pipeline — security → lint + test (parallel) → vulnerability scan. A single uses: line replaces an entire CI file. |
| python-daily.yml | Nightly pipeline — runs the full CI pipeline and an OWASP ZAP DAST scan in parallel. |
| python-security-scan.yml | Runs gitleaks, pip-audit, and guarddog in parallel. Intended as the first gate in any Python pipeline. |
| python-lint.yml | Runs ruff check + ruff format and Docker lint (hadolint) in parallel. Docker lint is skipped cleanly when no Dockerfile is found. |
| python-test.yml | Installs dependencies with uv sync --frozen and runs pytest. The Python version is resolved from pyproject.toml automatically. |
| python-vulnerability-scan.yml | Runs Syft + Grype vulnerability scans against the source code and the Docker image. The Docker scan is optional. |
| python-build-and-publish-docker.yml | Builds a Docker image and optionally pushes it to GCP Artifact Registry. Credentials are read from 1Password at runtime. |

Shared

| Workflow | Description |
| --- | --- |
| dast-scan.yml | OWASP ZAP dynamic security scan against a live URL. Supports baseline (passive), full (active), and api (OpenAPI-aware) scan types. Skips cleanly when no URL is provided. |

Composite Actions

Located in .github/actions/. Each action has its own README.md with full input/output documentation.

Security

| Action | Description |
| --- | --- |
| gitleaks-scan | Installs gitleaks from a pinned release with SHA-256 verification and scans the repository for leaked secrets across the full git history. |
| npm-audit | Runs npm audit against the lockfile to detect known CVEs in npm dependencies. NPM_CONFIG_IGNORE_SCRIPTS=true prevents lifecycle scripts from running. |
| guarddog-npm-scan | Runs guarddog against package.json to detect supply-chain threats (typosquatting, code injection, exfiltration) before any dependency is installed. |
| pip-audit | Exports the uv lockfile and runs pip-audit to detect known CVEs in Python dependencies before any package is installed. Requires setup-uv. |
| guarddog-scan | Exports the uv lockfile and runs guarddog to detect supply-chain threats in PyPI packages before any package is installed. Requires setup-uv. |
| security-scan-code | Generates a Syft SBOM for a source directory and scans it with Grype. Requires scheduled_test_setup. |
| owasp-zap-scan | Runs an OWASP ZAP DAST scan against a live URL using a pinned Docker digest. Supports baseline, full, and api modes. Skips cleanly when no URL is provided. |

Docker

| Action | Description |
| --- | --- |
| docker-lint | Lints a Dockerfile with hadolint. |
| docker-scan | Builds a Docker image and scans it for vulnerabilities with Syft + Grype. Uploads the SBOM as a workflow artifact. |
| docker-build-push | Builds a Docker image, runs a Syft + Grype vulnerability scan, and pushes to GCP Artifact Registry only if the scan passes. |

Setup / Tooling

| Action | Description |
| --- | --- |
| setup-uv | Installs uv (v0.11.3) from the official GitHub release with SHA-256 verification. Prerequisite for all Python composite actions and workflows. |
| scheduled_test_setup | Installs Syft and Grype on the runner. Prerequisite for security-scan-code and docker-scan. |

Notifications / Publishing

| Action | Description |
| --- | --- |
| slack-notify | Reads a Slack webhook URL from 1Password and posts a workflow status notification with repo, branch, commit, and run link. |
| publish-to-confluence | Publishes a docs/ folder of Markdown files to Confluence Cloud, preserving the folder hierarchy as the page hierarchy. |

Security disclaimer

This repository is provided as-is, without warranty of any kind. The workflows and actions are internal tooling — they are not a security product and do not guarantee that consuming repositories are free of vulnerabilities.

Only the latest commit on main is maintained. There are no versioned releases and no backports. When a fix is committed, consuming repositories must update their pinned SHA to receive it. See SECURITY.md for the full policy.


Design Principles

  • No third-party marketplace actions — binaries are downloaded directly with SHA-256 verification. actions/checkout, actions/upload-artifact, and actions/setup-node (official GitHub org) are acceptable.
  • All secrets come from 1Password — only OP_SERVICE_ACCOUNT_TOKEN is passed as a secret; all values are read via op read and masked with ::add-mask:: before use.
  • Tight version pinning — SHA pins on all external actions; versioned and checksum-verified binaries.
  • fail-on-findings defaults to true on all security actions but is overridable per call site.
  • Consuming repo controls when, platform-tooling controls how — no triggers (push, pull_request) are defined in this repository.
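The second principle (read with op read, mask with ::add-mask:: before use) depends entirely on ordering: the mask command has to reach the step's stdout before the value is echoed, written to GITHUB_ENV or handed to another tool. The function below is an added example of that ordering written for this README, not code from platform-tooling. So that it can be exercised offline, the command that produces the secret is passed in as arguments; in a real step that command would be op read with an op:// reference and OP_SERVICE_ACCOUNT_TOKEN in the environment (assumed here, as the README describes). The variable names and the token value are constructed.

```shell
#!/bin/sh
# Added example (not from platform-tooling): fetch -> mask -> use ordering for a secret
# that is read at runtime rather than passed in as a GitHub secret.
#
# Usage: load_secret VAR_NAME reader-command [args...]
# Sets and exports VAR_NAME. Every line of the value is registered with ::add-mask::
# before the value can reach any log; empty values and reader failures fail closed.
# In a workflow step the reader would be: op read "op://<vault>/<item>/<field>" (assumed).
load_secret() {
  name=$1; shift
  # Only accept a plain identifier, since the name is used in an eval below.
  case $name in
    *[!A-Za-z0-9_]*|[0-9]*|'')
      echo "load_secret: invalid variable name '$name'" >&2
      return 1 ;;
  esac
  value=$("$@") || { echo "load_secret: reader command failed for $name" >&2; return 1; }
  if [ -z "$value" ]; then
    echo "load_secret: $name resolved to an empty value; refusing to continue" >&2
    return 1
  fi
  # GitHub masks each registered string, so register every line of a multi-line value.
  # This must happen before anything else sees $value.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
  eval "$name=\$value"
  export "$name"
}

# Constructed demonstration: a stand-in reader instead of `op read`.
load_secret SLACK_WEBHOOK_URL printf 'https://hooks.example.invalid/constructed-webhook'
echo "SLACK_WEBHOOK_URL loaded (${#SLACK_WEBHOOK_URL} characters); the value itself is now masked"
```

Workflow commands such as ::add-mask:: are only honoured when they appear on the stdout of a run: step, so this function belongs inside the step that consumes the secret, not in a separate process whose output is discarded. The empty-value check matters in practice: a misspelled op:// path otherwise yields an empty string that is silently passed on to the next tool.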
