Flowzone

Reusable, opinionated, zero-conf workflows for GitHub Actions

Install / Use

/learn @product-os/Flowzone
About this skill

Quality Score

0/100

Supported Platforms

Universal

Getting Started

Open a PR with the following changes to test and enable Flowzone:

  1. Create .github/workflows/flowzone.yml (see Usage) in a new Draft Pull Request to avoid changing branch protection rules.
  2. Ensure your package.json, docker-compose.test.yml, balena.yml, etc. contain correct information and all tests are passing.
  3. Mark the Pull Request as Ready for Review and re-run the checks via the Checks or Actions panel. New branch protection rules will be applied and this requires admin access to revert!
  4. Seek approval or self-certify!

Usage

<!-- start usage --> <!--- DO NOT EDIT MANUALLY - This section is auto-generated from flowzone.yml -->

name: Flowzone

on:
  pull_request:
    types: [opened, synchronize, closed]
    branches: [main, master]
  # allow external contributions to use secrets within trusted code
  pull_request_target:
    types: [opened, synchronize, closed]
    branches: [main, master]

jobs:
  flowzone:
    name: Flowzone
    uses: product-os/flowzone/.github/workflows/flowzone.yml@master
    # prevent duplicate workflow executions for pull_request and pull_request_target
    if: |
      (
        github.event.pull_request.head.repo.full_name == github.repository &&
        github.event_name == 'pull_request'
      ) || (
        github.event.pull_request.head.repo.full_name != github.repository &&
        github.event_name == 'pull_request_target'
      )

    # Workflows in the same org or enterprise can use the inherit keyword to implicitly pass secrets
    secrets: inherit

    # Otherwise you must manually specify which secrets to pass
    secrets:
      # GitHub App private key to generate ephemeral access tokens. Supports base64 encoded or raw
      # PEM formats. If set, takes precedence over FLOWZONE_TOKEN.
      # Required: false
      FLOWZONE_APP_PRIVATE_KEY:

      # Deprecated, use FLOWZONE_APP_PRIVATE_KEY instead
      # Required: false
      GH_APP_PRIVATE_KEY:

      # .. or Personal Access Token (PAT) with admin/owner permissions in the org.
      # Required: false
      FLOWZONE_TOKEN:

      # The NPM auth. token to use for publishing
      # Required: false
      NPM_TOKEN:

      # Username to publish to the Docker Hub container registry
      # Required: false
      DOCKERHUB_USER:

      # Deprecated, use DOCKERHUB_USER instead
      # Required: false
      DOCKER_REGISTRY_USER:

      # A personal access token to publish to the Docker Hub container registry
      # Required: false
      DOCKERHUB_TOKEN:

      # Deprecated, use DOCKERHUB_TOKEN instead
      # Required: false
      DOCKER_REGISTRY_PASS:

      # API key for pushing releases to balena applications
      # Required: false
      BALENA_API_KEY:

      # Deprecated, use BALENA_API_KEY instead
      # Required: false
      BALENA_API_KEY_PUSH:

      # A personal access token to publish to a cargo registry
      # Required: false
      CARGO_REGISTRY_TOKEN:

      # Optional base64 encoded docker-compose `.env` file for testing Docker images
      # Required: false
      COMPOSE_VARS:

      # Cloudflare account ID
      # Required: false
      CF_ACCOUNT_ID:

      # Cloudflare API token with limited access for Pages projects
      # Required: false
      CF_API_TOKEN:

      # Token to publish to pypi.org
      # Required: false
      PYPI_TOKEN:

      # Token to publish to test.pypi.org
      # Required: false
      PYPI_TEST_TOKEN:

      # API key to post Zulip messages.
      # Required: false
      ZULIP_API_KEY:

      # Optional secret for using with custom jobs
      # Required: false
      CUSTOM_JOB_SECRET_1:

      # Optional secret for using with custom jobs
      # Required: false
      CUSTOM_JOB_SECRET_2:

      # Optional secret for using with custom jobs
      # Required: false
      CUSTOM_JOB_SECRET_3:

      # API key for Dependency-Track integration
      # Required: false
      DTRACK_TOKEN:

    with:
      # AWS region with GitHub OIDC provider IAM configuration
      # Type: string
      # Required: false
      aws_region: ${{ vars.AWS_REGION || '' }}

      # AWS IAM role ARN to assume with GitHub OIDC provider
      # Type: string
      # Required: false
      aws_iam_role: ${{ vars.AWS_IAM_ROLE || '' }}

      # This input is deprecated. To deploy CloudFormation stacks, create a
      # `aws-cf-templates.yaml` file in the root of the repository.
      # Type: string
      # Required: false
      cloudformation_templates: 

      # GitHub App ID to generate an installation token.
      # See https://github.com/tibdex/github-app-token for more info.
      # Type: string
      # Required: false
      app_id: ${{ vars.FLOWZONE_APP_ID || vars.APP_ID }}

      # Timeout for the job(s).
      # Type: number
      # Required: false
      jobs_timeout_minutes: 120

      # GitHub actions working directory
      # Type: string
      # Required: false
      working_directory: .

      # Comma-delimited string of Docker images (without tags) to publish (skipped if empty)
      # Type: string
      # Required: false
      docker_images: 

      # Comma-delimited string of Docker buildx bake targets to publish (skipped if empty)
      # Type: string
      # Required: false
      bake_targets: default

      # Invert the tags for the Docker images (e.g. `{tag}-{variant}` becomes `{variant}-{tag}`)
      # Type: boolean
      # Required: false
      docker_invert_tags: false

      # Publish platform-specific tags in addition to multi-arch manifests (e.g.
      # `product-os/flowzone:latest-amd64`)
      # Type: boolean
      # Required: false
      docker_publish_platform_tags: false

      # balenaCloud environment
      # Type: string
      # Required: false
      balena_environment: balena-cloud.com

      # Comma-delimited string of balenaCloud apps, fleets, or blocks to deploy (skipped if empty)
      # Type: string
      # Required: false
      balena_slugs: 

      # Comma-delimited string of Rust stable targets to publish (skipped if empty)
      # Type: string
      # Required: false
      cargo_targets: >
        aarch64-unknown-linux-gnu,
        armv7-unknown-linux-gnueabihf,
        arm-unknown-linux-gnueabihf,
        x86_64-unknown-linux-gnu,
        i686-unknown-linux-gnu

      # Set to true to publish Rust binary release artifacts to GitHub
      # Type: boolean
      # Required: false
      rust_binaries: false

      # Set to true to enable terminal emulation for test steps
      # Type: boolean
      # Required: false
      pseudo_terminal: false

      # Set to true to disable automatic versioning
      # Type: boolean
      # Required: false
      disable_versioning: false

      # JSON array of runner label strings for default jobs.
      # Type: string
      # Required: false
      runs_on: >
        [
          "ubuntu-24.04"
        ]

      # JSON key-value pairs mapping platforms to arrays of runner labels. Unlisted platforms will
      # use `runs_on`.
      # Type: string
      # Required: false
      docker_runs_on: >
        {
          "linux/amd64": ["ubuntu-24.04"],
          "linux/arm64": ["ubuntu-24.04-arm"],
          "linux/arm/v7": ["ubuntu-24.04-arm"],
          "linux/arm/v6": ["ubuntu-24.04-arm"]
        }

      # JSON array of runner label strings for cloudformation jobs.
      # Type: string
      # Required: false
      cloudformation_runs_on:

      # Setting this to your existing CF pages project name will generate and deploy a website.
      # Skipped if empty.
      # Type: string
      # Required: false
      cloudflare_website: 

      # Set to false to disable building a docusaurus website. If false the script `npm run
      # deploy-docs` will be run if it exists.
      # Type: boolean
      # Required: false
      docusaurus_website: true

      # Finalize releases on merge.
      # Type: boolean
      # Required: false
      github_prerelease: false

      # Do not execute custom actions for external contributors. Only remove this restriction if
      # custom actions have been vetted as secure.
      # Type: boolean
      # Required: false
      restrict_custom_actions: true

      # JSON matrix strategy for the custom test action. Properties 'environment' and 'os' will be
      # applied to the job.
      # Type: string
      # Required: false
      custom_test_matrix: 

      # JSON matrix strategy for the custom publish action. Properties 'environment' and 'os' will
      # be applied to the job.
      # Type: string
      # Required: false
      custom_publish_matrix: 

      # JSON matrix strategy for the custom finalize action. Properties 'environment' and 'os'
      # will be applied to the job.
      # Type: string
      # Required: false
      custom_finalize_matrix: 

      # Deprecated. Add the 'os' property in custom_test_matrix, custom_publish_matrix, and
      # custom_finalize_matrix instead.
      # Type: string
      # Required: false
      custom_runs_on:

      # Set to false to disable toggling auto-merge on PRs.
      # Type: boolean
      # Required: false
      toggle_auto_merge: true

      # Create git tags and a PR comment with detailed change log.
      # Type: boolean
      # Required: false
      release_notes: fa
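
A pre-merge review check for a caller workflow like the one above, as an added example that is not part of the Flowzone project. It flags three settings visible in the usage block that deserve a deliberate decision: a mutable ref such as `@master` on the reusable workflow, `secrets: inherit` combined with the `pull_request_target` trigger, and `restrict_custom_actions: false`. The function name `review_caller` and the sample input are constructed for illustration.

```python
import re

# Constructed sample caller workflow (not the project's file).
SAMPLE = """\
on:
  pull_request_target:
    types: [opened, synchronize, closed]
jobs:
  flowzone:
    uses: product-os/flowzone/.github/workflows/flowzone.yml@master
    secrets: inherit
    with:
      restrict_custom_actions: false
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is an immutable ref


def review_caller(text):
    """Return (line_number, note) review items for a Flowzone caller workflow."""
    # Drop YAML comments so commented-out settings are not reported.
    lines = [(n, raw.split(" #")[0].rstrip())
             for n, raw in enumerate(text.splitlines(), 1)]
    has_target = any(re.match(r"\s*pull_request_target\s*:", l) for _, l in lines)
    items = []
    for n, l in lines:
        ref = re.match(r"\s*uses:\s*\S+@(\S+)", l)
        if ref and not FULL_SHA.match(ref.group(1)):
            items.append((n, f"ref '{ref.group(1)}' is mutable; pin the reusable "
                             "workflow to a full commit SHA"))
        if has_target and re.match(r"\s*secrets:\s*inherit\s*$", l):
            items.append((n, "'secrets: inherit' passes every caller secret on "
                             "pull_request_target runs; list only those needed"))
        if re.match(r"\s*restrict_custom_actions:\s*false\s*$", l):
            items.append((n, "custom actions will run for external contributors; "
                             "confirm they have been vetted"))
    return items


if __name__ == "__main__":
    for line_no, note in review_caller(SAMPLE):
        print(f"line {line_no}: {note}")
```
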

GitHub Stars: 26
Category: Development
Updated: 16h ago
Forks: 8

Languages

JavaScript

Security Score

95/100

Audited on Apr 6, 2026

No findings