Shared CI definitions for the cshuttle homelab estate: reusable GitHub
Actions workflows (.github/workflows/) and the shared Lefthook git-hook
config (lefthook/).
This repo is intentionally public so the private GitOps repos can consume it
— cross-repo reusable workflows between private repos require a paid GitHub
plan, but a public host is callable by any repo on any plan, and Lefthook
remotes: likewise pull from here. Only generic CI recipes live here; no
secrets, manifests, or hostnames.
Renders every kustomization.yaml root in the caller's checkout with
kustomize build --enable-helm and schema-validates the output with
kubeconform. Catches a commit that breaks a render before ArgoCD pulls it.
# .github/workflows/validate.yml in a GitOps content repo
name: validate
on:
push:
pull_request:
jobs:
kustomize:
uses: cshuttle/workflows/.github/workflows/kustomize-validate.yml@mainOptional input paths (space-separated roots to scan; default .).
Runs a GitGuardian ggshield secret
scan over the caller's pushed/PR commit range — a pre-merge gate, unlike the
GitGuardian GitHub App which only flags leaks retroactively. Findings also appear
in the shared GitGuardian dashboard (where policy and false-positives — e.g. bws
UUIDs — are managed; don't obfuscate them in code).
# .github/workflows/ggshield.yml in any repo
name: ggshield
on:
push:
pull_request:
jobs:
ggshield:
uses: cshuttle/workflows/.github/workflows/ggshield-scan.yml@main
secrets: inheritRequires the org Actions secret GITGUARDIAN_API_KEY (scope scan; source
of truth in bws Infrastructure). secrets: inherit passes it through — no
per-repo secret needed.
Shared advisory pre-commit hooks (shellcheck, gitleaks, ggshield, yamllint,
whitespace / merge-conflict). Consume from any repo with a tiny lefthook.yml:
remotes:
- git_url: https://github.com/cshuttle/workflows
ref: main
configs:
- lefthook/base.ymlThen lefthook install per clone. Tools expected on PATH: lefthook,
shellcheck, gitleaks, ggshield, yamllint. ggshield also needs a
GitGuardian token (ggshield auth login or GITGUARDIAN_API_KEY); without one
its hook self-skips (advisory) — gitleaks still runs offline.
The canonical engineering standards for the estate — change flow, lint/format
(Trunk is normative), commit/PR conventions, secrets rules, ADR practice, docs
conventions, and the per-repo AGENTS.md contract. Every repo's root
AGENTS.md links here and carries only repo-specific deltas.
Shared pragmatic markdownlint profile (defaults on; noisy prose/structural
rules off). Copy into a repo as .trunk/configs/.markdownlint.yaml and remove
markdownlint from lint.disabled in .trunk/trunk.yaml. Strict adoption is
tracked in #7.