| description | Naming, ordering, inputs, security, and structural rules for all GitHub Actions workflow files. | ||
|---|---|---|---|
| paths |
|
Structural and stylistic rules for GitHub Actions workflow files. Refer to shell-scripts.md for Bash conventions used
inside run: steps, and to terraforms.md for Terraform conventions used in terraform/.
Verify every item before producing any workflow YAML. If any item fails, revise before outputting.
- File name follows the convention:
ci-<runtime>.ymlfor reusable CI,cd-<purpose>.ymlfor dispatch CD. namefield follows the patternCI — <Context>orCD — <Context>, using sentence case after the dash (e.g.,CD — Run migration, notCD — Run Migration).- Reusable workflows use
workflow_calltrigger. CD workflows useworkflow_dispatchtrigger. - Each workflow has a single responsibility. CI tests code. CD deploys it. Never combine both.
- Every input has a
descriptionfield. Descriptions use American English and end with a period. - Input names use
kebab-case:service-name,dry-run,skip-build. - Inputs are ordered: required first, then optional. Each group by name length ascending.
- Choice input options are in alphabetical order.
env,outputs, andwithentries are ordered by key length ascending.permissionskeys are ordered by key length ascending (contentsbeforeid-token).- Top-level workflow keys follow canonical order:
name,on,concurrency,permissions,env,jobs. - Job-level properties follow canonical order:
if,name,needs,uses,with,runs-on,environment,timeout-minutes,strategy,outputs,permissions,env,steps. - All other YAML property names within a block are ordered by name length ascending.
- Jobs follow execution order:
load-config→lint→test→build→deploy. - Step names start with a verb and use sentence case:
Setup PHP,Run lint,Resolve image tag. - Runtime versions are resolved from the service repo's native dependency file (
composer.json,go.mod,package.json). No version is hardcoded in any workflow. - Service-specific overrides live in a pipeline config file (e.g.,
.pipeline.yml) in the service repo, not in the workflows repository. - The
load-configjob reads the pipeline config file at runtime with safe fallback to defaults when absent. - Top-level
permissionsdefaults to read-only (contents: read). Jobs escalate only the permissions they need. - AWS authentication uses OIDC federation exclusively. Static access keys are forbidden.
- Secrets are passed via
secrets: inheritfrom callers. No secret is hardcoded. - Sensitive values fetched from SSM are masked with
::add-mask::before assignment. - Third-party actions are pinned to the latest available full commit SHA with a version comment:
uses: aws-actions/configure-aws-credentials@<latest-sha> # v4.0.2. Always verify the latest version before generating a workflow. - First-party actions (
actions/*) are pinned to the latest major version tag available:actions/checkout@v4. Always check for the most recent major version before generating a workflow. - Production deployments require GitHub Environments protection rules (manual approval).
- Every job sets
timeout-minutesto prevent indefinite hangs. CI jobs: 10–15 minutes. CD jobs: 20–30 minutes. Adjust only with justification in a comment. - CI workflows set
concurrencywithgroupscoped to the PR andcancel-in-progress: trueto avoid redundant runs. - CD workflows set
concurrencywithgroupscoped to the environment andcancel-in-progress: falseto prevent interrupted deployments. - CD workflows use
if: ${{ !cancelled() }}to allow to deploy after optional build steps. - Inline logic longer than 3 lines is extracted to a script in
scripts/ci/orscripts/cd/.
- All text (workflow names, step names, input descriptions, comments) uses American English with correct spelling and punctuation. Sentences and descriptions end with a period.
- Callers trigger on
pull_requesttargetingmainonly. Nopushtrigger. - Callers in service repos are static (~10 lines) and pass only
service-nameorapp-name. - Callers reference workflows with
@mainduring development. Pin to a tag or SHA for production.
- CD deploy builds:
<environment>-sha-<short-hash>+latest.
- Migrations run before service deployment (schema first, code second).
cd-migrate.ymlsupportsdry-runmode (flyway validate) for pre-flight checks.- Database credentials are fetched from SSM at runtime, never stored in workflow files.