The Linux Foundation Release Engineering team maintains this organisation. It provides a comprehensive collection of GitHub Actions and CI/CD tooling used across Linux Foundation hosted projects.
All actions follow Conventional Commits, use pinned dependencies, and ship with signed tags and provenance attestations.
| Action | Description |
|---|---|
| python-build-action | Build a Python project |
| python-test-action | Test a Python project and generate coverage reports |
| python-audit-action | Audit Python dependencies for known security vulnerabilities |
| python-twine-check-action | Verify Python build artefacts with Twine before publishing |
| python-notebook-test-action | Check Jupyter Notebooks with pytest and nbmake |
| python-sbom-action | Generate CycloneDX SBOM reports for Python projects |
| tox-run-action | Run tox with specified Python version and environments |
| gradle-build-action | Set up a specific JDK version and run a Gradle build |
| maven-build-action | Set up Maven and build a Java project |
| maven-make-build-action | Set up Maven and run make |
| node-build-action | Set up Node.js and build a project with npm or yarn |
| make-action | Execute the steps described in a Makefile |
| Action | Description |
|---|---|
| pypi-publish-action | Publish a Python project to PyPI |
| pypi-version-check-action | Check PyPI for a given package and optional build/release |
| draft-release-promote-action | Promote a draft GitHub release to a full release |
| release-assets-action | Upload build artefacts and assets to a GitHub release |
| nexus-publish-action | Publish content to Sonatype Nexus Repository servers |
| nexus-docker-login-action | Docker login for all registries in Nexus3 and DockerHub |
| helm-chart-publish-action | Publish Helm Charts to an OCI container repository |
| chartmuseum-action | Start and run a ChartMuseum Helm Chart repository |
| Action | Description |
|---|---|
| python-project-metadata-action | Extract Python project metadata from a repository |
| python-project-name-action | Extract a Python project name and derive the package name |
| python-project-version-action | Return the version of a Python project |
| python-project-version-patch-action | Replace/update the Python project version string |
| python-dynamic-version-action | Check dynamic versioning setup in pyproject.toml |
| python-supported-versions-action | Extract supported Python versions for build/matrix jobs |
| python-dependencies-update-action | Update the dependencies of a Python project |
| Action | Description |
|---|---|
| tag-validate-action | Unified tag validation for SemVer/CalVer and cryptographic signatures |
| tag-validate-semantic-action | Check a string/tag for Semantic Versioning conformity |
| tag-validate-calver-action | Check a string/tag for Calendar Versioning conformity |
| tag-push-verify-action | Verify a workflow trigger was a tag push of a given type |
| python-project-tag-push-verify-action | Check a pushed tag matches the declared Python project version |
| version-extract-action | Extract version strings from supported software project types |
| Action | Description |
|---|---|
| github2gerrit-action | Create Gerrit changes from GitHub pull requests |
| gerrit-clone-action | Bulk clone repositories from Gerrit with multi-threading and retry logic |
| checkout-gerrit-change-action | Checkout a mirrored Gerrit change |
| gerrit-review-action | Set review votes on a Gerrit system |
| gerrit-change-info | Retrieve Gerrit change request information |
| gerrit-action | Start Gerrit server containers with pull-replication for CI testing |
| Action | Description |
|---|---|
| 1password-secrets-action | Securely retrieve secrets from 1Password vaults |
| credential-load-action | Retrieve project/repository specific credentials from a 1Password vault |
| harden-runner-block-action | Load an egress allow-list for step-security/harden-runner block mode |
| sigul-sign-docker | Sign build packages, artefacts, and git tags using Sigul |
| spdx-verify-action | Verify files contain the required SPDX license headers |
| sonarqube-cloud-scan-action | Perform a SonarQube Cloud scan and upload the results |
| sonatype-lifecycle-scan-action | Run a Sonatype Lifecycle (Nexus IQ) scan |
| zizmor-scan-action | Audit GitHub Actions workflows for security defects with zizmor |
| Action | Description |
|---|---|
| repository-metadata-action | Gather repository metadata |
| repository-content-action | Scan a repository for different content types |
| repository-tags | Fetch tags, count them, identify the latest tag, and determine type |
| build-metadata-action | Capture and verify comprehensive build metadata across languages |
| project-name-action | Compare project name to GitHub repository name |
| openssf-scorecard-summary-action | Generate OpenSSF Scorecard summary output with report URL |
| pinned-versions-action | Verify action/workflow calls use pinned SHA commit values |
| standalone-linting-action | Run linting tools that do not run under pre-commit.ci |
| gha-workflow-linter | Lint and verify GitHub workflow/action calls |
| action-semantic-pull-request | Ensure PR titles match the Conventional Commits specification |
| Action | Description |
|---|---|
| git-configure-action | Configure Git settings from inside a GitHub Action |
| git-commit-message-action | Retrieve a Git commit message and check for Change-Id and DCO |
| inject-issue-id-action | Add issue tracker reference to a commit message body |
| path-check-action | Check if a given path exists in the repository and report its type |
| file-grep-regex-action | Extract a string from a file using grep and a regular expression |
| file-sed-regex-action | Perform string substitutions in a file using sed |
| json-key-value-lookup-action | Look up a value in a JSON key/value table |
| url-download-action | Download content from a URL using wget |
| url-validity-action | Check a URL for a valid server response |
| verify-release-schema-action | Verify release file contents against an approved schema |
| github-list-releases-action | Return a list of releases for a GitHub repository |
| http-api-tool-docker | Test HTTP/HTTPS API endpoints for service availability |
| go-httpbin-action | Create a local go-httpbin service with HTTPS support |
| hw-bom-javascript | Generate a hardware bill of materials |
| Tool | Description |
|---|---|
| project-reporting-tool | Comprehensive multi-repository analysis tool for Linux Foundation projects |
| project-reporting-artifacts | Generated reports and data artefacts from the Project Reporting Tool |
| github-report | GitHub organisation posture reporting |
| github-network-audit | Build harden-runner egress allowlists from StepSecurity endpoint data |
These repositories provide test fixtures and sample projects that verify the actions and workflows in this organisation:
| Repository | Purpose |
|---|---|
| test-python-project | Sample Python project (Typer CLI) |
| test-go-project | Sample Go project (calculator CLI) |
| test-node-project | Sample Node.js project (Express HTTP server) |
| test-docker-project | Sample project that builds a Docker image |
| test-makefile-helm-chart | Template Makefile for building a sample Helm Chart |
| test-deploy-gerrit | Gerrit server connectivity and pull-replication testing |
| test-http-api-tool | Workflow tests for the HTTP API testing tool |
| test-pypi-publish-action | PyPI publishing workflow tests |
| test-python-audit-action | Python dependency audit workflow tests |
| test-draft-release-promote-action | Draft release promotion workflow tests |
| test-release-process | End-to-end release workflow testing |
| test-tags-semantic | SemVer tag signature test fixtures |
| test-tags-calver | CalVer tag signature test fixtures |
| Repository | Purpose |
|---|---|
| actions-template | Template repository for creating new GitHub Actions |
| .github | Organisation-wide configuration (default community health files, shared release-drafter configuration) |
| releng-reusable-workflows | Shared/common workflows leveraging these actions (hosted in the lfit org) |
| Tool | Description |
|---|---|
| dependamerge | Bulk merge/close pull requests and Gerrit changes across an org |
| docs-conf | Sphinx build configuration for Release Engineering documentation |
| gerrit-to-platform | Gerrit hooks to allow using GitHub and GitLab as CI platforms |
| lftools-uv | Release Engineering management tooling/utilities (Python) |
| markdown-table-fixer | Fix markdown table formatting as a CLI tool or pre-commit hook |
| pull-request-fixer | Fix pull request titles, bodies, and files across a GitHub org |
The actions published here are designed for projects using both GitHub and Gerrit as the source of code/truth. They all work in native GitHub environments, and can also be used in Gerrit environments with some adaptation to the workflows.
Workflow adaptation for Gerrit is documented in the gerrit-to-platform documentation. Some example workflows are also available.
| Workflow | Description |
|---|---|
| github-vanilla-verify.yaml | A simple workflow that verifies PRs with no Gerrit integration |
| gerrit-verify.yaml | A workflow with Gerrit integration that verifies pull requests |
| gerrit-verify-manual-dispatch.yaml | A Gerrit integrated verify workflow that can also be manually invoked |
| gerrit-merge.yaml | A GitHub workflow that handles merged changes in Gerrit |
- Merge all open/pending pull requests
- Sync your fork with upstream:

  ```shell
  git fetch upstream
  git checkout main
  git merge --ff-only upstream/main
  git push origin main
  ```

- Create and push a signed, annotated tag:

  ```shell
  git tag -s -a v1.2.3 -m "v1.2.3"
  git push upstream v1.2.3
  ```

The tag push triggers one of two release workflows:
| Workflow | Use case |
|---|---|
| tag-push.yaml | Generic (non-language-specific) actions |
| build-test-release.yaml | Python actions that publish to PyPI |

Note: These workflows live in each action repository, not in this `.github` repo.
tag-push.yaml verifies that the tag is valid semver, then promotes the corresponding draft GitHub release.
build-test-release.yaml runs the full Python release pipeline:
- Tag format and signature validation
- Python build with Sigstore signing and attestations
- Pytest test suite
- SBOM generation and Grype vulnerability scan
- pip-audit for known security issues
- Publish to test.pypi.org then pypi.org
- Attach build artefacts to the GitHub release
- Promote the draft release
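Both release workflows start from the same precondition: a signed, annotated tag whose name is valid semver, pushed from a fork that is in sync with upstream. The script below is an added example (not part of the lfreleng-actions tooling or its workflows) of the pre-flight checks a maintainer can run locally before `git push upstream v1.2.3`, so that a tag the workflow would reject never leaves the workstation. It assumes the remote and branch names used in the procedure above (`upstream`, `main`); the function and file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the lfreleng-actions tooling): local pre-flight
# checks before pushing a release tag. Assumes the remote is named "upstream"
# and the default branch is "main", as in the release procedure above.
set -eu

# Return 0 when $1 is a SemVer 2.0.0 tag name with an optional leading "v"
# (the form used above: v1.2.3). Pre-release and build-metadata suffixes such
# as v1.2.3-rc.1 or v1.2.3+build.5 are accepted; leading zeros in the
# major/minor/patch fields are rejected. Pre-release numeric identifiers with
# leading zeros are not rejected by this simplified pattern.
is_semver_tag() {
  printf '%s\n' "$1" | grep -Eq \
    '^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'
}

# Return 0 when local main points at exactly the commit upstream/main has,
# i.e. the fast-forward merge in the procedure above succeeded and nothing
# local was added afterwards.
main_in_sync_with_upstream() {
  [ "$(git rev-parse main)" = "$(git rev-parse upstream/main)" ]
}

# Return 0 when the tag exists, is an annotated tag object (not a lightweight
# ref, which "git tag -s -a" never creates) and carries a signature that git
# can verify with the keys available locally.
tag_is_signed_and_annotated() {
  tag=$1
  [ "$(git cat-file -t "refs/tags/$tag" 2>/dev/null)" = "tag" ] || return 1
  git verify-tag "$tag" >/dev/null 2>&1
}

# Run every check for the tag named in $1. Reports each failure on stderr and
# returns 1 if any check failed, 0 otherwise.
preflight_release_tag() {
  tag=$1
  status=0
  is_semver_tag "$tag" || {
    echo "refusing: '$tag' is not a SemVer tag name" >&2; status=1; }
  main_in_sync_with_upstream || {
    echo "refusing: main is not fast-forwarded to upstream/main" >&2; status=1; }
  tag_is_signed_and_annotated "$tag" || {
    echo "refusing: tag '$tag' is missing, lightweight, or its signature does not verify" >&2
    status=1; }
  return "$status"
}

# Usage (inside the clone, after "git tag -s -a v1.2.3 -m v1.2.3"):
#   sh preflight.sh v1.2.3 && git push upstream v1.2.3
if [ "$#" -gt 0 ]; then
  preflight_release_tag "$1"
fi
```

The semver check is deliberately the same shape as the workflow-side validation described above, so a tag that passes locally should also pass tag-push.yaml; the signature check only confirms that git can verify the tag with the keys on the workstation, and does not replace the signature validation the workflow performs.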
Note: Release workflows for other language types (Go, Maven, etc.) still need authoring.
Contributions are welcome. Please open an issue or pull request against the relevant repository. All repositories follow the Conventional Commits specification for commit messages and PR titles. The Apache-2.0 license applies to all repositories unless otherwise stated.