![]() |
Shared GitHub Actions: reusable workflows under .github/workflows/ and composite actions under composite/. Consumed by other repositories via pinned refs (for example release tags).
| What | Where |
|---|---|
| Reusable workflows | .github/workflows/*.yml |
| Composite actions | composite/**/action.yml (each folder usually has a README.md) |
| Agent / contributor rules | AGENTS.md |
| Detailed conventions | .cursor/composite-actions.mdc, .cursor/reusable-workflows.mdc |
Composites are grouped by domain under composite/<domain>/… (Terraform, config/bootstrap-style steps, shared hub utilities, etc.). Domains may grow over time — the tree in the repo is the source of truth.
Workflows that only run in this repository often use a self- prefix and call local reusables with ./.github/workflows/….
Reference a reusable workflow with your org, this repo name, file path, and a pinned ref (release tag recommended):
jobs:
ci:
uses: <org>/modules-hub/.github/workflows/<workflow>.yml@v1
secrets: inheritThe reusable validate.yml keeps PR hygiene and governance checks on by default, but product repositories can disable platform-oriented checks when they do not want workflow/YAML linting or CodeQL wired through the reusable layer.
Caller example for a product repository:
jobs:
base:
uses: Bedatty-Engineering/modules-hub/.github/workflows/validate.yml@v1
secrets: inherit
with:
is_pull_request: ${{ github.event_name == 'pull_request' }}
enforce_source_branches: true
allowed_source_branches: "dev|hotfix/*"
target_branches_for_source_check: "main"
enable_actionlint: false
enable_yamllint: false
enable_codeql: falseNew validate.yml platform-check inputs:
enable_actionlint(defaulttrue): lint changed workflow files with actionlint.enable_yamllint(defaulttrue): lint changed YAML files with yamllint.enable_codeql(defaulttrue): run the reusable CodeQL workflow when the changed-file detector finds supported languages.
When these are disabled, the reusable still runs PR hygiene, commitlint, PR title/description validation, source-branch validation, advisory checks, and PR summary. The internal changed-file detector still runs so downstream conditionals remain stable, but the disabled platform jobs are intentionally skipped.
Composites under composite/ are normally reached through those workflows (uses: ./composite/… inside this repo). To call a composite directly from your own workflow YAML, use <org>/modules-hub/composite/<domain>/<action>@<ref> — see the README.md next to that action for inputs.
Versions are published with semantic-release (Git tags). Prefer semver tags (@v1, @v1.2.3) over branch names when wiring uses: in production.
See AGENTS.md for commit style, security expectations, and where the detailed rules live.
- Workflow and action metadata use the
.ymlextension (not.yaml). - Third-party actions should be pinned by commit SHA where possible; this repo’s workflows are typically referenced by version tag from consumers.
- Changes that affect callers should be described in PRs and, when needed, in the relevant composite
README.mdor docs next to the feature.
