HOW-TO-USE: Chef Common GitHub Actions

February 25, 2026

This guide explains how to use the reusable workflows from the chef/common-github-actions repository in your own projects.

📖 For detailed pipeline architecture, tool reference, and mermaid diagrams, see PIPELINE-REFERENCE.md


Quick Start

Step 1: Copy the Stub Workflow

Copy the stub file to your repository's .github/workflows/ directory:

```yaml
# .github/workflows/ci-main-pull-request.yml
name: CI Pull Request on Main Branch

on:
  pull_request:
    branches: [ main, release/** ]
  push:
    branches: [ main, release/** ]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  call-ci-main-pr-check-pipeline:
    # Pin to a specific version for stability
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }}
      language: 'go'  # go, ruby, rust
      perform-complexity-checks: true
      perform-trufflehog-scan: true
      perform-trivy-scan: true
      perform-sonarqube-scan: true
      generate-sbom: true
```

Step 2: Configure Required Secrets

Ensure your repository or organization has the required secrets configured. See Required Secrets below.

Step 3: Add sonar-project.properties

Copy the appropriate template from workflow-supporting-files/sonar-templates/ to your repository root:

```sh
# For Go projects
cp GO-sonar-project.properties sonar-project.properties

# For Ruby projects
cp RUBY-sonar-project.properties sonar-project.properties

# For Rust projects
cp RUST-sonar-project.properties sonar-project.properties
```

Versioning with Tags

The common-github-actions repository uses semantic versioning tags to allow projects to reference specific versions:

```yaml
# Reference a specific version (recommended for stability)
uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7

# Reference the latest from main (use with caution)
uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
```

Tag Format

Tags follow semantic versioning: v{MAJOR}.{MINOR}.{PATCH}

| Bump Type | When to Use |
|---|---|
| MAJOR | Breaking changes |
| MINOR | New features, backward compatible |
| PATCH | Bug fixes, backward compatible |

Automatic Tagging

When code is merged to main in common-github-actions, a new patch tag is automatically created via the create-release-tag.yml workflow. Manual version bumps can be triggered via workflow dispatch.
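The pinning advice and the v{MAJOR}.{MINOR}.{PATCH} tag format above can be turned into a pre-merge check. The following Python script is an added example, not code from chef/common-github-actions: it scans a caller workflow for `uses:` references to this repository's reusable workflows, reports whether each reference is a semver tag, a full commit SHA or a floating branch, and flags a tag older than v1.0.7 when polaris-* inputs are present (those inputs were added in v1.0.7 according to the version history). The sample workflow text is constructed.

```python
import re

# Prefix shared by the reusable workflows this guide covers.
COMMON_WORKFLOWS = "chef/common-github-actions/"
# polaris-* inputs exist from v1.0.7 onward (see Version History).
POLARIS_INPUTS_SINCE = (1, 0, 7)

USES_RE = re.compile(r"^\s*uses:\s*(\S+)@(\S+)")
SEMVER_TAG_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def parse_tag(ref):
    """Return (MAJOR, MINOR, PATCH) for a v{MAJOR}.{MINOR}.{PATCH} tag, else None."""
    m = SEMVER_TAG_RE.match(ref)
    return tuple(int(x) for x in m.groups()) if m else None

def check_workflow(text):
    """Classify chef/common-github-actions refs: 'pinned-tag' (semver tag,
    recommended), 'pinned-sha' (full commit SHA), 'floating' (branch such as
    main) or 'old-tag' (tag below v1.0.7 while polaris-* inputs are passed;
    that check is file-wide, a simplification of per-job scoping)."""
    lines = text.splitlines()
    uses_polaris = any(ln.lstrip().startswith("polaris-") for ln in lines)
    findings = []
    for ln in lines:
        m = USES_RE.match(ln)
        if not m or not m.group(1).startswith(COMMON_WORKFLOWS):
            continue  # other actions, or no '@ref' at all
        ref = m.group(2)
        tag = parse_tag(ref)
        if tag is not None:
            old = uses_polaris and tag < POLARIS_INPUTS_SINCE
            findings.append((ref, "old-tag" if old else "pinned-tag"))
        elif SHA_RE.match(ref):
            findings.append((ref, "pinned-sha"))
        else:
            findings.append((ref, "floating"))
    return findings

# Constructed sample caller workflow (not taken from the guide).
SAMPLE = """\
jobs:
  ci:
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
  scan:
    uses: chef/common-github-actions/.github/workflows/trivy.yml@v1.0.7
"""
if __name__ == "__main__":
    for ref, verdict in check_workflow(SAMPLE):
        print(f"{verdict:10s} {ref}")
```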


Available Workflows

| Workflow | Purpose | File |
|---|---|---|
| CI Main Pull Request | Complete CI pipeline with security scans | ci-main-pull-request.yml |
| Create Release Tag | Auto-tag on merge to main | create-release-tag.yml |
| SCC | Source code complexity analysis | scc.yml |
| TruffleHog | Secret scanning | trufflehog.yml |
| Trivy | Vulnerability scanning | trivy.yml |
| SonarQube (Public) | SAST for public repos | sonarqube-public-repo.yml |
| SonarQube (Internal) | SAST for internal repos | sonarqube-internal-repo.yml |
| SBOM | Software Bill of Materials | sbom.yml |
| Quality Dashboard | Atlassian quality reporting | irfan-quality-dashboard.yml |

See PIPELINE-REFERENCE.md for detailed documentation on each tool, including workflow diagrams and job mappings.


Required Secrets

Configure these secrets at the repository or organization level:

| Secret | Used By | Purpose |
|---|---|---|
| SONAR_TOKEN | SonarQube | Authentication token |
| SONAR_HOST_URL | SonarQube | Server URL (progress.sonar.com) |
| AKEYLESS_JWT_ID | SonarQube | Azure firewall rules (public/internal) |
| POLARIS_SERVER_URL | BlackDuck Polaris | Server URL |
| POLARIS_ACCESS_TOKEN | BlackDuck Polaris | Authentication token |
| BLACKDUCK_SBOM_URL | BlackDuck SCA | Server URL |
| BLACKDUCK_SCA_TOKEN | BlackDuck SCA | Authentication token |
| HAB_PUBLIC_BLDR_PAT | Habitat/Grype | Builder access token |
| GH_TOKEN | Go modules | Private module access |

Configuration Examples

Go Project (CLI Application)

```yaml
name: CI Pipeline

on:
  pull_request:
    branches: [ main ]
  push:
    branches: [ main ]

jobs:
  ci:
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }}
      language: 'go'
      version: '1.0.0'
      build-profile: 'cli'

      # Code Quality
      perform-complexity-checks: true
      perform-language-linting: true

      # Security Scans
      perform-trufflehog-scan: true
      perform-trivy-scan: true
      perform-sonarqube-scan: true

      # BlackDuck Polaris
      perform-blackduck-polaris: true
      polaris-application-name: 'Chef-Chef360'
      polaris-project-name: ${{ github.event.repository.name }}
      polaris-assessment-mode: 'SAST'

      # Build
      build: true
      unit-tests: true

      # SBOM
      generate-sbom: true
      perform-blackduck-sca-scan: true
      blackduck-project-group-name: 'Chef-Chef360'
```

Ruby Project (Gem)

```yaml
jobs:
  ci:
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }}
      language: 'ruby'
      version: '1.0.0'

      perform-complexity-checks: true
      perform-language-linting: true
      perform-trufflehog-scan: true
      perform-trivy-scan: true
      perform-sonarqube-scan: true

      build: true
      unit-tests: true
      run-bundle-install: true  # For projects without a committed Gemfile.lock

      generate-sbom: true
      license_scout: true
```

Habitat Package

```yaml
jobs:
  ci:
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      visibility: ${{ github.event.repository.visibility }}
      language: 'rust'

      perform-trufflehog-scan: true
      perform-trivy-scan: true

      # Packaging
      package-binaries: true
      habitat-build: true
      publish-habitat-packages: true
      publish-habitat-hab_package: 'myorg/mypackage'
      publish-habitat-hab_channel: 'stable'
      habitat-grype-scan: true

      generate-sbom: true
```

Minimal Security Scan Only

```yaml
jobs:
  security:
    uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@v1.0.7
    secrets: inherit
    with:
      visibility: ${{ github.event.repository.visibility }}
      language: 'go'

      # Disable everything except security scans
      perform-complexity-checks: false
      perform-language-linting: false
      build: false
      unit-tests: false
      package-binaries: false
      habitat-build: false
      generate-sbom: false
      report-to-atlassian-dashboard: false

      # Enable security scans only
      perform-trufflehog-scan: true
      perform-trivy-scan: true
```

Input Reference

Core Inputs

| Input | Type | Default | Description |
|---|---|---|---|
| visibility | string | public | Repository visibility (public/private/internal) |
| language | string | ruby | Build language (go/ruby/rust) |
| version | string | 1.0.0 | Project version |
| go-private-modules | string | github.com/progress-platform-services/* | GOPRIVATE setting |

Security Scan Flags

| Input | Type | Default | Description |
|---|---|---|---|
| perform-complexity-checks | boolean | true | Run SCC complexity checks |
| perform-language-linting | boolean | true | Run language-specific linting |
| perform-trufflehog-scan | boolean | true | Run TruffleHog secret scan |
| perform-trivy-scan | boolean | true | Run Trivy vulnerability scan |
| perform-sonarqube-scan | boolean | true | Run SonarQube scan |
| perform-blackduck-polaris | boolean | false | Run BlackDuck Polaris SAST |
| perform-docker-scan | boolean | false | Run Docker scan |

Build Configuration

| Input | Type | Default | Description |
|---|---|---|---|
| build | boolean | true | Run CI build |
| build-profile | string | cli | Build profile |
| unit-tests | boolean | true | Run unit tests |
| run-bundle-install | boolean | false | Run bundle install (Ruby) |

BlackDuck Polaris

| Input | Type | Default | Description |
|---|---|---|---|
| polaris-application-name | string | - | Application name (Chef-Chef360, etc.) |
| polaris-project-name | string | repo name | Project name |
| polaris-working-directory | string | . | Working directory |
| polaris-assessment-mode | string | CI | Mode (SAST/CI/SOURCE_UPLOAD) |
| wait-for-scan | boolean | true | Wait for scan completion |

SBOM & SCA

| Input | Type | Default | Description |
|---|---|---|---|
| generate-sbom | boolean | true | Generate SBOM |
| export-github-sbom | boolean | true | Export GitHub SBOM |
| generate-msft-sbom | boolean | true | Generate Microsoft SBOM |
| license_scout | boolean | true | Run license scout |
| perform-blackduck-sca-scan | boolean | false | Run BlackDuck SCA scan |
| blackduck-project-group-name | string | Chef | BlackDuck project group |
| blackduck-project-name | string | repo name | BlackDuck project name |

Habitat Packaging

| Input | Type | Default | Description |
|---|---|---|---|
| package-binaries | boolean | true | Package binaries |
| habitat-build | boolean | true | Create Habitat packages |
| publish-habitat-packages | boolean | false | Publish to Builder |
| publish-habitat-hab_package | string | core/nginx | Package name |
| publish-habitat-hab_channel | string | stable | Channel |
| habitat-grype-scan | boolean | false | Scan with Grype |

Quality Dashboard

| Input | Type | Default | Description |
|---|---|---|---|
| report-to-atlassian-dashboard | boolean | true | Report to dashboard |
| report-unit-test-coverage | boolean | true | Report coverage |
| quality-product-name | string | Chef360 | Product name |

For a complete list of all inputs with detailed descriptions, see PIPELINE-REFERENCE.md.


Support

For issues or questions:

  1. Check PIPELINE-REFERENCE.md for detailed tool documentation
  2. Review DEV-README.md for development notes
  3. Open an issue in this repository

Version History

| Version | Date | Changes |
|---|---|---|
| v1.0.7 | 2025 | Added Polaris configuration options, Go build/test, Habitat Grype scanning |
| v1.0.5 | 2024 | Initial release with core security scanning |