원클릭으로
github-actions-workflows
Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | github-actions-workflows |
| description | Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments |
| license | Apache-2.0 |
Create and maintain secure, efficient CI/CD pipelines using GitHub Actions for the CIA platform. Covers build, test, security scanning, deployment, and agentic workflow integration.
gh-aw)| Component | Version | Notes |
|---|---|---|
| Java JDK | 26 (Temurin) | Source level 21 |
| Maven | 3.9.15 | Multi-module reactor build |
| PostgreSQL | 18 | Extensions: pgaudit, pgcrypto, pg_stat_statements |
| Node.js | 24 | MCP servers, Playwright |
| Runner | ubuntu-latest | GitHub Actions hosted |
name: CI/CD Pipeline
on:
push:
branches: [master]
pull_request:
branches: [master]
permissions:
contents: read
security-events: write
actions: read
jobs:
build:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up JDK 26
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
java-version: '26'
distribution: 'temurin'
cache: 'maven'
- name: Build with Maven
run: mvn clean install -DskipTests
- name: Run Tests
run: mvn test -Dtest='!**ITest*,!**/XmlDateTypeAdapterTest,!**/XmlTimeTypeAdapterTest,!**/XmlDateTimeTypeAdapterTest'
- name: Upload Coverage
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
with:
files: '**/target/site/jacoco/jacoco.xml'
security:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
with:
languages: java
- name: Autobuild
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
# Note: The actual codeql-analysis.yml uses a custom Maven build instead of autobuild.
# Replace this step with a manual build if autobuild fails for your project.
- name: CodeQL Analysis
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
- name: OWASP Dependency Check
run: mvn org.owasp:dependency-check-maven:check
deploy:
runs-on: ubuntu-latest
needs: [build, security]
if: github.ref == 'refs/heads/master'
permissions:
id-token: write # Required for OIDC
contents: read
steps:
- name: Deploy to AWS
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: eu-north-1
Always pin actions to full SHA commit hashes, never tags:
# ✅ Correct - pinned to SHA
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# ❌ Wrong - mutable tag
- uses: actions/checkout@v4
Always declare minimal permissions at workflow and job level:
permissions:
contents: read # Default for most jobs
security-events: write # Only for security scan uploads
issues: write # Only for issue management jobs
# ✅ Use GitHub secrets
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# ✅ Use OIDC for cloud access (no long-lived keys)
- uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
# ❌ Never hardcode credentials
# SLSA 3 build provenance (pin to a specific commit SHA)
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@3c58c41cab36161dc53f223132d1f59f1df67cf9 # v2
with:
rekor-log-public: true
| Workflow | Purpose | Trigger |
|---|---|---|
codeql-analysis.yml | Security vulnerability scanning | Push/PR to master + scheduled |
dependency-review.yml | Dependency security checks | PR only |
scorecards.yml | OpenSSF Scorecard assessment | Scheduled |
release.yml | Build artifacts + SLSA attestations | Manual (workflow_dispatch) |
copilot-setup-steps.yml | Copilot agent build environment | Copilot sessions |
javadoc-generation.yml | JavaDoc generation | Push/scheduled |
site-generation.yml | Maven site generation | Push/scheduled |
zap-scan.yml | OWASP ZAP security scan | Scheduled |
generate-intelligence-changelog.yml | Intelligence changelog generation | Manual (workflow_dispatch) |
labeler.yml | Pull request auto-labeling | pull_request_target |
validate-field-completeness.yml | JSON export field completeness | Push (path-filtered) |
validate-json-schemas.yml | JSON schema validation | Push/PR (path-filtered) + scheduled |
validate-view-documentation.yml | View documentation validation | Scheduled (monthly) + PR (path-filtered) |
services:
postgres:
image: postgres:18
env:
POSTGRES_USER: eris
POSTGRES_PASSWORD: ${{ secrets.DB_PASSWORD }}
POSTGRES_DB: cia_dev
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
# Multi-level caching for resilience
- name: Cache Maven repository
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
# Parallel builds for multi-module projects
- name: Build
run: mvn -T 1C clean install -DskipTests
GitHub Agentic Workflows (gh-aw) complement traditional Actions:
| Aspect | Traditional Actions | Agentic Workflows |
|---|---|---|
| Logic | Deterministic YAML | Natural language AI |
| Decisions | Pre-programmed conditionals | Context-aware reasoning |
| Format | .yml files | .md files → compiled to .lock.yml |
| Security | Manual permission management | Built-in 5-layer security |
| Best for | Build, test, deploy | Triage, review, docs, analysis |
Use both together: traditional Actions for deterministic build/test/deploy, agentic workflows for intelligent automation.
| Control | Implementation |
|---|---|
| ISO 27001 A.8.8 | Change management via PR-gated workflow changes |
| ISO 27001 A.8.15 | Audit logging via Actions run logs |
| NIST CSF PR.IP-1 | Baseline configuration via pinned action versions |
| CIS Control 16 | Application security via CodeQL + OWASP in pipeline |
.github/workflows/