一键导入
github-actions-workflows
Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | github-actions-workflows |
| description | Create secure CI/CD workflows with GitHub Actions for Java 26/Maven/PostgreSQL builds, security scans, and deployments |
| license | Apache-2.0 |
Create and maintain secure, efficient CI/CD pipelines using GitHub Actions for the CIA platform. Covers build, test, security scanning, deployment, and agentic workflow integration.
gh-aw)| Component | Version | Notes |
|---|---|---|
| Java JDK | 26 (Temurin) | Source level 21 |
| Maven | 3.9.15 | Multi-module reactor build |
| PostgreSQL | 18 | Extensions: pgaudit, pgcrypto, pg_stat_statements |
| Node.js | 24 | MCP servers, Playwright |
| Runner | ubuntu-latest | GitHub Actions hosted |
name: CI/CD Pipeline
on:
push:
branches: [master]
pull_request:
branches: [master]
permissions:
contents: read
security-events: write
actions: read
jobs:
build:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up JDK 26
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
java-version: '26'
distribution: 'temurin'
cache: 'maven'
- name: Build with Maven
run: mvn clean install -DskipTests
- name: Run Tests
run: mvn test -Dtest='!**ITest*,!**/XmlDateTypeAdapterTest,!**/XmlTimeTypeAdapterTest,!**/XmlDateTimeTypeAdapterTest'
- name: Upload Coverage
uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
with:
files: '**/target/site/jacoco/jacoco.xml'
security:
runs-on: ubuntu-latest
needs: build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
with:
languages: java
- name: Autobuild
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
# Note: The actual codeql-analysis.yml uses a custom Maven build instead of autobuild.
# Replace this step with a manual build if autobuild fails for your project.
- name: CodeQL Analysis
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
- name: OWASP Dependency Check
run: mvn org.owasp:dependency-check-maven:check
deploy:
runs-on: ubuntu-latest
needs: [build, security]
if: github.ref == 'refs/heads/master'
permissions:
id-token: write # Required for OIDC
contents: read
steps:
- name: Deploy to AWS
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: eu-north-1
Always pin actions to full SHA commit hashes, never tags:
# ✅ Correct - pinned to SHA
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# ❌ Wrong - mutable tag
- uses: actions/checkout@v4
Always declare minimal permissions at workflow and job level:
permissions:
contents: read # Default for most jobs
security-events: write # Only for security scan uploads
issues: write # Only for issue management jobs
# ✅ Use GitHub secrets
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
# ✅ Use OIDC for cloud access (no long-lived keys)
- uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
# ❌ Never hardcode credentials
# SLSA 3 build provenance (pin to a specific commit SHA)
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven.yml@3c58c41cab36161dc53f223132d1f59f1df67cf9 # v2
with:
rekor-log-public: true
| Workflow | Purpose | Trigger |
|---|---|---|
codeql-analysis.yml | Security vulnerability scanning | Push/PR to master + scheduled |
dependency-review.yml | Dependency security checks | PR only |
scorecards.yml | OpenSSF Scorecard assessment | Scheduled |
release.yml | Build artifacts + SLSA attestations | Manual (workflow_dispatch) |
copilot-setup-steps.yml | Copilot agent build environment | Copilot sessions |
javadoc-generation.yml | JavaDoc generation | Push/scheduled |
site-generation.yml | Maven site generation | Push/scheduled |
zap-scan.yml | OWASP ZAP security scan | Scheduled |
generate-intelligence-changelog.yml | Intelligence changelog generation | Manual (workflow_dispatch) |
labeler.yml | Pull request auto-labeling | pull_request_target |
validate-field-completeness.yml | JSON export field completeness | Push (path-filtered) |
validate-json-schemas.yml | JSON schema validation | Push/PR (path-filtered) + scheduled |
validate-view-documentation.yml | View documentation validation | Scheduled (monthly) + PR (path-filtered) |
services:
postgres:
image: postgres:18
env:
POSTGRES_USER: eris
POSTGRES_PASSWORD: ${{ secrets.DB_PASSWORD }}
POSTGRES_DB: cia_dev
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
# Multi-level caching for resilience
- name: Cache Maven repository
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
# Parallel builds for multi-module projects
- name: Build
run: mvn -T 1C clean install -DskipTests
GitHub Agentic Workflows (gh-aw) complement traditional Actions:
| Aspect | Traditional Actions | Agentic Workflows |
|---|---|---|
| Logic | Deterministic YAML | Natural language AI |
| Decisions | Pre-programmed conditionals | Context-aware reasoning |
| Format | .yml files | .md files → compiled to .lock.yml |
| Security | Manual permission management | Built-in 5-layer security |
| Best for | Build, test, deploy | Triage, review, docs, analysis |
Use both together: traditional Actions for deterministic build/test/deploy, agentic workflows for intelligent automation.
| Control | Implementation |
|---|---|
| ISO 27001 A.8.8 | Change management via PR-gated workflow changes |
| ISO 27001 A.8.15 | Audit logging via Actions run logs |
| NIST CSF PR.IP-1 | Baseline configuration via pinned action versions |
| CIS Control 16 | Application security via CodeQL + OWASP in pipeline |
.github/workflows/