github-workflows

GitHub reusable workflows for public Shopify repositories. Not specific to any language or ecosystem.

Using a workflow

We suggest you reference workflows by their git commit. If you include a commit and tag on the same line, Dependabot will maintain both references. Example: uses: Shopify/github-workflows/.github/workflows/scorecard.yaml@0cd53e568340d24a2aefc65236f0973b47402c14 # v0.0.1

Dependabot Configuration

Create/modify the .github/dependabot.yaml file in your repository. Make sure the updates block contains a github-actions entry.

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

Available workflows

cla.yaml

Ensure any code contributors have signed the Shopify CLA.

Example Workflow

name: Contributor License Agreement (CLA)

on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

permissions: {}

jobs:
  cla:
    uses: Shopify/github-workflows/.github/workflows/cla.yaml@c142f2dd84228c90bd716e4b5eafc68bd812f467 # v0.0.3
    permissions:
      pull-requests: write
    secrets:
      token: ${{secrets.GITHUB_TOKEN}}
      cla-token: ${{secrets.CLA_TOKEN}}

dependabot-automerge.yaml

Automatically approve and merge Dependabot PRs matching certain criteria. Supports filtering by ecosystem and semver gap, such as "all actions minor+patch updates".

Repositories using this workflow must:

• Have Allow auto-merge enabled.
• Have branch protection enabled, with the Require status checks to pass before merging option enforcing CI.

Example Workflow

name: Dependabot auto-merge
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    paths:
      - '.github/workflows/**'

permissions: {}

jobs:
  automerge:
    permissions:
      contents: write
      pull-requests: write
    uses: Shopify/github-workflows/.github/workflows/dependabot-automerge.yaml@c395c2cfd65be9a36f5dcfd21f4a2498a477fed4 # v0.0.6
    with:
      actions: minor

scorecard.yaml

Publish an OpenSSF Scorecard for a project. Use this in public repositories, so that consumers can be assured of Shopify's security practices.

Consider adding a badge like https://api.securityscorecards.dev/projects/github.com/Shopify/github-workflows/badge.

Example Workflow

name: Scorecard
on:
  branch_protection_rule:
  schedule:
    - cron: "30 1 * * 6"

permissions: {}

jobs:
  analysis:
    permissions:
      contents: read
      id-token: write
    uses: Shopify/github-workflows/.github/workflows/scorecard.yaml@0cd53e568340d24a2aefc65236f0973b47402c14 # v0.0.1
    secrets:
      token: ${{secrets.GITHUB_TOKEN}}