init4tech · rswanson · Nov 26, 2025
@@ -1,4 +1,4 @@
-# github-release-binaries.yml
+# auto-release.yml
 
 ## Base Usage
 

@@ -0,0 +1,81 @@
+# ecr-build-and-push.yml
+
+## Base Usage
+
+```yml
+docker-ecr-push:
+  uses: init4tech/actions/.github/workflows/ecr-build-and-push.yml@main
+  with:
+    rust-binary-name: 'my-binary'
+    environment: 'dev'
+  secrets:
+    aws-ecr-repository: ${{ secrets.AWS_ECR_REPOSITORY }}
+    aws-ecr-deployer-role-arn: ${{ secrets.AWS_ECR_DEPLOYER_ROLE_ARN }}
+```
+
+## Required Parameters
+
+### `rust-binary-name`
+
+**Description:** Name of the Rust binary to build
+
+**Type**: `string`
+
+### `environment`
+
+**Description:** Environment to deploy to (used for GitHub environment secrets)
+
+**Type**: `string`
+
+## Optional Parameters
+
+### `requires-private-deps`
+
+**Description:** Requires private dependencies to be fetched, sets up ssh-agent
+
+**Type**: `boolean`
+
+**Default Value:** `false`
+
+### `dockerfile-path`
+
+**Description:** Path to the Dockerfile to use
+
+**Type**: `string`
+
+**Default Value:** `Dockerfile`
+
+## Required Secrets
+
+### `aws-ecr-repository`
+
+**Description:** ECR repository to push to
+
+**Type**: `string`
+
+### `aws-ecr-deployer-role-arn`
+
+**Description:** Role ARN to assume for ECR access
+
+**Type**: `string`
+
+## Optional Secrets
+
+### `SSH_PRIVATE_KEY`
+
+**Description:** SSH private key for fetching private dependencies (required if `requires-private-deps` is `true`)
+
+**Type**: `string`
+
+### `SSH_PRIVATE_KEY_2`
+
+**Description:** Additional SSH private key for fetching private dependencies
+
+**Type**: `string`
+
+### `SSH_PRIVATE_KEY_3`
+
+**Description:** Additional SSH private key for fetching private dependencies
+
+**Type**: `string`
+
@@ -1,13 +1,13 @@
-# github-release-binaries.yml
+# forge-script.yml
 
 ## Base Usage
 
 ```yml
 forge-script:
-  uses: init4tech/actions/.github/workflows/auto-release.yml@main
+  uses: init4tech/actions/.github/workflows/forge-script.yml@main
   with:
     github-environment: 'dev'
-    forge-script-contract: '0x0000000000000000000000000000000000000000'
+    forge-script-contract: 'MyScript'
     forge-script-signature: 'myFunction(address,uint256)'
     forge-script-params: '0x0000000000000000000000000000000000000000 123'
 ```
@@ -16,13 +16,13 @@ forge-script:
 
 ### `github-environment`
 
-**Description:** The github environment to use for the release
+**Description:** The GitHub environment to use (contains required secrets)
 
 **Type**: `string`
 
 ### `forge-script-contract`
 
-**Description:** The forge script contract to use for the release
+**Description:** Name of the script contract to run
 
 **Type**: `string`
 

@@ -0,0 +1,34 @@
+# ghcr.yml
+
+## Base Usage
+
+```yml
+build-and-push:
+  uses: init4tech/actions/.github/workflows/ghcr.yml@main
+```
+
+## Description
+
+This workflow builds and pushes a Docker image to GitHub Container Registry (GHCR). It builds multi-platform images for both `linux/amd64` and `linux/arm64` architectures and generates artifact attestations for supply chain security.
+
+The workflow automatically:
+- Builds the Docker image from the repository's `Dockerfile`
+- Tags the image based on the git reference (branch, PR, tag, etc.)
+- Pushes to `ghcr.io/<repository-name>`
+- Generates artifact attestations for provenance
+
+## Required Permissions
+
+The calling workflow must have the following permissions:
+
+- `contents: read` - To checkout the repository
+- `packages: write` - To push to GHCR
+- `attestations: write` - To create attestations
+- `id-token: write` - For OIDC authentication
+
+## Notes
+
+- The image name is automatically set to `ghcr.io/<repository-name>`
+- The workflow uses the repository's default Dockerfile in the root directory
+- Multi-platform builds are performed for both AMD64 and ARM64 architectures
+
@@ -0,0 +1,34 @@
+# ghcr.yml
+
+## Base Usage
+
+```yml
+build-and-push:
+  uses: init4tech/actions/.github/workflows/ghcr.yml@main
+```
+
+## Description
+
+This workflow builds and pushes a Docker image to GitHub Container Registry (GHCR). It builds multi-platform images for both `linux/amd64` and `linux/arm64` architectures and generates artifact attestations for supply chain security.
+
+The workflow automatically:
+- Builds the Docker image from the repository's `Dockerfile`
+- Tags the image based on the git reference (branch, PR, tag, etc.)
+- Pushes to `ghcr.io/<repository-name>`
+- Generates artifact attestations for provenance
+
+## Required Permissions
+
+The calling workflow must have the following permissions:
+
+- `contents: read` - To checkout the repository
+- `packages: write` - To push to GHCR
+- `attestations: write` - To create attestations
+- `id-token: write` - For OIDC authentication
+
+## Notes
+
+- The image name is automatically set to `ghcr.io/<repository-name>`
+- The workflow uses the repository's default Dockerfile in the root directory
+- Multi-platform builds are performed for both AMD64 and ARM64 architectures
+
@@ -5,13 +5,18 @@ Welcome to the documentation for the shared Github Actions workflows provided by
 ## Workflow Docs
 
 - [auto-release](./auto-release)
+- [auto-release-rust](./auto-release-rust)
+- [ecr-build-and-push](./ecr-build-and-push)
 - [forge-script](./forge-script)
+- [ghcr](./ghcr)
 - [github-release-binaries](./github-release-binaries)
 - [hugo-build-deploy](./hugo-build-deploy)
 - [release-crates](./release-crates)
 - [release-docker-ghcr](./release-docker-ghcr)
 - [release-rust-bin](./release-rust-bin)
 - [rust-base](./rust-base)
+- [rust-library-base](./rust-library-base)
 - [solidity-base](./solidity-base)
+- [solidity-coverage](./solidity-coverage)
 - [solidity-deployment](./solidity-deployment)
 - [solidity-static-analysis](./solidity-static-analysis)
@@ -1,10 +1,26 @@
-# github-release-binaries.yml
+# release-docker-ghcr.yml
 
 ## Base Usage
 
 ```yml
 release-docker-ghcr:
-  uses: init4tech/actions/.github/workflows/release-rust-bin.yml@main
+  uses: init4tech/actions/.github/workflows/release-docker-ghcr.yml@main
 ```
 
-## Optional Parameters
+## Description
+
+This workflow builds and pushes a Docker image to GitHub Container Registry (GHCR) for multiple platforms. It builds images for both `linux/amd64` and `linux/arm64` architectures, creates a multi-platform manifest, and generates artifact attestations.
+
+The workflow automatically:
+- Builds Docker images for multiple platforms (AMD64 and ARM64)
+- Tags images based on git references (branch, PR, semver tags, SHA)
+- Pushes to `ghcr.io/<repository-name>`
+- Creates a multi-platform manifest list
+- Generates artifact attestations for provenance
+
+## Required Permissions
+
+The calling workflow must have the following permissions:
+
+- `contents: write` - To create releases and tags
+- `packages: write` - To push to GHCR
@@ -1,4 +1,4 @@
-# github-release-binaries.yml
+# release-rust-bin.yml
 
 ## Base Usage
 

@@ -0,0 +1,98 @@
+# rust-library-base.yml
+
+## Base Usage
+
+```yml
+rust-library-base:
+  uses: init4tech/actions/.github/workflows/rust-library-base.yml@main
+```
+
+## Description
+
+This workflow extends `rust-base.yml` with additional feature checks. It runs all the checks from `rust-base.yml` (tests, doctests, rustfmt, clippy, docs) plus additional clippy checks for all feature combinations.
+
+## Optional Parameters
+
+### `rust-channel`
+
+**Description:** Sets the rust-toolchain channel if no toolchain file present
+
+**Type**: `string`
+
+**Default Value:** `stable`
+
+**Allowed values:** `stable`, `beta`, `nightly`
+
+### `install-foundry`
+
+**Description:** Will install `foundry` as a pre-test step to all use of the binary during the test phase
+
+**Type**: `boolean`
+
+**Default Value:** `false`
+
+**Allowed values:** `false`,`true`
+
+### `require-lockfile`
+
+**Description:** Will require a `Cargo.lock` file to be present in the repository
+
+**Type**: `boolean`
+
+**Default Value:** `false`
+
+**Allowed values:** `false`,`true`
+
+### `os`
+
+**Description:** Sets the OS for the runner
+
+**Type**: `string`
+
+**Default Value:** `ubuntu-latest`
+
+### `requires-private-deps`
+
+**Description:** Will require the use of private dependencies in the repository, meaning an ssh key needs to be added to ssh-agent
+
+**Type**: `boolean`
+
+**Default Value:** `false`
+
+**Allowed values:** `false`,`true`
+
+### `rust-profile`
+
+**Description:** The profile to give to cargo for running
+
+**Type**: `string`
+
+**Default Value:** `dev`
+
+## Optional Secrets
+
+### `SSH_PRIVATE_KEY`
+
+**Description:** The SSH private key to be used for private dependencies, required if `requires-private-deps` is set to `true`
+
+**Type**: `string`
+
+### `SSH_PRIVATE_KEY_2`
+
+**Description:** Additional SSH private key for fetching private dependencies
+
+**Type**: `string`
+
+### `SSH_PRIVATE_KEY_3`
+
+**Description:** Additional SSH private key for fetching private dependencies
+
+**Type**: `string`
+
+## Jobs
+
+This workflow runs two jobs:
+
+1. **rust-base-checks**: Runs all checks from `rust-base.yml` (tests, doctests, rustfmt, clippy, docs)
+2. **feature-checks**: Runs clippy with `--all-features` and `--no-default-features` to ensure code compiles with different feature combinations
+
@@ -0,0 +1,33 @@
+# solidity-coverage.yml
+
+## Base Usage
+
+```yml
+coverage:
+  uses: init4tech/actions/.github/workflows/solidity-coverage.yml@main
+```
+
+## Description
+
+This workflow checks code coverage for Solidity contracts using Foundry's coverage tools. It generates a coverage report and compares it against a committed `.coverage-report` file to ensure coverage doesn't regress.
+
+The workflow:
+- Generates a code coverage report using `forge coverage`
+- Filters out test files, script files, and library files from the report
+- Compares the generated report against the committed `.coverage-report` file
+- Fails if there are differences, ensuring coverage is maintained
+
+## Required Files
+
+The repository must have a `.coverage-report` file committed that contains the expected coverage report. This file is used as a baseline for comparison.
+
+## Environment Variables
+
+The workflow uses `FOUNDRY_PROFILE: ci` for the coverage generation.
+
+## Notes
+
+- The workflow filters out coverage for test files (`test/`), script files (`script/`), and the `BytesLib` library
+- Coverage is checked using the `--ir-minimum` flag for more accurate reporting
+- The workflow will fail if the generated coverage differs from the committed `.coverage-report` file
+