The typed CI/CD vocabulary that powers the pleme-io fleet. All actions auto-publish to free public GitHub-hosted compute.
```yaml
# .github/workflows/auto-release.yml
on:
  push: { branches: [main] }
jobs:
  release:
    uses: pleme-io/substrate/.github/workflows/auto-release.yml@main
    secrets: inherit
```

Note that `@main` is a floating ref: every run picks up whatever the substrate repository's `main` branch contains at that moment. Pin to a release tag or a full commit SHA when you need reproducible, reviewable workflow inputs.

```sh
cargo install pleme-io-releaser
pleme-release detect / plan / onboard
nix eval --raw github:pleme-io/substrate#lib.aarch64-darwin.release.patterns
```

## Akeyless secret management

- `akeyless-auth`: Akeyless login via access-id + (access-key | SAML | JWT). Exports `AKEYLESS_TOKEN` to subsequent steps so siblings (secret-fetch / rotate / etc.) can reuse it.
- `akeyless-export-config`: Export an Akeyless gateway config snapshot (auth methods + roles + items) for audit / diff / backup.
- `akeyless-injector-validate`: Validate Akeyless sidecar injector annotations on a set of k8s manifests. Sanity-checks that secret references point at valid Akeyless paths before applying.
- `akeyless-rotate`: Rotate a rotated-secret in Akeyless. Reads `$AKEYLESS_TOKEN`.
- `akeyless-secret-fetch`: Fetch a static / dynamic / rotated secret from Akeyless. Reads `$AKEYLESS_TOKEN` (set by `akeyless-auth`); the operator typically invokes `akeyless-auth` in a prior step.
## Ansible Collection

- `ansible-collection-build`: Build an Ansible collection tarball via the substrate flake (`nix run .#build`).
- `ansible-collection-publish`: Publish an Ansible collection to Galaxy via the substrate flake (`nix run .#publish`).
## Backup (restic)

- `restic-backup`: Run a restic backup to any supported repo (s3 / b2 / sftp / etc.).
## Build: cross-compile / OCI / Ansible

- `rust-cross-build`: `cargo build --release` for a target; stage the binary + its sha256 into `./dist`.
## Version bumping

- `rust-workspace-bump`: Bump a Rust `workspace.package.version` via `cargo set-version --workspace --bump <type>`, regenerate `Cargo.nix`, commit + tag locally. No shell: composes existing rust + tatara-script + git primitives.
- `substrate-bump`: Bump version using the substrate flake `bump` app (`nix run .#bump -- …`).
## caixa: canonical SDLC primitive

- `caixa-bump`: Bump the `:version` field inside a `(defcaixa ...)` form. Sibling of `cargo-bump` / `npm-bump` for the tatara-lisp + caixa SDLC primitive.
- `caixa-publish`: Publish a caixa-rendered Helm chart to an OCI registry. Wraps `helm-publish` but consumes the `caixa-render` output dir.
- `caixa-render`: Render cluster artifacts (Helm chart + Kubernetes manifests + Flux + CI workflows) from a `(defcaixa ...)` form via the `feira` CLI.
- `caixa-render-pr`: Render every `.caixa.lisp` at the repo root via pleme-doc-gen + open a PR if the rendered artifacts drift from the on-disk files. The META-PRIMITIVE that closes the typed-source → mechanical-render → PR loop without operator intervention.
## Cloud providers

- `aws-assume-role`: Assume an AWS IAM role via OIDC (no long-lived creds). Exports `AWS_ACCESS_KEY_ID` + `AWS_SECRET_ACCESS_KEY` + `AWS_SESSION_TOKEN` to subsequent steps.
- `aws-s3-upload`: Upload a file or directory to S3. Pairs with `aws-assume-role` for IAM. Useful for build-artifact ship, backup, SBOM archive, etc.
- `azure-deploy`: Deploy via Azure CLI (`az deployment group create`).
- `cloudflare-pages-deploy`: Deploy a static build dir to Cloudflare Pages via wrangler. Universal: works with any output dir (Vite, mkdocs, cargo doc, hand-built static).
- `cloudflare-r2-upload`: Upload a file or directory to Cloudflare R2 via `wrangler r2 object put`. S3-compatible alternative.
- `cloudflare-worker-deploy`: Deploy a Cloudflare Worker via wrangler. Reads `wrangler.toml` at the repo root or at the given path.
- `doctl-deploy`: Deploy a DigitalOcean App Platform app.
- `fly-deploy`: Deploy a Fly.io app via flyctl. Uses `fly.toml` at the repo root; honors the `$FLY_API_TOKEN` env var.
- `gcp-auth`: GCP Workload Identity Federation login (no service-account JSON key). Exports `GOOGLE_APPLICATION_CREDENTIALS` to subsequent steps.
- `heroku-deploy`: Deploy via `git push heroku main`.
- `netlify-deploy`: Deploy to Netlify via the netlify CLI.
- `railway-up`: Deploy via `railway up`.
- `render-deploy`: Trigger a Render service deploy via API.
- `vercel-deploy`: Deploy to Vercel via the vercel CLI.
## Notifications across N channels

- `discord-notify`: Post a typed release event to a Discord webhook. Sibling of `slack-notify`.
- `email-notify`: Send a plain-text email via SMTP. Sibling of `slack-notify` / `discord-notify` for ops contexts where webhooks aren't available.
- `matrix-notify`: Send a message to a Matrix room via the appservice REST API.
- `mattermost-notify`: POST to a Mattermost webhook.
- `pagerduty-notify`: Trigger / resolve a PagerDuty incident via the Events API v2. Useful for CI-driven on-call paging.
- `slack-notify`: Post a typed release event to a Slack webhook. Universal: works for any release flow that wants typed notifications.
- `teams-notify`: Post an adaptive card to a Microsoft Teams incoming webhook.
- `telegram-notify`: Send a message to a Telegram chat via the bot API.
- `twilio-sms`: Send an SMS via Twilio.
## Container build (Docker / ko / buildah / podman)

- `buildah-build`: Build an OCI image with buildah (rootless alternative).
- `buildkit-cache-warm`: Pre-warm buildkit's registry-mounted layer cache for an image. Useful for cold-start CD runners or fan-out builds.
- `crane-mutate`: Mutate an OCI image's labels/tags via crane.
- `docker-build-and-push`: Multi-arch `docker buildx build` + push to ghcr.io (or any OCI registry). Universal: works on any Dockerfile-bearing repo.
- `ko-build`: Containerless Go image build + push via ko. No Dockerfile required.
- `oci-image-push`: Push an OCI image tarball (Nix dockerTools output) to a registry, with skopeo as the fallback.
- `podman-build`: Build a container image with podman (rootless, daemonless alternative to docker).
- `skopeo-copy`: Copy an OCI image between registries via `skopeo copy`.
## Data validation

- `json-schema-check`: Validate JSON files against a JSON Schema.
- `yaml-lint`: Run yamllint on YAML files.
## Database: migrations + backups

- `atlas-migrate`: Apply schema migrations via Atlas.
- `db-backup`: Dump a database to a backup artifact. PostgreSQL via `pg_dump`, MySQL via `mysqldump`.
- `db-migrate`: Polymorphic DB migration; routes to sqlx-migrate / alembic / knex / etc. based on the detected ecosystem.
- `flyway-migrate`: Run `flyway migrate`.
- `prisma-migrate`: Run `prisma migrate deploy`.
- `sqitch-deploy`: Run `sqitch deploy`.
## Developer experience

- `devcontainer-build`: Build a devcontainer image via `@devcontainers/cli`.
- `pre-commit-run`: Run pre-commit on all files.
## Repo-type dispatch

- `caixa-detect`: Find `caixa.tlisp` (or any `.tlisp` file containing `(defcaixa ...)`) at the repo root. Emits the file path + the caixa kind (Biblioteca | Binario | Servico | Supervisor | Aplicacao).
- `detect-repo-type`: Auto-detect the repo type from manifest file presence at the root. Emits a typed identifier (rust-workspace / rust-single-crate / npm / python / helm / ansible-collection / ruby-gem / github-action / unknown) that downstream jobs route on.
## Documentation generation + publishing

- `api-spec-diff`: Detect breaking changes in an OpenAPI / GraphQL / gRPC spec between base + head refs. Useful PR-time gate for API surface stability.
- `changelog-generate`: Generate a `CHANGELOG.md` (or fragment) from the git log since a base ref. Universal primitive: language-agnostic, used by every release flow that wants typed changelogs.
- `docs-publish`: Polymorphic doc generation + deploy to GitHub Pages. Detects repo type + routes to cargo doc / mkdocs / typedoc. The third compounding leg of the publish-side primitives (release + sbom + docs).
- `docusaurus-build`: Build a Docusaurus site.
- `hugo-build`: Build a Hugo site.
- `mdbook-build`: Build an mdBook.
- `mkdocs-build`: Build an mkdocs site.
- `toc-update`: Auto-update a markdown table of contents between markers. Idempotent: re-runs are a no-op when the TOC already matches the headings.
- `vitepress-build`: Build a VitePress site.
- `zola-build`: Build a Zola site.
## Frontend testing + deployment

- `cypress-test`: Run `cypress run`.
- `lighthouse-ci`: Run Lighthouse CI on a URL list + assert score thresholds.
- `percy-snapshot`: Capture Percy visual regression snapshots.
- `playwright-test`: Run the `@playwright/test` suite.
- `storybook-deploy`: Build + deploy a Storybook to gh-pages.
## GitHub API

- `derive-version-from-tag`: Strip the leading "v" from a tag ref to derive a SemVer version string.
- `gh-release-create`: Create a GitHub Release for a tag with optional auto-generated notes + asset uploads. Universal primitive: any language, any package shape.
## Git operations

- `git-commit-tag`: Configure the github-actions bot identity, stage typed paths, commit with a typed message template, and create an annotated tag. Composes with `git-push-with-token` for the push half.
- `git-push-with-token`: Rewrite the origin URL with the given token, then push branch + tags so downstream workflows can be triggered (pushes made with the default `GITHUB_TOKEN` do not start further `push`-driven workflow runs, which is why a separate token is needed here).
## Helm: chart packaging + deployment

- `helm-bump`: Bump a Helm `Chart.yaml` version field via in-place yaml-edit. Sibling of `cargo-bump` for the Helm ecosystem.
- `helm-oci-publish`: Lint, package, and push a Helm chart to an OCI registry.
- `helm-publish`: Publish a Helm chart to an OCI registry (default `ghcr.io/pleme-io/helm`); skip if (name, version) already exists.
## Repo hygiene

- `branch-protect-sync`: Apply branch-protection rules from a JSON spec.
- `codeowners-validate`: Validate `.github/CODEOWNERS` against the repo file tree (catch unowned paths).
- `gh-team-sync`: Sync GitHub team membership from a declarative YAML spec via `gh api`. Source of truth for org RBAC.
- `stale-issue-bot`: Mark stale issues + close them after a threshold.
## IaC: Terraform / Pulumi

- `iac-forge`: Run iac-forge codegen against a spec + provider TOML.
- `pulumi-up`: Run `pulumi up` on a stack.
- `terraform-apply`: Run `terraform apply` against a previously generated plan file. Pairs with `terraform-plan`.
- `terraform-plan`: Run `terraform init` + `plan` + emit the plan file. Pairs with `terraform-apply` for the GitOps split-flow.
## Kubernetes: apply / deploy / reconcile / wait

- `argocd-sync`: Trigger `argocd app sync` + wait for Healthy/Synced. Sibling of `flux-reconcile`.
- `flux-reconcile`: Trigger a FluxCD reconcile on a HelmRelease / Kustomization / GitRepository / OCIRepository. Useful in CD pipelines that want to force-converge after a release lands.
- `helm-deploy`: `helm upgrade --install` with `--wait`. Sibling of `helm-publish`; this is for in-cluster installation, not registry push.
- `helmfile-apply`: Run `helmfile apply`.
- `k8s-rollout-wait`: Wait for a single k8s rollout to converge. Sibling of `kubectl-apply` (which applies + waits on detected resources); this targets a single named resource for finer-grained gating.
- `kubectl-apply`: Apply k8s manifests + wait for rollout. Universal: works with any kubectl-reachable cluster.
- `kustomize-render`: `kustomize build`, emitting the rendered manifests. Optional in-place commit to a target branch for GitOps workflows.
- `tanka-apply`: Run `tk apply` on a Tanka environment.
- `velero-backup`: Run `velero backup create`.
## Multi-language (Go / Java / .NET / Swift / Elixir / Zig / WASM)

- `dotnet-publish`: `dotnet publish` + push to NuGet.
- `go-build`: Build Go binaries with `go build`.
- `go-test`: Run `go test` with coverage.
- `golangci-lint`: Run golangci-lint with a configurable preset.
- `goreleaser`: Run goreleaser to publish Go binaries to GitHub Releases.
- `gradle-build`: Build a Gradle project (Java/Kotlin/Scala).
- `hex-publish`: Publish an Elixir package to hex.pm.
- `maven-build`: Build a Maven project.
- `mix-test`: Run `mix test` on an Elixir project.
- `swift-build`: Run `swift build` on a Swift package.
- `wasm-build`: Build a Rust crate to wasm32 (`wasm32-unknown-unknown` / `wasm32-wasi`). Universal: wraps cargo + wasm-pack when needed.
- `xcodebuild`: Build an Xcode project/workspace.
- `zig-test`: Run `zig build test`.
## Message brokers: NATS / Kafka

- `kafka-publish`: Publish a message to a Kafka topic via kcat.
- `nats-publish`: Publish a message to a NATS subject via natscli.
## Meta: directive enforcement + audit + renderer

- `action-shell-lint`: Enforce the NO-SHELL directive on `pleme-io/actions/*`: scans every `action.yml`, counts shell-line bodies outside the canonical loader, and rejects PRs that exceed the threshold.
- `adoption-audit`: Scan a GitHub org for AUTO-RELEASE directive adoption; counts repos with/without the canonical 3-workflow surface. Emits a markdown report + sets typed outputs. Runs cheaply on free public CI.
- `defaction-render`: Render a typed `(defaction ...)` or `(defworkflow ...)` `.lisp` source into the action triple (`action.yml` + `run.tlisp` + `README.md`) or workflow yaml. The Pillar 12 (generation over composition) primitive at the CI layer.
## Mobile: Fastlane / App Store / EAS / Flutter

- `app-store-connect`: Upload an iOS build to App Store Connect via altool.
- `eas-build`: Run `expo eas build` for iOS/Android.
- `fastlane-deploy`: Run a fastlane lane to deploy an iOS/Android build.
- `flutter-build`: Build a Flutter app for a target.
## Networking: WireGuard / Tailscale

- `tailscale-auth`: Authenticate the runner with Tailscale via OAuth or an auth-key.
- `wireguard-up`: Bring up a WireGuard tunnel for ephemeral runner access.
## Nix: build / cache push

- `nix-attic-push`: Push a built nix path to an Attic binary cache.
- `nix-build`: Build a flake output (universal). Optionally pushes to cachix/attic afterward.
- `nix-cachix-push`: Push a built nix path to a Cachix binary cache.
## npm ecosystem

- `npm-bump`: Bump an npm `package.json` version via `npm version --no-git-tag-version <type>`, then refresh `package-lock.json`. Sibling of `cargo-bump` for the npm ecosystem.
- `npm-publish`: Publish an npm package to npmjs.org; skip if (name, version) already exists; auto-rename to `@pleme-io/` on name conflict.
## Observability: markers / metrics / logs / profiles

- `datadog-event`: Post a typed event to the Datadog Events API. Universal for release markers, deploy events, alert correlations.
- `grafana-annotation`: Create a Grafana annotation (release marker, deploy event, incident note). Visible on every dashboard that overlaps the time range.
- `honeycomb-marker`: Add a Honeycomb marker (release/deploy correlation).
- `loki-log-push`: Push a batch of log lines to a Loki ingester.
- `otel-collector-deploy`: Deploy an OpenTelemetry Collector config to a k8s ConfigMap.
- `prometheus-push`: Push metrics to a Prometheus pushgateway. Useful for emitting deploy/release counters from CI.
- `pyroscope-push`: Push a profiling sample to a Pyroscope server.
- `sentry-release`: Create a Sentry release + associate commits.
## Registry publishing

- `rust-workspace-publish`: Ship every workspace member to the Rust registry in topological dependency order. Auto-renames any conflicting crate with a `pleme-io-` prefix, commits the rename back to main, and retries. Pure tlisp logic; no shell beyond install glue.
## Python ecosystem

- `python-bump`: Bump a Python `pyproject.toml` version field via `uv version --bump`. Sibling of `cargo-bump` for the Python ecosystem.
- `python-publish`: Publish a Python package to pypi.org via `uv publish`; skip if (name, version) already exists; sleep + retry on rate limit.
## Code quality: mutation / benchmark / SonarQube / accessibility

- `benchmark-runner`: Polymorphic benchmark runner: criterion for Rust, pytest-benchmark for Python. Pushes results to a `benches` branch for trend tracking.
- `mutation-test`: Polymorphic mutation testing: cargo-mutants for Rust, stryker for npm/python. Surfaces real test gaps the regular test-gate doesn't catch.
- `pa11y-ci`: Run a pa11y-ci accessibility scan.
- `sonarqube-scan`: Run a SonarQube/SonarCloud scan + push results.
## Release management: Changesets / semantic-release

- `changesets`: Run the npm/changesets version + publish flow.
- `release-please`: Run google/release-please-action.
- `release-promote`: Promote a built artifact between environments (dev → staging → prod). Re-tags an existing image/version rather than rebuilding, ensuring a bit-identical artifact at each stage.
- `semantic-release`: Run semantic-release (conventional-commits → version).
- `yank-version`: Polymorphic yank/unpublish: `cargo yank` / `npm deprecate` / pip remove. Surgical rollback for a single bad version (does NOT delete previous versions).
## Ruby gem

- `gem-publish`: Build & push a Ruby gem to RubyGems.org, tolerating identical-version re-pushes.
## Runtime: tatara-script

- `tatara-script`: Execute an embedded `.tlisp` source string with tatara-script (binary-first, cargo-install fallback).
## Rust ecosystem

- `cargo-bump`: Bump a single-crate Rust repo via `cargo set-version --bump`, regenerate `Cargo.nix`, refresh `Cargo.lock`. Sibling of `rust-workspace-bump` for non-workspace Rust repos.
- `cargo-publish-crate`: Publish a single Rust crate to crates.io; skips if (name, version) already exists; sleeps + retries on 429 rate-limit. Sibling of `rust-workspace-publish` for non-workspace Rust repos.
## SDLC automation

- `dependabot-trigger`: Trigger Dependabot to re-evaluate dependency updates via `gh api`.
- `dependency-update`: Polymorphic dependency lock refresh + open a PR if anything changed. Detects the ecosystem (rust → `cargo update`; npm → `npm update`; python → `uv lock --upgrade`; nix → `nix flake update`). Idempotent: exits 0 with no PR when there is nothing to update.
- `issue-create`: Create (or reuse) a GitHub issue for a typed event. Useful for workflow auto-reporting (test failures, broken deps, drift, etc.). Idempotent via title-match deduplication.
- `nix-flake-update`: Run `nix flake update` + open a PR if `flake.lock` changed. Idempotent: exits 0 with no PR when the lock is current. Specific case of `dependency-update` for nix-only repos.
- `onboard-auto-release`: Scaffold the canonical 3-workflow pleme-io auto-release surface into a repo (`auto-release.yml` + `pre-merge-gate.yml` + `security-gate.yml`). Idempotent: skips files that already exist unless `--force` is set.
- `pr-comment`: Post or update a comment on a pull request. Idempotent via a magic marker: re-running updates the existing comment instead of spamming.
- `status-badge`: Generate an SVG status badge (shields.io-style) for a label/value pair. Universal: used to render build/test/coverage/version badges into a repo or a static site.
## Security: vuln scans / SBOM / signing / secrets

- `bandit`: Run the bandit Python security scan.
- `checkov`: Run the checkov IaC security scan.
- `conftest`: Run a conftest OPA-based policy check.
- `cosign-verify`: Verify a cosign signature on an artifact or image.
- `cyclonedx-merge`: Merge multiple CycloneDX SBOMs into a single combined doc.
- `gh-secrets-sync`: Sync GitHub repo/org/env secrets from a typed YAML spec (encrypted).
- `gosec`: Run the gosec Go security scan.
- `image-scan`: Scan a container image for vulnerabilities + secrets via Trivy. Emits typed severity + vuln-count outputs. Configurable fail-on-severity gate.
- `kics-scan`: Run the KICS IaC security scan.
- `license-finder`: Scan dependencies for license compatibility via license_finder.
- `license-header-check`: Verify every source file has a typed `SPDX-License-Identifier` header. Universal: works on any source tree; configurable extensions + license set.
- `provenance-attest`: Sign artifacts with sigstore/cosign keyless OIDC. Universal: works on any file (binary, tarball, SBOM, container image digest). Produces a `.sig` + `.cert` pair that downstream consumers can verify with `cosign verify-blob`.
- `sbom-generate`: Generate a CycloneDX or SPDX SBOM from the repo via syft. Universal: works on any source tree (Rust, Node, Python, Helm, Docker context, etc.).
- `secrets-scan`: gitleaks-based secret scan across the repo. Emits a typed finding count + severity. Configurable fail-on-found gate.
- `security-audit`: Polymorphic dependency-vulnerability audit. Detects the repo type + routes to cargo-audit / npm-audit / pip-audit / etc. Emits a typed severity summary.
- `slsa-attest`: Generate a SLSA provenance attestation for a build artifact (Level 3 via in-toto).
- `snyk-test`: Snyk dependency vulnerability scan with a severity gate.
- `tfsec`: Run tfsec on Terraform code.
- `vault-fetch`: Fetch a secret from HashiCorp Vault via JWT-OIDC auth.
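`image-scan`, `secrets-scan` and `security-audit` all describe the same shape of gate: tally findings by severity, emit typed outputs, and fail the job when anything meets a configured threshold. The following added example (written for this page; it is not pleme-io code and does not show how the actions are implemented) does that over a report in the shape of Trivy's JSON output. The `Results` / `Vulnerabilities` / `Severity` field names match Trivy's report format; the sample report itself, its placeholder CVE IDs and the `fail_on` parameter name are constructed for illustration.

```python
"""Severity gate over a Trivy-style JSON report (added example, not pleme-io code).

Assumes the report shape of `trivy image --format json`: a top-level "Results"
list whose entries carry a "Vulnerabilities" list (which Trivy emits as null
when a target has none) with a "Severity" string on each finding.
"""
import json
from collections import Counter

# Lowest to highest; the gate fails on anything at or above the chosen level.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: three findings across two targets, one target with no findings.
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:1.2.3 (alpine 3.19)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "LOW"},
        ]},
        {"Target": "usr/bin/app", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "serde", "Severity": "MEDIUM"},
        ]},
        {"Target": "etc/config", "Vulnerabilities": None},
    ]
})


def count_by_severity(report_json):
    """Tally findings per severity across all targets; null lists count as zero."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev if sev in SEVERITY_ORDER else "UNKNOWN"] += 1
    return counts


def gate(report_json, fail_on="HIGH"):
    """Return (passed, summary). Fails when any finding is at or above `fail_on`."""
    fail_on = fail_on.upper()
    if fail_on not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {fail_on}")
    counts = count_by_severity(report_json)
    threshold = SEVERITY_ORDER.index(fail_on)
    blocking = sum(n for sev, n in counts.items() if SEVERITY_ORDER.index(sev) >= threshold)
    summary = {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}
    summary["total"] = sum(counts.values())
    summary["blocking"] = blocking
    return blocking == 0, summary


def github_outputs(summary):
    """Render the summary as key=value lines suitable for appending to $GITHUB_OUTPUT."""
    return "".join(f"{key.lower()}={value}\n" for key, value in summary.items())


if __name__ == "__main__":
    ok, summary = gate(SAMPLE_REPORT, "HIGH")
    print(github_outputs(summary), end="")
    raise SystemExit(0 if ok else 1)
```

Two details matter for a gate like this: treat a missing or null `Vulnerabilities` list as zero findings rather than as an error (Trivy emits null for clean targets), and reject an unknown threshold string loudly, since a typo such as `fail_on: hgih` that silently disables the gate is worse than a failing job.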
## Spec watching

- `spec-watch`: Detect changes in an upstream OpenAPI/JSON spec by comparing its sha256 against a cached value.
## Storage: S3 / GCS / cross-workflow

- `artifact-fetch`: Fetch an artifact from a previous workflow run (cross-workflow handoff).
- `gcs-sync`: Sync a local directory to GCS via `gsutil rsync`.
- `s3-mirror`: Mirror a local directory tree to S3 with `--delete` semantics (`aws s3 sync`).
## Uncategorized (needs a home)

- `codeql-scan`: GitHub CodeQL SAST scan. Polymorphic: auto-detects the language; uploads SARIF to GitHub Code Scanning.
- `coverage-upload`: Generate test coverage + upload to Codecov. Polymorphic: detects the ecosystem (rust uses cargo-tarpaulin, npm uses `jest --coverage`, python uses `pytest --cov`).
- `k6-load-test`: Run a k6 load test script + emit summary JSON. Pairs with thresholds for PR-time perf regression gating.
- `onepassword-fetch`: Fetch a secret from 1Password via a Service Account token. Sibling of `akeyless-secret-fetch`.
- `semgrep-scan`: Semgrep SAST scan with a configurable rule set.
## Validation: per-language gates + universal lints

- `nix-flake-check`: Run `nix flake check` with DeterminateSystems Nix.
- `npm-gate`: PR-time quality gate for an npm repo: `prettier --check` + eslint + `npm test` (each conditionally run based on script presence in `package.json`).
- `python-gate`: PR-time quality gate for a Python repo: `ruff format --check` + `ruff check` + pytest. Universal across uv/poetry/hatch layouts.
- `rust-gate`: PR-time quality gate for a Rust repo: `cargo fmt --check` + `cargo clippy` + `cargo test`. Universal for both workspace + single-crate shapes.
- `tlisp-lint`: Validate every `*.tlisp` file under the repo: balanced parens, balanced strings, balanced comments, and (when tatara-script is installed) a parser-level dry-run. Catches the parse-error class of bug at PR time instead of after-tag.
- `typecheck-gate`: Polymorphic typecheck gate: runs `cargo check` / `tsc --noEmit` / `mypy` based on repo type. Faster than the full test-gate when you just want type validity.
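The balance checks that `tlisp-lint` performs without the parser (parens, strings, comments) are a small tokenizer, and the subtle part is that each construct hides the others: a `)` inside a string or comment must not close anything, and an unterminated string must swallow the rest of the file rather than letting later parens "fix" the count. The following is an added example written for this page, not the tlisp-lint action's code; it assumes `;` line comments, `#| ... |#` block comments that may nest, and double-quoted strings with backslash escapes (all assumptions, since the dialect's exact syntax is not documented here), and it also tracks `[]` / `{}` pairs, which tlisp may or may not use. The sample sources are constructed.

```python
"""Delimiter balance lint for Lisp-style sources (added example, not tlisp-lint itself).

Assumed syntax: `;` to end of line, nestable `#| ... |#`, `"..."` with `\\` escapes.
Reports the first defect as (line, message) so CI output can point at it.
"""
from pathlib import Path

PAIRS = {"(": ")", "[": "]", "{": "}"}


def lint(source):
    """Return None when balanced, otherwise (line_number, message) for the first defect."""
    stack = []  # (opening char, line it was opened on)
    i, n, line = 0, len(source), 1
    while i < n:
        c = source[i]
        if c == "\n":
            line += 1
            i += 1
        elif c == ";":  # line comment: everything to end of line is opaque
            while i < n and source[i] != "\n":
                i += 1
        elif source.startswith("#|", i):  # block comment, nesting allowed
            start, depth, i = line, 1, i + 2
            while i < n and depth:
                if source.startswith("#|", i):
                    depth, i = depth + 1, i + 2
                elif source.startswith("|#", i):
                    depth, i = depth - 1, i + 2
                else:
                    if source[i] == "\n":
                        line += 1
                    i += 1
            if depth:
                return (start, "unterminated block comment")
        elif c == '"':  # string: backslash escapes the next char, newlines allowed
            start, i = line, i + 1
            while i < n and source[i] != '"':
                if source[i] == "\\":
                    i += 1
                elif source[i] == "\n":
                    line += 1
                i += 1
            if i >= n:
                return (start, "unterminated string")
            i += 1
        elif c in PAIRS:
            stack.append((c, line))
            i += 1
        elif c in PAIRS.values():
            if not stack:
                return (line, f"unexpected '{c}'")
            opener, opened_on = stack.pop()
            if PAIRS[opener] != c:
                return (line, f"'{c}' closes '{opener}' opened on line {opened_on}")
            i += 1
        else:
            i += 1
    if stack:
        opener, opened_on = stack[-1]
        return (opened_on, f"unclosed '{opener}'")
    return None


def lint_tree(root, pattern="*.tlisp"):
    """Lint every matching file under root; return [(path, line, message), ...]."""
    problems = []
    for path in sorted(Path(root).rglob(pattern)):
        problem = lint(path.read_text(encoding="utf-8"))
        if problem:
            problems.append((str(path), *problem))
    return problems


# Constructed sample: a `)` inside a comment and a `(` inside a block comment are both noise.
GOOD_SRC = """(defcaixa "svc"
  :version "1.2.3"   ; a trailing ) inside a comment is ignored
  #| block ( comment |#
  :deps [a b])
"""

if __name__ == "__main__":
    import sys
    found = lint_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, line, message in found:
        print(f"{path}:{line}: {message}")
    raise SystemExit(1 if found else 0)
```

Reporting the line where the construct was opened (not where the file ended) is what makes an "unclosed '('" finding actionable in a PR check; the end-of-file line is never where the mistake is.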
## Workflow orchestration: Temporal / Airflow

- `airflow-trigger`: Trigger an Airflow DAG via REST API.
- `temporal-trigger`: Start a Temporal workflow via the tctl/temporal CLI.
Per the generation-over-composition prime directive, this README.md is mechanically auto-generated from `action.yml` files via pleme-doc-gen (a Rust binary, published to crates.io via the directive's own dogfood).

MIT.