
CI/CD and Governance

The repository uses four GitHub Actions workflows and a centralized template system for governance.

| Workflow | File | Trigger | Purpose |
|---|---|---|---|
| GitHub Pages Deploy | github-pages-deploy.yml | Push to main (docs/**), manual dispatch | Builds and deploys the documentation site to GitHub Pages |
| Build and Publish Docker Image | build-image.yml | Push to main (docker/**, package*.json), daily cron, repository_dispatch | Builds the Docker image, pushes to GHCR, and dispatches rebuilds to downstream repos |
| Require Linked Issue | require-linked-issue.yml | Pull request events | Blocks PRs that do not reference a GitHub issue |
| Enforce Repository Settings | enforce-repo-settings.yml | Every 6 hours, push to settings config, manual dispatch | Applies standardized repo settings from the template |
GitHub Pages Deploy (github-pages-deploy.yml)

```yaml
on:
  push:
    branches: [main]
    paths:
      - 'docs/**'
  workflow_dispatch:
```

Delegates to a reusable workflow in the template repository:

```yaml
jobs:
  docs:
    uses: f5xc-salesdemos/docs-control/.github/workflows/github-pages-deploy.yml@main
```

Permissions: contents: read, packages: read, pages: write, id-token: write. Uses concurrency group pages with cancel-in-progress: true to avoid stale deployments.

Only triggers on push when files under docs/ change. Can also be triggered manually via workflow_dispatch, which is how the dispatch job in build-image.yml triggers downstream rebuilds.

Build and Publish Docker Image (build-image.yml)

```yaml
on:
  push:
    branches: [main]
    paths:
      - 'docker/**'
      - 'package.json'
      - 'package-lock.json'
  schedule:
    - cron: '0 6 * * *'
  repository_dispatch:
    types: [rebuild-image]
```

Steps:

  1. Checkout code
  2. Log in to ghcr.io using docker/login-action
  3. Build and push using docker/build-push-action with context . and file docker/Dockerfile
  4. Tags: ghcr.io/<owner>/<repo>:latest and ghcr.io/<owner>/<repo>:<sha>

After a successful build, the dispatch job triggers github-pages-deploy.yml via workflow_dispatch on every downstream repo listed in the template repository’s downstream-repos.json config. This ensures all content repos rebuild their docs with the updated builder image.

The daily cron ensures the image stays current even without code changes (picks up dependency updates). The repository_dispatch event allows external systems to trigger a rebuild.

Only triggers on push when docker/ files or package*.json change. Docs-only changes do not trigger an image rebuild.

Require Linked Issue (require-linked-issue.yml)

```yaml
on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize]
```

Uses nearform-actions/github-action-check-linked-issues@v1 to enforce that every PR references a GitHub issue (for example, Closes #42 in the description). Because pull_request_target runs in the base-branch context with access to the repository's secrets, the job must only read PR metadata and never check out or execute code from the PR head. Dependabot PRs are excluded via:

```yaml
exclude-branches: "dependabot/**"
```

A custom message tells contributors the expected format if the check fails. See CONTRIBUTING.md for the full contributor workflow.

Enforce Repository Settings (enforce-repo-settings.yml)

```yaml
on:
  schedule:
    - cron: '0 */6 * * *'
  push:
    branches: [main]
    paths:
      - '.github/config/repo-settings.json'
  workflow_dispatch:
```

Delegates to a reusable workflow in the template repository:

```yaml
jobs:
  enforce:
    uses: f5xc-salesdemos/docs-control/.github/workflows/enforce-repo-settings.yml@main
    secrets:
      repo-admin-token: ${{ secrets.REPO_ADMIN_TOKEN }}
```

Runs every 6 hours and on changes to the settings config file. Applies branch protection rules, merge settings, and other repository configuration from .github/config/repo-settings.json.

Template Repository

The f5xc-salesdemos/docs-control repository is the single source of truth for:

  • Reusable workflow definitions (docs deploy, repo settings enforcement)
  • Managed files synced across all repos in the organization
  • Standard configurations and branch protection rules

This builder and all content repos inherit their CI/CD behavior from the template.

The template repository can push managed files (like workflow definitions and config files) to downstream repos. This keeps all repositories aligned without manual updates. The sync runs via a separate workflow in the template repo.

The enforce-repo-settings workflow applies branch protection rules from the template, including:

  • Required status checks before merge
  • Required linked issue check
  • Squash merge preferred
  • Auto-delete head branches after merge
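
As an added illustration of the drift check such an enforcement job performs (example code written for this page, not the docs-control reusable workflow itself): desired settings are read from a repo-settings.json, compared with the state the GitHub REST API reports, and the calls needed to restore them are planned. The JSON layout, the OWNER/REPO placeholders and the live state are constructed assumptions.

```python
import json

# Constructed sample of .github/config/repo-settings.json. The page does not
# show the real file's schema, so this layout is an assumption for the demo.
DESIRED_JSON = """{
  "repository": {"allow_squash_merge": true, "allow_merge_commit": false,
                 "delete_branch_on_merge": true},
  "branches": {"main": {"required_status_checks":
               {"strict": true, "contexts": ["Require Linked Issue"]}}}
}"""
DESIRED = json.loads(DESIRED_JSON)

# Constructed live state, shaped like the GitHub REST API responses for
# GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/branches/main/protection.
# Two settings have drifted: merge commits re-enabled, linked-issue check dropped.
LIVE_REPO = {"allow_squash_merge": True, "allow_merge_commit": True,
             "delete_branch_on_merge": True, "private": False}
LIVE_PROTECTION = {"main": {"required_status_checks": {"strict": True, "contexts": []}}}


def find_drift(desired, live_repo, live_protection):
    """Return [(setting, expected, actual)] for each desired value not in effect.
    Keys the template does not manage (e.g. 'private') are never flagged."""
    drift = []
    for key, expected in desired["repository"].items():
        if live_repo.get(key) != expected:
            drift.append((f"repository.{key}", expected, live_repo.get(key)))
    for branch, rules in desired["branches"].items():
        want = rules["required_status_checks"]
        live = live_protection.get(branch, {}).get("required_status_checks", {})
        if live.get("strict") != want["strict"] or \
                sorted(live.get("contexts", [])) != sorted(want["contexts"]):
            drift.append((f"branches.{branch}.required_status_checks", want, live))
    return drift


def plan_api_calls(desired, drift, owner="OWNER", repo="REPO"):
    """Translate drift into the REST calls an enforcement job would issue:
    a PATCH with only the differing repository keys, a full protection PUT."""
    calls = []
    patch = {k.split(".", 1)[1]: exp for k, exp, _ in drift if k.startswith("repository.")}
    if patch:
        calls.append(("PATCH", f"/repos/{owner}/{repo}", patch))
    for branch in sorted({k.split(".")[1] for k, _, _ in drift if k.startswith("branches.")}):
        body = {"required_status_checks": desired["branches"][branch]["required_status_checks"],
                # The PUT endpoint expects these keys as well; None (JSON null) means not set.
                "enforce_admins": None, "required_pull_request_reviews": None, "restrictions": None}
        calls.append(("PUT", f"/repos/{owner}/{repo}/branches/{branch}/protection", body))
    return calls
```

Running find_drift on a schedule and alerting on a non-empty result is also a cheap detection for branch-protection tampering between enforcement runs.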

Secrets

| Secret | Source | Purpose |
|---|---|---|
| GITHUB_TOKEN | Automatic (GitHub) | Used by most workflows for checkout, package publishing, and API calls |
| REPO_ADMIN_TOKEN | Manual (repository secret) | Required by enforce-repo-settings and the dispatch job to modify branch protection, repo settings, and trigger downstream workflows (needs admin scope) |