Bret’s Reusable Workflow Conventions

Store all reusable workflows in a single repo
- actions, gha-reusable, or reusable-workflows are all fine names
Standardize naming of "calling" versus "callable" workflow files
- Called/callable reusable workflows: reusable-*.yml
- Calling workflows: call-*.yml
Permissions should be set in both calling --> reusable
- Reusable workflow (at workflow level) sets required permissions to run
- Calling workflow (at job level) sets permissions it gives to reusable
Don’t mix workflow_call with push or pull_request events in the same file
Reusable workflow repos should have a local calling workflow to test it
- This may mean adding a sample Dockerfile and other file types as test data
Reusable workflow repos- should have a ./template/ full of calling workflow examples
Example of these conventions bretfisher/docker-build-workflow

Permissions in reusable workflows!

Below is a "calling" workflow. Notice the Job-based permissions
We always need to pass necessary permissions to the reusable workflow
The reusable "called" workflow gets the calling "context", including GITHUB_TOKEN and these perms
ProTip: Also set required perms in Reusable Workflow. Then, it’ll fail earily if calling doesn’t give them

name: Docker Build
on:
push:
  branches:
    - main
  pull_request:
jobs:
  call-docker-build:
    name: Call Docker Build
    uses: mostlydevops/actions/.github/workflows/reusable-docker-build.yaml@main
    permissions:
      packages: write
      pull-requests: write
    with:
      image-name: ghcr.io/mostlydevops/wordsmith-web

Bret’s Reusable Workflow Conventions

Permissions in reusable workflows!

Homework

Move to Reusable Workflow for Docker Build