backbase-common/gc-ai-workflows that are used in Agentic AI platform CI/CD pipelines.
Overview
The `gc-ai-workflows` repository provides standardized, reusable GitHub Actions workflows and composite actions for Python AI/ML projects that use `uv` for package management. Using them keeps build, test, scan and publish behaviour consistent across all agent projects.
> [!IMPORTANT]
> Always use `secrets: inherit` when calling a reusable workflow. A called workflow receives no repository or organization secrets unless they are passed explicitly or inherited, so without it the steps that need GitHub App, Azure, SonarCloud or AI Gateway credentials fail.
Reusable Workflows
Build and Publish
A comprehensive workflow that builds a Docker image, runs quality checks, performs security scanning, and publishes the image to Azure Container Registry (ACR). Workflow: `backbase-common/gc-ai-workflows/.github/workflows/build-publish.yaml@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| timeout | Workflow timeout in minutes | 600 |
| pythonVersion | Python version to use | 3.x |
| sourcePath | Source path for code quality checks | src/ |
| enableSonar | Enable SonarCloud analysis | true |
| sonarHostUrl | SonarCloud host URL | https://sonarcloud.io |
| stableAcr | Azure ACR name on stable cluster | cragbs508 |
| enablePromptfoo | Enable promptfoo evaluation | true |
| promptfooConfig | Path to promptfoo config file | promptfooconfig.yaml |
| enableRedteam | Enable promptfoo redteaming | true |
| redteamConfig | Path to redteam config file | redteam.yaml |
| redteamNumTests | Number of redteam tests to run | 5 |
Output Parameters
- image: Full Docker image reference
Workflow Steps
- Setup project environment
- Check action SHA pinning
- Code quality checks (pylint, pytest, hadolint)
- Optional: Setup and run Promptfoo evaluation
- Optional: Run Promptfoo redteaming
- Optional: Run SonarCloud analysis
- Build Docker image
- Security check (Trivy image scan)
- Push Docker image to Azure ACR
Pull Request Check
A comprehensive validation workflow for pull requests that runs code quality checks, tests, a filesystem security scan, and optional promptfoo evaluations. It does not build or publish an image. Workflow: `backbase-common/gc-ai-workflows/.github/workflows/pull-request-check.yaml@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| ref | GitHub reference (branch/tag) | ${{ github.ref }} |
| timeout | Workflow timeout in minutes | 600 |
| pythonVersion | Python version to use | 3.x |
| sourcePath | Source path for code quality checks | src/ |
| enableSonar | Enable SonarCloud analysis | true |
| sonarHostUrl | SonarCloud host URL | https://sonarcloud.io |
| enablePromptfoo | Enable promptfoo evaluation | true |
| promptfooConfig | Path to promptfoo config file | promptfooconfig.yaml |
| enableRedteam | Enable promptfoo redteaming | true |
| redteamConfig | Path to redteam config file | redteam.yaml |
| redteamNumTests | Number of redteam tests to run | 5 |
Workflow Steps
- Setup project environment
- Check action SHA pinning
- Code quality checks (pylint, pytest, hadolint)
- Optional: Setup and run Promptfoo evaluation
- Optional: Run Promptfoo redteaming
- Optional: Run SonarCloud analysis
- Security check (Trivy filesystem scan of the checked-out source and its dependencies)
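A caller workflow that wires both reusable workflows above into one agent repository, as an added example and not a file from `gc-ai-workflows` itself. The workflow paths, the `secrets: inherit` requirement and the input names are those documented on this page; the trigger branches, job names, the overridden values (Python 3.12, 10 redteam tests) and the trailing `report` job are assumptions made for illustration.

```yaml
# .github/workflows/ci.yaml in an agent repository (added example; branch names,
# job names and overridden values are assumptions, not gc-ai-workflows defaults).
name: CI

on:
  pull_request:
    branches: [develop, main]
  push:
    branches: [develop, main]

jobs:
  # Every pull request: quality checks, tests, Trivy filesystem scan,
  # optional promptfoo evaluation/redteaming and SonarCloud analysis.
  pull-request-check:
    if: github.event_name == 'pull_request'
    uses: backbase-common/gc-ai-workflows/.github/workflows/pull-request-check.yaml@main
    secrets: inherit                 # required: called workflows get no secrets otherwise
    with:
      pythonVersion: "3.12"          # quoted so YAML does not read it as a float
      sourcePath: src/
      enableSonar: true
      enablePromptfoo: true
      promptfooConfig: promptfooconfig.yaml
      enableRedteam: true
      redteamConfig: redteam.yaml
      redteamNumTests: 10            # page default is 5

  # Push to a release branch: the same checks, then build, Trivy image scan and push to ACR.
  build-publish:
    if: github.event_name == 'push'
    uses: backbase-common/gc-ai-workflows/.github/workflows/build-publish.yaml@main
    secrets: inherit
    with:
      pythonVersion: "3.12"
      sourcePath: src/
      stableAcr: cragbs508           # page default, shown explicitly
      enableSonar: true
      enablePromptfoo: true
      enableRedteam: true
      redteamNumTests: 10

  # Consume the `image` output of build-publish. The value goes through an env
  # variable rather than being interpolated into the shell command directly.
  report:
    needs: build-publish
    runs-on: ubuntu-latest
    steps:
      - env:
          IMAGE: ${{ needs.build-publish.outputs.image }}
        run: echo "Published $IMAGE"
```

Keep `secrets: inherit` on every `uses:` job; the workflow-level `if:` guards only choose which job runs for which event.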
Reusable Actions
Setup Project
Sets up the Python project environment, including checkout, Python installation, `uv` setup, dependency installation, and version resolution. It also mints a GitHub App installation token from the supplied App ID and private key and exposes it as the `githubToken` output for the later steps that need to push commits or tags.
Action: backbase-common/gc-ai-workflows/setup-project@main
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| ref | GitHub reference (branch/tag) | ${{ github.ref }} |
| pythonVersion | Python version to use | 3.x |
| githubPrivateKey | GitHub App private key (PEM) | Required |
| githubAppId | GitHub App ID | Required |
| fetchDepth | Number of commits to fetch (0 = all) | 1 |
| gitUsername | Git username for commits | baasbot-ecos_backbase |
| gitEmail | Git email for commits | [email protected] |
Output Parameters
- version: Raw version from `uv version`
- releaseVersion: Release version (without dev/alpha/beta/rc suffix)
- nextVersion: Next version (patch incremented, with `.dev0`)
- devVersion: Development version with branch and commit info
- buildVersion: Build version (release or dev)
- isStable: Whether this is a stable version
- major, minor, patch: Version components
- name: Project name from git repository
- projectKey: Sonar project key
- organization: GitHub organization
- githubToken: Generated GitHub App token
Code Quality
Runs code quality checks including pylint, pytest, and hadolint. Action: `backbase-common/gc-ai-workflows/code-quality@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| sourcePath | Path to source code for pylint | src/ |
| runPylint | Whether to run pylint | true |
| runTests | Whether to run tests | true |
| runHadolint | Whether to run hadolint on Dockerfile | true |
| dockerfilePath | Path to Dockerfile | Dockerfile |
Sonar Check
Runs SonarCloud analysis on Python projects. Action: `backbase-common/gc-ai-workflows/sonar-check@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| sonarToken | SonarCloud authentication token | Required |
| sonarHostUrl | SonarCloud host URL | https://sonarcloud.io |
| projectName | Project name | Required |
| projectKey | Sonar project key | Required |
| organization | GitHub organization | Required |
| coverageReportPaths | Comma-separated coverage report paths | coverage.xml |
Security Check
Performs security checks of artifact dependencies and Docker images with the Trivy vulnerability scanner, either as a filesystem scan (`scanType: fs`) of the checked-out project or as an image scan (`scanType: image`) of a built container, and produces an SBOM (`bom.json` by default). Action: `backbase-common/gc-ai-workflows/security-check@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| sbomPath | Path to produced SBOM | bom.json |
| scanType | Type: image or fs | fs |
| scanReference | Filesystem reference to scan | . |
| imageReference | Container image name to scan | (empty) |
| ignoreUnfixedVulnerabilities | Skip unfixed vulnerabilities | true |
| severities | Severities to scan for | CRITICAL |
| hideProgress | Hide scanning progress | true |
| outputFormat | Trivy output format | sarif |
| debug | Print scanner results | false |
| exitCode | Exit code on error | 0 |
| trivyignorePath | Path to Trivy ignore list | ./.trivyignore |
| ignore | Comma-separated CVEs to ignore | CVE-2024-28752 |
Output Parameters
- sbomPath: Path to generated SBOM
Promptfoo Evaluation
Runs promptfoo evaluation against agent endpoints. Only runs if promptfoo config files have changed. Action: `backbase-common/gc-ai-workflows/promptfoo-evaluation@main`
> [!TIP]
> See the Promptfoo Configuration section for detailed setup instructions, including provider files, prompt functions, and test configuration.
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| config | Path to promptfoo config file | promptfooconfig.yaml |
| aiGatewayEndpoint | AI Gateway endpoint URL | Required |
| aiGatewayApiKey | AI Gateway API key | Required |
| githubToken | GitHub token for PR comments | Required |
Promptfoo Redteaming
Runs promptfoo redteaming evaluation against a local FastAPI server. Action: `backbase-common/gc-ai-workflows/promptfoo-redteaming@main`
> [!TIP]
> See the Redteam Configuration section for detailed setup instructions, including redteam.yaml structure, plugins, and testing configuration.
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| redteamConfig | Path to redteam config file | redteam.yaml |
| redteamNumTests | Number of redteam tests to run | 5 |
| aiGatewayEndpoint | AI Gateway endpoint URL | Required |
| aiGatewayApiKey | AI Gateway API key | Required |
| githubToken | GitHub token for PR comments | Required |
Build Docker Image
Builds the Docker image on the runner without pushing it to a registry, so the image can be scanned before it is published. Run it before the security check and push only after the scan has passed. Action: `backbase-common/gc-ai-workflows/build-docker@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| acrName | Azure ACR name (for image naming) | Required |
| projectName | Project name from resolve-metadata | Required |
| buildVersion | Build version from resolve-metadata | Required |
| imageGroup | Image group/namespace in ACR | images |
Output Parameters
- image: Full Docker image reference
Push Docker Image
Pushes a previously built Docker image to Azure Container Registry. Use it after building and after the security check has passed, so that only scanned images reach the registry. Action: `backbase-common/gc-ai-workflows/push-docker@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| acrName | Azure ACR name | Required |
| azureCredentials | Azure credentials secret (JSON) | Required |
| image | Full Docker image reference to push | Required |
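The build-scan-push chain assembled by hand from the individual actions (setup-project, check-action-pinning, code-quality, build-docker, security-check, push-docker), as an added example rather than the repository's own `build-publish` workflow. The action references, input names and defaults come from this page. Assumptions: the secret names `GH_APP_ID`, `GH_APP_PRIVATE_KEY` and `AZURE_CREDENTIALS`, the `permissions` block, the ACR name, that `severities` accepts a comma-separated list like Trivy's `--severity` flag, and that `exitCode` maps to Trivy's `--exit-code` (so the page default of 0 reports findings without failing the job). The example deliberately tightens the two report-only defaults: `fail-on-error: true` for the pinning check and `exitCode: 1` for the image scan.

```yaml
# .github/workflows/build-scan-push.yaml (added example; secret names, permissions
# and the ACR name are assumptions, the action inputs are the documented ones).
name: build-scan-push

on:
  push:
    branches: [main]

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # assumed least privilege: git pushes use the App token from setup-project
    steps:
      - name: Setup project
        id: setup
        uses: backbase-common/gc-ai-workflows/setup-project@main
        with:
          githubAppId: ${{ secrets.GH_APP_ID }}
          githubPrivateKey: ${{ secrets.GH_APP_PRIVATE_KEY }}
          pythonVersion: "3.12"

      # Default fail-on-error: false only reports unpinned actions. Make a
      # tag- or branch-pinned third-party action a hard failure.
      - name: Check action SHA pinning
        uses: backbase-common/gc-ai-workflows/check-action-pinning@main
        with:
          path: .github
          fail-on-error: true
          skip-organisation-name: backbase-common

      - name: Code quality (pylint, pytest, hadolint)
        uses: backbase-common/gc-ai-workflows/code-quality@main
        with:
          sourcePath: src/
          dockerfilePath: Dockerfile

      # Build locally; nothing is pushed until the scan below has passed.
      - name: Build Docker image
        id: build
        uses: backbase-common/gc-ai-workflows/build-docker@main
        with:
          acrName: cragbs508
          projectName: ${{ steps.setup.outputs.name }}
          buildVersion: ${{ steps.setup.outputs.buildVersion }}

      # Defaults (exitCode: 0, severities: CRITICAL, ignoreUnfixedVulnerabilities: true)
      # make the scan advisory. Fail the job on fixable CRITICAL or HIGH findings;
      # accepted findings go in ./.trivyignore with a review date, not in `ignore`.
      - name: Scan image with Trivy
        uses: backbase-common/gc-ai-workflows/security-check@main
        with:
          scanType: image
          imageReference: ${{ steps.build.outputs.image }}
          severities: CRITICAL,HIGH
          exitCode: 1
          trivyignorePath: ./.trivyignore

      # Reached only if every step above succeeded.
      - name: Push Docker image to ACR
        uses: backbase-common/gc-ai-workflows/push-docker@main
        with:
          acrName: cragbs508
          azureCredentials: ${{ secrets.AZURE_CREDENTIALS }}
          image: ${{ steps.build.outputs.image }}
```

Step order is the control: because `push-docker` runs after `security-check` in the same job, a failing scan (with `exitCode: 1`) stops the job before the image ever leaves the runner.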
Create Release Draft
Prepares a release draft by merging branches, updating versions, creating tags, and generating release notes using release-drafter. Action: `backbase-common/gc-ai-workflows/create-release-draft@main`
> [!NOTE]
> Requires a `.github/release-drafter.yml` configuration file.
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| baseBranch | Git base branch to run release from | develop |
| headBranch | Destination (head) git branch | main |
| githubToken | GitHub token from setup-project | Required |
Output Parameters
- releaseVersion: Result release version
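A manually triggered release workflow showing how the GitHub App token minted by setup-project is handed to create-release-draft, as an added example and not a workflow shipped in `gc-ai-workflows`. The action references, inputs and the `releaseVersion` output are from this page; the `workflow_dispatch` trigger, the secret names `GH_APP_ID` and `GH_APP_PRIVATE_KEY`, and the use of `fetchDepth: 0` (assumed necessary so that the develop-to-main merge has full history) are assumptions.

```yaml
# .github/workflows/release-draft.yaml (added example; trigger, secret names and
# fetchDepth are assumptions, the action inputs are the documented ones).
name: release-draft

on:
  workflow_dispatch:

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Setup project
        id: setup
        uses: backbase-common/gc-ai-workflows/setup-project@main
        with:
          ref: develop                          # check out the release base branch
          githubAppId: ${{ secrets.GH_APP_ID }}
          githubPrivateKey: ${{ secrets.GH_APP_PRIVATE_KEY }}
          fetchDepth: 0                         # assumed: full history for the branch merge

      # Merges develop into main, bumps versions, tags, and drafts release notes
      # from .github/release-drafter.yml using the App token, not GITHUB_TOKEN.
      - name: Create release draft
        id: draft
        uses: backbase-common/gc-ai-workflows/create-release-draft@main
        with:
          baseBranch: develop
          headBranch: main
          githubToken: ${{ steps.setup.outputs.githubToken }}

      - name: Report
        env:
          RELEASE_VERSION: ${{ steps.draft.outputs.releaseVersion }}
        run: echo "Drafted release $RELEASE_VERSION"
```

Using the App token from `setup-project` rather than the job's `GITHUB_TOKEN` is what lets the pushed tag and merge commit trigger downstream workflows, since events created with `GITHUB_TOKEN` do not start new workflow runs.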
Provision Python Project
Provisions a Python project template by updating `pyproject.toml` with the correct package name, version, description, and URLs. Also creates initial `CHANGELOG.md` and `README.md` files.
Action: backbase-common/gc-ai-workflows/provision-python-project@main
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| githubToken | Access token to manage GitHub repositories | Required |
| packageName | Package name for pyproject.toml | Required |
| packageVersion | Package version for pyproject.toml | 0.1.0.dev0 |
| pyprojectPath | Path to pyproject.toml file | . |
| baseBranch | Git base branch for provisioning | develop |
| mainBranch | Main branch to create | main |
What It Does
- Updates `pyproject.toml` with package name, version, description, and URLs
- Regenerates the `uv.lock` file
- Creates `CHANGELOG.md` with an initial version entry
- Creates/updates `README.md` with build badges and SonarCloud integration
- Commits and pushes all changes to both the base and main branches
Validate Pull Request Body
Validates the pull request body description and content against the PR template. Action: `backbase-common/gc-ai-workflows/validate-pull-request-body@main`
> [!NOTE]
> Requires a `.github/pull_request_template.md` file.
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| githubToken | Access token to manage GitHub repositories | Required |
Check Action SHA Pinning
Validates that external GitHub Actions referenced by the repository's workflows and actions are pinned to a full commit SHA rather than a mutable tag or branch, so that a retagged or compromised upstream action cannot silently change what the pipeline executes.
> [!IMPORTANT]
> With the default `fail-on-error: false` this action only reports violations and leaves the job green; set `fail-on-error: true` to make an unpinned action fail the job. By default it validates the actions and workflows under the `.github` folder, and references to the `backbase-common` organization are skipped.
Action: backbase-common/gc-ai-workflows/check-action-pinning@main
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| path | Relative path to GitHub actions location | .github |
| fail-on-error | Fail if violation is found | false |
| skip-organisation-name | Organization to skip during validation | backbase-common |
Output Parameters
- valid: Validation result ("true" or "false")
- violations: Comma-separated list of violations, each in the format `file path:external action`
Resolve Metadata
Resolves project version and metadata from `pyproject.toml` using `uv version`.
Action: backbase-common/gc-ai-workflows/resolve-metadata@main
Usage
Output Parameters
- version: Raw version from `uv version`
- releaseVersion: Release version (without dev/alpha/beta/rc suffix)
- nextVersion: Next version (patch incremented, with `.dev0`)
- devVersion: Development version with branch and commit info
- buildVersion: Build version (release or dev)
- isStable: Whether this is a stable version
- major, minor, patch: Version components
- name: Project name from git repository
- projectKey: Sonar project key
- organization: GitHub organization
Setup Promptfoo
Sets up Node.js and installs promptfoo globally for LLM prompt evaluation. Action: `backbase-common/gc-ai-workflows/setup-promptfoo@main`
Usage
Input Parameters
| Parameter | Description | Default |
|---|---|---|
| nodeVersion | Node.js version to use | 20 |