Code Quality Workflows

Three workflows keep your repository and workflow files consistent and well-documented.


yml-lint

Lint YAML files with strict formatting standards — validates YAML syntax and style across your repository, catching issues like duplicate keys, trailing spaces, and inconsistent indentation.

When to use: On every pull request in repositories with YAML configuration files (GitHub Actions workflows, Kubernetes manifests, Helm values, etc.).

on:
  pull_request:
    paths:
      - '**.yml'
      - '**.yaml'

jobs:
  yaml-lint:
    uses: clouddrove/github-shared-workflows/.github/workflows/yml-lint.yml@master

No inputs or secrets required.

Internal variant

yml-lint-internal.yml is used within the shared-workflows repo itself. Use yml-lint.yml in your own repositories.


readme

Generate, validate, and publish README documentation — typically used with Terraform modules: it auto-generates README.md from code comments with terraform-docs, then commits the result back to the repository.

When to use: On pushes to main/master for Terraform module repositories where documentation is auto-generated from code.

on:
  push:
    branches: [master]
    paths:
      - '**.tf'

jobs:
  readme:
    uses: clouddrove/github-shared-workflows/.github/workflows/readme.yml@master
    secrets:
      TOKEN: ${{ secrets.GITHUB_TOKEN }}
      SLACK_WEBHOOK_TERRAFORM: ${{ secrets.SLACK_WEBHOOK }}

The workflow:

  1. Runs terraform-docs to generate documentation from .tf files
  2. Validates the generated README
  3. Commits the updated README.md back to the branch
  4. Sends a Slack notification when complete

ci

Comprehensive CI pipeline for the shared-workflows repository itself — validates all 44 workflow files using 11 parallel jobs covering YAML validation, security scanning, actionlint, documentation generation, and permission validation.

This workflow runs automatically on every push and pull request to the clouddrove/github-shared-workflows repository. It is an internal workflow and is not typically called from external repositories.

Jobs run:

| Job | What it checks |
| --- | --- |
| YAML validation | Syntax and formatting of all workflow files |
| Security scanning | Workflow permissions, secrets handling |
| Actionlint | GitHub Actions-specific lint rules |
| Documentation generation | Auto-generated workflow reference docs |
| Permission validation | Ensure least-privilege permissions |
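Two of the checks above, duplicate YAML keys (which yml-lint also catches) and least-privilege token permissions, interact in a way worth seeing concretely: a duplicated `permissions:` key lets a later `write-all` silently override the restricted block above it. The checker below is an added example, not the clouddrove project's own code; it is a deliberately small line-based scan (not a full YAML parser) run over a constructed workflow.

```python
"""Added illustration (not the clouddrove project's own code): line-based check
for duplicate mapping keys and over-broad GITHUB_TOKEN permissions in workflow
YAML. Block-style mappings/lists with consistent indentation only."""
import re
# optional "- " list marker, a mapping key, then an optional scalar value
KEY_RE = re.compile(r'^(\s*)(- )?([A-Za-z0-9_.-]+):(?:\s+(.*))?$')

def find_issues(text):
    """Return [(line_number, message)]; line 0 means the whole file."""
    issues, stack, seen = [], [], {}
    # stack: (indent, line) of enclosing keys; seen: (path, indent) -> keys
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue          # comments, plain scalars, scalar list items
        ws, dash, key, value = m.groups()
        indent = len(ws) + (2 if dash else 0)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = tuple(ln for _, ln in stack)
        if dash:              # a new list item starts a fresh mapping
            seen[(path, indent)] = set()
        keys = seen.setdefault((path, indent), set())
        if key in keys:
            issues.append((lineno, f"duplicate key '{key}': most YAML loaders "
                           "keep the last value and silently drop the first"))
        keys.add(key)
        stack.append((indent, lineno))
        value = (value or '').split('#', 1)[0].strip()
        if key == 'permissions' and value == 'write-all':
            issues.append((lineno, "permissions: write-all grants every token "
                           "scope; list only the scopes the job needs"))
    if 'permissions' not in seen.get(((), 0), set()):
        issues.append((0, "no top-level permissions block: jobs fall back to "
                       "the repository's default GITHUB_TOKEN scope"))
    return issues

# constructed sample: a least-privilege block silently overridden by a duplicate key
SAMPLE = """\
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - run: yamllint .
permissions: write-all
"""
if __name__ == '__main__':
    print(*find_issues(SAMPLE), sep='\n')
```

Running it reports both problems on line 9 of the sample; a file with a single restricted `permissions:` block and no `write-all` reports nothing.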

Combine these workflows for a comprehensive quality gate on every pull request:

on:
  pull_request:

jobs:
  yaml-lint:
    uses: clouddrove/github-shared-workflows/.github/workflows/yml-lint.yml@master

  secrets-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/pr-gitleaks-scan.yml@master
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  pr-checks:
    uses: clouddrove/github-shared-workflows/.github/workflows/pr-checks.yml@master
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  checkov:
    uses: clouddrove/github-shared-workflows/.github/workflows/security-checkov.yml@master
    with:
      directory: ./
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}