# cicd_setup.py
Generates .github/workflows/ci.yml and cd.yml with OIDC federation, SHA-pinned actions, per-job minimum permissions, and concurrency cancel-in-progress. No static cloud credentials in GitHub Secrets — ever.
## What it does
Selects the correct OIDC authentication action for the target cloud, generates two workflow files, and writes a SECRETS.md listing every GitHub secret and repository variable that needs to be configured.
Every action step is pinned to a full commit SHA rather than a floating tag: a tag can be moved to a different commit after you reviewed it, a SHA cannot. Permissions follow least privilege: each job declares only the scopes it needs, so nothing inherits the default `GITHUB_TOKEN` grants.
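A way to verify those guarantees on the files the tool writes, as an added example rather than the tool's own code: a stdlib line scanner (no PyYAML) that assumes the conventional two-space indentation of GitHub workflow files and flags unpinned `uses:` refs, jobs without a `permissions:` block, `write-all`, missing `cancel-in-progress`, and references to long-lived cloud credential secrets. The two sample workflows and the list of secret names are constructed for this example; the 40-character refs in the good sample are placeholder SHAs, not real commits.

```python
"""Audit a generated GitHub Actions workflow for SHA pins, per-job permissions,
cancel-in-progress concurrency and the absence of static cloud credentials."""
from __future__ import annotations

import re

USES = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Secret names that mean a long-lived cloud credential is in play (constructed list).
STATIC_CRED = re.compile(
    r"secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AZURE_CLIENT_SECRET"
    r"|GOOGLE_CREDENTIALS|GCP_SA_KEY)")


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means the file passes."""
    findings: list[str] = []
    in_jobs = False
    job: str | None = None
    perms_seen: dict[str, bool] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                      # a new top-level key
            in_jobs = line.startswith("jobs:")
            job = None
            continue
        if in_jobs and indent == 2 and line.endswith(":"):
            job = line[:-1]                  # job id, e.g. "trivy-scan"
            perms_seen[job] = False
        elif job and indent == 4 and line.startswith("permissions:"):
            perms_seen[job] = True
            if "write-all" in line:
                findings.append(f"line {n}: job '{job}' grants write-all")
        m = USES.match(raw)
        if m and not m["action"].startswith(("./", "docker:")):
            if not FULL_SHA.match(m["ref"]):
                findings.append(f"line {n}: {m['action']} pinned to mutable ref '{m['ref']}'")
        if STATIC_CRED.search(raw):
            findings.append(f"line {n}: static cloud credential referenced")
    for job_id, ok in perms_seen.items():
        if not ok:
            findings.append(f"job '{job_id}': no permissions block, inherits the default token scope")
    if not re.search(r"^\s*cancel-in-progress:\s*true\s*$", text, re.M):
        findings.append("concurrency: cancel-in-progress is not set")
    return findings


# Constructed samples: the kind of file the tool must never write, and one that passes.
BAD = """\
name: ci
on: [push]
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

GOOD = """\
name: ci
on: [push]
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: aws-actions/configure-aws-credentials@1111111111111111111111111111111111111111  # placeholder SHA
        with:
          role-to-assume: ${{ vars.AWS_OIDC_ROLE_ARN }}
"""

if __name__ == "__main__":
    for name, doc in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit_workflow(doc) or "ok")
```

The scanner deliberately ignores `docker://` image refs and local `./` actions; those are pinned differently (image digest, same commit as the workflow). Run it over both `ci.yml` and `cd.yml` in CI itself if you want the guarantees enforced rather than assumed.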
## CLI Usage

```bash
python3 tools/cicd_setup.py \
  --repo-path ./my-app \
  --cloud aws \
  --service payment-api
```
## OIDC Setup (No Static Credentials)

| Cloud | Action used | Key config |
|-------|-------------|------------|
| aws | aws-actions/configure-aws-credentials | role-to-assume |
| azure | azure/login | client-id, tenant-id, subscription-id |
| gcp | google-github-actions/auth | workload_identity_provider |

The job running the auth step needs `id-token: write`, which only lets it request a short-lived OIDC token from GitHub. These inputs name the role or identity to assume; what actually restricts who may assume it is the cloud-side trust condition on the token's `sub` claim (repository, branch or environment), so keep that condition as narrow as the role's blast radius demands.
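How the per-cloud selection and the least-privilege job fit together, as an added example and not the tool's own code. It assumes repository variable names (`AWS_OIDC_ROLE_ARN`, `AZURE_CLIENT_ID`, `GCP_WORKLOAD_IDENTITY_PROVIDER` and so on; SECRETS.md is the source of truth for the real names), a single illustrative job layout, and placeholder 40-character pins in place of real commit SHAs. `to_yaml` is a minimal stdlib emitter for the shapes used here, included so the block runs without PyYAML.

```python
"""Select the per-cloud OIDC auth step and wrap it in a least-privilege job."""
from __future__ import annotations

# Placeholder pins, constructed for this example (not real commits). A real
# generator resolves each action's release tag to its commit before writing.
PINS = {
    "actions/checkout": "3" * 40,
    "aws-actions/configure-aws-credentials": "0" * 40,
    "azure/login": "1" * 40,
    "google-github-actions/auth": "2" * 40,
}

# Action and inputs per cloud. Every value is a repository *variable*: role ARNs
# and client IDs are not secret, and no long-lived `secrets.*` credential appears.
OIDC_INPUTS = {
    "aws": ("aws-actions/configure-aws-credentials", {
        "role-to-assume": "${{ vars.AWS_OIDC_ROLE_ARN }}",
        "aws-region": "${{ vars.AWS_REGION }}",
    }),
    "azure": ("azure/login", {
        "client-id": "${{ vars.AZURE_CLIENT_ID }}",
        "tenant-id": "${{ vars.AZURE_TENANT_ID }}",
        "subscription-id": "${{ vars.AZURE_SUBSCRIPTION_ID }}",
    }),
    "gcp": ("google-github-actions/auth", {
        "workload_identity_provider": "${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}",
        "service_account": "${{ vars.GCP_SERVICE_ACCOUNT }}",
    }),
}


def oidc_step(cloud: str, service: str) -> dict:
    """One entry of a job's `steps:` list, SHA-pinned, fed only from variables."""
    if cloud not in OIDC_INPUTS:
        raise ValueError(f"unsupported cloud {cloud!r}; expected one of {sorted(OIDC_INPUTS)}")
    action, inputs = OIDC_INPUTS[cloud]
    step = {"name": f"Authenticate to {cloud} via OIDC",
            "uses": f"{action}@{PINS[action]}",
            "with": dict(inputs)}
    if cloud == "aws":  # session name shows up in CloudTrail, so name the service
        step["with"]["role-session-name"] = f"gha-{service}"
    return step


def cloud_job(cloud: str, service: str) -> dict:
    """A job that can mint an OIDC token and nothing else: `id-token: write` is
    its only write scope. Which repo/branch may assume the role is decided by
    the cloud-side trust policy on the token's `sub` claim, not here."""
    return {
        "runs-on": "ubuntu-latest",
        "permissions": {"contents": "read", "id-token": "write"},
        "steps": [{"uses": f"actions/checkout@{PINS['actions/checkout']}"},
                  oidc_step(cloud, service)],
    }


def workflow(cloud: str, service: str) -> dict:
    """Skeleton workflow: no default scopes, cancel superseded runs, one cloud job."""
    return {
        "name": f"ci-{service}",
        "on": {"pull_request": {}, "push": {"branches": ["main"]}},
        "permissions": {},  # workflow-level default: nothing; each job opts in
        "concurrency": {"group": "${{ github.workflow }}-${{ github.ref }}",
                        "cancel-in-progress": True},
        "jobs": {"cloud-auth": cloud_job(cloud, service)},
    }


def to_yaml(value, indent: int = 0) -> str:
    """Minimal block-style YAML emitter for the dict/list/scalar shapes above."""
    pad = "  " * indent
    if isinstance(value, dict) and value:
        out = []
        for k, v in value.items():
            if isinstance(v, (dict, list)) and v:
                out.append(f"{pad}{k}:\n{to_yaml(v, indent + 1)}")
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(out)
    if isinstance(value, list) and value:
        out = []
        for item in value:
            body = to_yaml(item, indent + 1).splitlines()
            out.append(f"{pad}- {body[0].lstrip()}")  # first key shares the dash line
            out.extend(body[1:])
        return "\n".join(out)
    return f"{pad}{_scalar(value)}"


def _scalar(v) -> str:
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (dict, list)):  # only empty containers reach here
        return "{}" if isinstance(v, dict) else "[]"
    return str(v)


if __name__ == "__main__":
    print(to_yaml(workflow("aws", "payment-api")))
```

Note the two layers of least privilege: `permissions: {}` at workflow level removes every default scope, and the job re-adds exactly `contents: read` plus `id-token: write`. A job that never talks to the cloud (lint, test) should not get `id-token: write` at all.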
## CI Pipeline Jobs

| Job | What it does |
|-----|--------------|
| lint | ESLint / pylint / golangci-lint, depending on the language detected |
| test | Unit tests, with coverage uploaded to Codecov |
| docker-build | Multi-stage build with Docker layer caching via the GitHub cache |
| trivy-scan | Scans the image for HIGH/CRITICAL CVEs and fails the workflow if any are found |
| push | Pushes to ECR / ACR / Artifact Registry, only on pushes to main or on a tag |
## CD Pipeline Jobs

| Job | What it does |
|-----|--------------|
| terraform-plan | Runs on every PR and posts the plan summary as a PR comment |
| terraform-apply | Runs on merge to main and applies the plan |
| helm-upgrade | `helm upgrade --install --atomic --wait --timeout 5m` |
## Also generated
SECRETS.md — a checklist of every GitHub Actions secret and repository variable to configure, including the OIDC role ARN / client ID and the container registry URL. Nothing is left for you to guess.