Skip to content

The `nexa-ci` Repository

nexa-ci/
├── .github/
│ ├── workflows/
│ │ ├── node-ci.yml
│ │ ├── react-ci.yml
│ │ ├── python-ci.yml
│ │ ├── source-security.yml
│ │ ├── container-build-publish.yml
│ │ ├── push-ecr.yml
│ │ ├── push-acr.yml
│ │ ├── push-spcs.yml
│ │ ├── defectdojo-upload.yml
│ │ ├── dispatch-spcs-deployment.yml
│ │ ├── dispatch-release-manifest.yml
│ │ └── service-container.yml
├── examples/
│ ├── actg-ai/ci.yml
│ ├── nexa-agents-api/ci.yml
│ ├── nexa-backend/ci.yml
│ ├── nexa-databricks-api/ci.yml
│ ├── nexa-stt-service/ci.yml
│ ├── nexa-web/ci.yml
│ ├── COMPLETE-CALLER.yml
│ └── service-catalog.yml
├── docs/
│ └── REFERENCE-IMPLEMENTATION.md
└── README.md

GitHub requires reusable workflows to reside directly in .github/workflows; subdirectories are not supported. service-container.yml is a compatibility wrapper for existing callers. New callers compose node-ci.yml or python-ci.yml, container-build-publish.yml, and the required publisher workflows directly.

source-security.yml generates source-security reports and applies their gate after the DefectDojo reimport jobs complete. defectdojo-upload.yml is the shared API adapter; it is not a scanner. The current container-service starter does not yet include Kubernetes or Terraform workflow families.

The handbook does not maintain a second copy of these runnable examples. Its examples/nexa-ci/ directory links readers to the canonical nexa-ci implementation.

  • v1.x.y immutable releases.
  • v1 movable major alias updated only after compatibility testing.
  • Consumer repositories use @v1 during broad adoption or an immutable SHA for highest assurance.
  • Breaking input or behavior changes require v2.

The repository maintains small fixture projects for each supported type. Every change runs self-tests against fixtures before a release tag is updated.