NVIDIA/dsx-github-actions
Dockerfile
Captured source
source ↗NVIDIA/dsx-github-actions
Description: Github Action infrastructure for DSX
Language: Dockerfile
License: Apache-2.0
Stars: 4
Forks: 1
Open issues: 1
Created: 2025-11-25T10:33:22Z
Pushed: 2026-06-25T02:42:33Z
Default branch: main
Fork: no
Archived: no
README:
DSX GitHub Actions
A collection of reusable GitHub Actions for standardizing CI/CD workflows across NVIDIA projects.
🚀 Available Actions
| Action | Description | Use Case |
| --- | --- | --- |
| [codeql-scan](.github/actions/codeql-scan/) | Static code analysis with CodeQL | Security vulnerability detection |
| [trufflehog-scan](.github/actions/trufflehog-scan/) | Secret scanning with TruffleHog | Leaked credentials detection |
| [security-container-scan](.github/actions/security-container-scan/) | Container vuln scan (SBOM + Grype) | Container image CVE detection |
| [security-container-scan-aggregate](.github/actions/security-container-scan-aggregate/) | Aggregate multi-image Grype reports into one summary | Per-PR consolidated scan summary + sticky comment |
| [semantic-release](.github/actions/semantic-release/) | Automated versioning and releases | Semantic versioning and changelog |
| [resource-push-ngc](.github/actions/resource-push-ngc/) | Push resources to NGC | Artifact publishing |
| [docker-build](.github/actions/docker-build/) | Docker Buildx build/push wrapper | Build/push multi-arch OCI images |
| [git-tag](.github/actions/git-tag/) | Create and push git tag | Tagging releases |
| [slack-notify](.github/actions/slack-notify/) | Send notifications to Slack | CI/CD status notifications |
| [go-lint](.github/actions/go-lint/) | Go linting (golangci-lint, fmt, vet) | Go code quality checks |
| [go-test](.github/actions/go-test/) | Go tests with coverage and JUnit | Go test execution and reporting |
| [license-headers](.github/actions/license-headers/) | SPDX license header checks | License compliance |
| [commitlint](.github/actions/commitlint/) | Conventional commit validation | Commit message enforcement |
♻️ Available Workflows
| Workflow | Description | Use Case |
| --- | --- | --- |
| [promote-image](.github/workflows/promote-image.yml) | Re-tag and re-publish multi-arch images via skopeo | Promote OCI images across registries |
| [docker-build](.github/workflows/docker-build.yml) | Reusable workflow wrapper for Docker build/push | Share Docker build logic across repos |
⚠️ Important: GitHub Advanced Security Required
The security scanning actions (codeql-scan, security-container-scan with upload-sarif: true) upload results to GitHub's Code Scanning feature, which requires GitHub Advanced Security (GHAS) to be enabled:
- ✅ Public repositories: Free and automatically available
- ⚠️ Private repositories: Requires GHAS license
Without GHAS enabled, scans will run successfully but uploads will fail. See individual action documentation for workarounds and details:
- [CodeQL Prerequisites](.github/actions/codeql-scan/README.md#️-prerequisites)
- [Security Container Scan Prerequisites](.github/actions/security-container-scan/README.md#prerequisites)
> Note: trivy-scan has been removed due to a supply chain compromise (March 2026).
> See: https://github.com/aquasecurity/trivy/discussions/10425
> Use security-container-scan (Anchore Grype) as the replacement.
📖 Quick Start
Security Scanning (Rust)
```yaml
name: Security Checks
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  security:
    runs-on: linux-amd64-cpu4
    steps:
      - uses: actions/checkout@v4
      - name: CodeQL Analysis
        uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
        with:
          languages: "rust"
          build-command: "cargo build --workspace"
```
Security Scanning (Go)
```yaml
- name: CodeQL Analysis
  uses: NVIDIA/dsx-github-actions/.github/actions/codeql-scan@main
  with:
    languages: "go"
    build-command: "go build ./..."
```
Image Promotion
```yaml
name: Promote OCI Image
on:
  workflow_dispatch:
    inputs:
      new-tag:
        type: string
        required: true
jobs:
  promote:
    uses: NVIDIA/dsx-github-actions/.github/workflows/promote-image.yml@main
    with:
      source: nvcr.io/acme/dev/service
      source_tag: faf3d1
      destination: nvcr.io/acme/stg/service
      destination_tag: ${{ github.event.inputs.new-tag }}
    secrets:
      SOURCE_USERNAME: ${{ secrets.NVCR_DEV_USER }}
      SOURCE_PASSWORD: ${{ secrets.NVCR_DEV_TOKEN }}
      DEST_USERNAME: ${{ secrets.NVCR_STG_USER }}
      DEST_PASSWORD: ${{ secrets.NVCR_STG_TOKEN }}
```

This reusable workflow wraps skopeo copy, so it copies the entire manifest list (multi-arch) by default, supports tag-to-tag retagging, and also allows pinning a specific digest by supplying the optional digest input. Pass GitHub Container Registry (GHCR) or NVIDIA Container Registry (NGC) credentials through the required secrets block to authenticate against different registries, and consume the resulting ${{ needs.promote.outputs.destination_digest }} output if downstream jobs need the promoted digest.
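The digest pinning and output consumption described above, as an added example that is not part of the project's README: the promotion is pinned with the `digest` input and a downstream job checks and records `destination_digest`. Assumptions: the digest has the form `sha256:<64 hex>`, `digest` may be supplied alongside `source_tag`, and the `record-digest` job name and `ubuntu-latest` runner are hypothetical.

```yaml
name: Promote OCI Image by Digest
on:
  workflow_dispatch:
    inputs:
      new-tag:
        type: string
        required: true
      digest:
        description: "Source digest to pin (assumed form: sha256:<64 hex>)"
        type: string
        required: true
jobs:
  promote:
    uses: NVIDIA/dsx-github-actions/.github/workflows/promote-image.yml@main
    with:
      source: nvcr.io/acme/dev/service
      source_tag: faf3d1
      # Assumption: digest can be passed together with source_tag; see the Workflows Guide.
      digest: ${{ inputs.digest }}
      destination: nvcr.io/acme/stg/service
      destination_tag: ${{ inputs.new-tag }}
    secrets:
      SOURCE_USERNAME: ${{ secrets.NVCR_DEV_USER }}
      SOURCE_PASSWORD: ${{ secrets.NVCR_DEV_TOKEN }}
      DEST_USERNAME: ${{ secrets.NVCR_STG_USER }}
      DEST_PASSWORD: ${{ secrets.NVCR_STG_TOKEN }}
  record-digest:
    needs: promote
    runs-on: ubuntu-latest
    env:
      # Hand the output to the script through env rather than expanding
      # it inside the run body, so its value is never parsed as shell.
      PROMOTED_DIGEST: ${{ needs.promote.outputs.destination_digest }}
      DEST_REPO: nvcr.io/acme/stg/service
    steps:
      - name: Validate and record the promoted digest
        run: |
          # Fail closed if the output is empty or not a sha256 digest.
          if ! printf '%s' "$PROMOTED_DIGEST" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
            echo "::error::destination_digest is not a sha256 digest"
            exit 1
          fi
          echo "Promoted image: ${DEST_REPO}@${PROMOTED_DIGEST}" >> "$GITHUB_STEP_SUMMARY"
```

Downstream deploy steps can then reference the image as `repo@digest` instead of the mutable destination tag.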
📚 Documentation
- [CodeQL Scan Action](.github/actions/codeql-scan/README.md)
- [TruffleHog Secret Scan Action](.github/actions/trufflehog-scan/README.md)
- [Security Container Scan Action](.github/actions/security-container-scan/README.md)
- [Security Container Scan Aggregate Action](.github/actions/security-container-scan-aggregate/README.md)
- [Semantic Release Action](.github/actions/semantic-release/README.md)
- [Resource Push NGC Action](.github/actions/resource-push-ngc/README.md)
- [Docker Build Action](.github/actions/docker-build/README.md)
- [Slack Notify Action](.github/actions/slack-notify/README.md)
- [Go Lint Action](.github/actions/go-lint/README.md)
- [Go Test Action](.github/actions/go-test/README.md)
- [License Headers Action](.github/actions/license-headers/README.md)
- [Commitlint Action](.github/actions/commitlint/README.md)
- [Workflows Guide](.github/workflows/README.md)
🎯 Features
- ✅ Composite Actions: Lightweight, reusable, and flexible
- ✅ Multi-language Support: Go, Rust, Python, JavaScript, C++, Java, C#
- ✅ Comprehensive Security: CodeQL and TruffleHog scanning
- ✅ Secret Detection: 700+ credential types with verification
- ✅ Security Integration:...
Excerpt shown — open the source for the full document.
Notability
Notability: 3.0/10. Routine utility repo with minimal traction.