Currently, OpenMRS backend modules use a variety of GitHub Actions workflows, and things feel a bit messy. For example, the Billing module follows a setup similar to Core, while other modules each do their own thing.
As part of improving OpenMRS security, especially supply chain security, we’re planning to standardize the build configuration across modules. The idea is to create a central GitHub Actions workflow that individual modules can reuse via `workflow_call`.
This shared workflow would expose configurable inputs such as:
- Java versions to build and test against
- The primary Java version used to publish artifacts
- The Java distribution to use
- The Maven command to run
I’ve already opened a PR that introduces a basic version of this shared workflow: "Create a Standard GitHub Workflow to Build Backend Modules" (Pull Request #1 by wikumChamith, openmrs/openmrs-contrib-gha-workflows on GitHub)
Once the base workflow is in place, we can gradually extend it with additional features, for example:
- Security checks when publishing artifacts
- Hash signing of artifacts so consumers can verify that what they downloaded is exactly what was built in CI
- Automated integrity verification for releases
I’d really appreciate your feedback, and feel free to suggest any additional features you’d like to see included.
cc: @dkayiwa, @ibacher, @burke, @raff, @jayasanka, @paul, @janflowers, @dev4, @dev5
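
For readers following the proposal, here is an added sketch of what a `workflow_call` workflow with the four inputs listed above, and a module that reuses it, could look like. It is not the code from the PR: the file names, input names, default values and the `<commit-sha>` placeholder are assumptions made for illustration.

```yaml
# File 1 (hypothetical path in the shared repo): .github/workflows/build-backend-module.yml
on:
  workflow_call:
    inputs:                            # input names and defaults are illustrative
      java-versions:                   # JSON array of versions to build and test against
        type: string
        default: '["11", "17"]'
      primary-java-version:            # only this build's output is kept for publishing
        type: string
        default: "11"
      java-distribution:
        type: string
        default: temurin
      maven-command:
        type: string
        default: mvn --batch-mode clean verify
permissions:
  contents: read                       # least privilege: no write token during the build
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: ${{ fromJSON(inputs.java-versions) }}
    steps:
      - uses: actions/checkout@v4      # pin to a full commit SHA in practice
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-java@v4    # pin to a full commit SHA in practice
        with:
          distribution: ${{ inputs.java-distribution }}
          java-version: ${{ matrix.java }}
      - name: Build and test
        env:
          MAVEN_COMMAND: ${{ inputs.maven-command }}  # passed via env, not pasted into the script
        run: $MAVEN_COMMAND
      - name: Keep artifacts from the primary Java build only
        if: matrix.java == inputs.primary-java-version
        uses: actions/upload-artifact@v4   # pin to a full commit SHA in practice
        with:
          path: '**/target/*.jar'      # assumes the standard Maven output layout
---
# File 2 (hypothetical, in a module repo): .github/workflows/build.yml
on: [push, pull_request]
jobs:
  build:
    uses: openmrs/openmrs-contrib-gha-workflows/.github/workflows/build-backend-module.yml@<commit-sha>
    with:
      java-versions: '["11", "17"]'    # other inputs fall back to the shared defaults
```

Referencing the shared workflow by commit SHA rather than a branch means a change to the central repository reaches a module only when that module's pin is updated.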