# Resources — CI/CD & Delivery

High-trust sources only. Every non-trivial claim in a lesson links to one of these. The GitHub
Actions docs are the spine; GCP docs cover keyless auth + binary authorization.

## Primary — GitHub Actions docs (docs.github.com)

### Fundamentals
- **Understanding GitHub Actions** — https://docs.github.com/en/actions/get-started/understanding-github-actions
  — workflows, events, jobs, steps, actions, runners. *(Lesson 1–2)*
- **Workflows** — https://docs.github.com/en/actions/concepts/workflows-and-actions/workflows *(Lesson 2)*
- **Workflow syntax** — https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
  — the full YAML reference. *(Lesson 2)*
- **Events that trigger workflows** — https://docs.github.com/en/actions/reference/events-that-trigger-workflows
  — push / pull_request / workflow_dispatch / schedule / workflow_call. *(Lesson 2)*

### Reuse & structure
- **Reusing workflows (workflow_call)** — https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows *(Lesson 4)*
- **Composite actions** — https://docs.github.com/en/actions/tutorials/create-actions/create-a-composite-action *(Lesson 4)*
- **Reusable workflow vs composite action** — https://docs.github.com/en/actions/concepts/workflows-and-actions/reusable-workflows *(Lesson 4)*

### Runners
- **Self-hosted runners** — https://docs.github.com/en/actions/how-tos/manage-runners/self-hosted-runners *(Lesson 7)*
- **Choosing the runner for a job** — https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/choose-the-runner-for-a-job *(Lesson 7)*
- **Actions Runner Controller (ARC)** — https://docs.github.com/en/actions/how-tos/manage-runners/actions-runner-controller *(Lesson 7)*

### Security
- **OIDC / hardening with OpenID Connect** — https://docs.github.com/en/actions/concepts/security/openid-connect *(Lesson 9)*
- **OIDC with Google Cloud** — https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform *(Lesson 9)*
- **Security hardening for GitHub Actions** — https://docs.github.com/en/actions/concepts/security/security-hardening-for-github-actions *(Lesson 12)*
- **Concurrency** — https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#concurrency *(Lesson 12)*
- **Caching dependencies** — https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/cache-dependencies *(Lesson 12)*
- **Environments (protection rules)** — https://docs.github.com/en/actions/how-tos/manage-workflow-runs/manage-environments *(Lesson 6)*

## GCP — keyless auth & supply chain
- **google-github-actions/auth (Workload Identity Federation)** — https://github.com/google-github-actions/auth *(Lesson 9)*
- **Enabling keyless auth from GitHub Actions (Google blog)** — https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions *(Lesson 9)*
- **Binary Authorization overview** — https://cloud.google.com/binary-authorization/docs/overview *(Lesson 10)*
- **Binary Authorization docs** — https://cloud.google.com/binary-authorization/docs *(Lesson 10)*
- **Sigstore / cosign** — https://docs.sigstore.dev/ *(Lesson 10)*
- **Skaffold — Continuous Delivery** — https://skaffold.dev/docs/workflows/ci-cd/ *(Lessons 5, 8)*

## Concepts & best practice
- **Trunk-Based Development** — https://trunkbaseddevelopment.com/ *(Lesson 6)*
- **CI/CD (GitHub guide)** — https://resources.github.com/devops/ci-cd/ *(Lesson 1)*
- **SLSA (supply-chain levels)** — https://slsa.dev/ *(Lesson 10)*

## In-repo ground truth
- [reference/repo-cicd-map.md](./reference/repo-cicd-map.md) — the workflows, composite actions,
  deploy scripts, runner setup, and binauthz, with paths and line anchors.

## Communities (for wisdom)
- **GitHub Community — Actions** (github.com/orgs/community/discussions/categories/actions).
- **r/devops** — practical pipeline Q&A.
- Internally: the platform team owning `.github/` and `deployments/` — *why the delivery model is
  push-based and how binauthz is enforced*.
