Roadmap: a consistent, secure, reliable reusable-workflow library (2026 H1 refresh)
This is the second strategy review for devantler-tech/reusable-workflows, refreshing the now-delivered first roadmap #252 ("complete · consistent · secure", closed 2026-06-01, all four children #253–#256 shipped). The sibling composite-action library's first epic (actions#181) is likewise closed — both shared CI libraries cleared their v1 direction, so this epic sets the next one rather than re-stating it.
Where the library is today
A mature, well-conventioned CI backbone consumed by every devantler-tech repo: 17 reusable workflows, each workflow_call, SHA-pinned, harden-runner-fronted, permissions: {} at top level, and exercised by a [Test] dry-run job in ci.yaml aggregated under the single required CI - Required Checks. The v1 gaps are closed — publish-app.yaml now has its [Test] job (#253) and README entry (#254); the AGENTS.md test convention is reconciled (#255); the zizmor.yml ignore list is audited (#256). The recent merge stream (dependency-review hardening #286–#290/#298, govulncheck allowlist proofs #287/#294/#300, free-disk-space #285, internal-dep cooldown exemption #297) shows security & supply-chain is the live, active theme.
Direction — consistent · secure · reliable
Completeness is now a standing invariant rather than a theme (see below); the open direction is three pillars, two carried forward and one new. Each child is additive and backward-compatible — the blast radius is every consumer repo, so no breaking input/output/secret change ships without a deliberate, maintainer-promoted decision.
Consistency — one App-token identifier across the suite. create-release.yaml is the lone outlier on client-id/vars.APP_CLIENT_ID; the other seven App-token workflows use app-id/vars.APP_ID, so a consuming repo must provision both variables. Converge on one convention. (S — tracked in Converge App-token workflows on a single identifier (client-id/APP_CLIENT_ID vs app-id/APP_ID) #303; maintainer-gated: needs APP_CLIENT_ID provisioned org-wide before the flip, a coordinated rollout this epic can't self-serve.)
Security — harden the Go vulnerability-scan gate. Keep tightening the govulncheck path (.govulncheck-allow.txt allowlist semantics, the frozen self-test fixture) so a required security gate is both trustworthy and non-bypassable. (S–M — tracked in Harden & stabilize the Go vulnerability-scan gate (govulncheck allow-file) #282; partially delivered (Add a self-test proving .govulncheck-allow.txt is honored #283 / test(govulncheck): prove .govulncheck-allow.txt allowlist is honored #287 / ci: freeze govulncheck self-test fixture from Dependabot #294 / docs(agents): document the govulncheck allowlist as a tested invariant #300); remaining item — retiring the delete-workflow-runs fork — overlaps pillar 3 and is upstream-gated.)
Reliability — a required check must never red on transient infrastructure (NEW). A reusable workflow that calls an external API on a required-check path can fail the gate on a transient GitHub-API 5xx, blocking unrelated PRs portfolio-wide with no code defect. delete-workflow-runs (no retry on 5xx) is the open instance. The general invariant: every reusable workflow on a required-check path tolerates transient upstream failures (bounded retry / --retry-all-errors-style resilience) so flakiness can't masquerade as a real failure. This dimension was absent from v1 and is the highest-leverage new direction for a backbone whose checks gate the whole org. (S–M — open instance delete-workflow-runs: transient GitHub API 5xx fails the job (no retry) — flaky required check #292, a bug; durable fix is upstream in the delete-workflow-runs action per the contribute-upstream-don't-fork principle.)
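What the reliability invariant asks of an individual step, as an added example in POSIX shell (meant for a `run:` step or a small script; it is not code from this repository or from the delete-workflow-runs action): retry only on a transient class of failure, with a bounded attempt count and capped backoff, and fail fast on everything else so a genuine 4xx, a scope error or a bad input still goes red. The wrapped command signals "transient" with exit status 75 (EX_TEMPFAIL); that convention, the `http_class` mapping and the `gh_api` helper are this example's assumptions, not GitHub's API. The `flaky` command is a constructed stand-in for an endpoint that returns 5xx a few times and then succeeds, so the block runs offline.

```shell
#!/bin/sh
# Bounded retry on transient upstream failure. Added example for the
# reliability invariant in this roadmap; not code from this repository or
# from the delete-workflow-runs action.
#
# Convention (this example's, not GitHub's): a wrapped command exits 75
# (EX_TEMPFAIL) for a retryable condition. Any other non-zero status is a
# permanent failure and is returned at once, so retries never mask a real defect.

retry_transient() {   # retry_transient <max-attempts> <base-delay-s> <cmd> [args...]
  max=$1; base=$2; shift 2
  attempt=1
  while :; do
    "$@" && rc=0 || rc=$?                      # capture status without tripping set -e
    case $rc in
      0)  return 0 ;;
      75) ;;                                   # transient: retry below
      *)  echo "retry_transient: permanent failure (exit $rc) on attempt $attempt" >&2
          return "$rc" ;;
    esac
    if [ "$attempt" -ge "$max" ]; then
      echo "retry_transient: still failing after $attempt attempts, giving up" >&2
      return 75
    fi
    delay=$((base << (attempt - 1)))           # exponential backoff ...
    [ "$delay" -gt 30 ] && delay=30            # ... capped at 30 s
    echo "retry_transient: transient failure, attempt $attempt/$max, retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
  done
}

# Map an HTTP status onto the convention: 2xx ok, 429/5xx transient,
# anything else (404, 403 from a missing scope, 422) permanent.
http_class() {
  case $1 in
    2??)      return 0 ;;
    429|5??)  return 75 ;;
    *)        return 1 ;;
  esac
}

# GitHub REST call via curl, returning http_class of the response code; a
# network-level curl error is also treated as transient. curl's own --retry
# already re-sends on 408/429/5xx and timeouts, and --retry-all-errors widens
# that to every failure; this wrapper adds the transient/permanent split.
gh_api() {   # gh_api <METHOD> </path>   e.g. gh_api DELETE /repos/o/r/actions/runs/123
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 30 \
    -X "$1" -H "Authorization: Bearer ${GITHUB_TOKEN:?set GITHUB_TOKEN}" \
    -H "Accept: application/vnd.github+json" "https://api.github.com$2") || return 75
  http_class "$code"
}

# Constructed stand-in for a flaky API (not a real endpoint): transient failure
# for the first $1 calls, success afterwards. State lives in a temp file so it
# survives across retries.
FLAKY_STATE=$(mktemp)
flaky() {
  n=$(cat "$FLAKY_STATE" 2>/dev/null || true); n=${n:-0}
  echo $((n + 1)) > "$FLAKY_STATE"
  [ "$n" -ge "$1" ] && return 0
  return 75
}

# Demo: absorbs two simulated 5xx responses, then succeeds on the third attempt.
if [ "${1:-}" = "--demo" ]; then
  retry_transient 3 1 flaky 2 && echo "ok after $(cat "$FLAKY_STATE") attempts"
fi
```

The important design choice is the narrow retry set: `retry_transient 5 2 gh_api DELETE /repos/...` will ride out a 502 or a dropped connection, but a 404 for an already-deleted run or a 403 from an under-scoped token returns immediately with the real status, so the required check reports the defect instead of burning five attempts on it.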
Standing invariants (the bar for any change, not themes to "finish")
Completeness. Every new reusable workflow ships in the same PR with its [Test] dry-run job in ci.yaml and its README.md catalogue entry (inputs/secrets/outputs). v1 closed the historical gap; this keeps it from reopening.
Consistency of conventions. New workflows match the house pattern: workflow_call, SHA-pinned uses, harden-runner first step, top-level permissions: {}, App-token least-privilege.
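A mechanical check for the house pattern, added here as an example (not the repository's own tooling): a POSIX shell script that walks every workflow file under a directory and reports a `workflow_call` trigger that is missing, a top-level `permissions: {}` that is missing, any remote `uses:` not pinned to a full 40-hex commit SHA, and any job whose first step is not step-security/harden-runner. It is line-oriented and assumes block-style YAML with one key per line, which is how these workflows are written; a real YAML parser, or the zizmor run the repo already has, is the stricter tool. The two fixture workflows it writes are constructed for the demo, and the 40-hex refs in them are placeholders rather than real commits of those actions.

```shell
#!/bin/sh
# House-pattern checker for reusable workflows. Added example for this
# roadmap; not the devantler-tech/reusable-workflows repository's own tooling.
# Rules per file (line-oriented; assumes block-style YAML, one key per line):
#   1. an `on: workflow_call` trigger is present,
#   2. `permissions: {}` is declared at the top level (column 0),
#   3. every remote `uses:` (actions and reusable workflows alike) is pinned to
#      a full 40-hex commit SHA; `./local` and `docker://` refs are skipped,
#   4. the first step of every job is step-security/harden-runner.
# Output: one "file:line: finding" per violation; empty output means clean.

check_workflow() {
  awk -v f="$1" '
    /^on:[[:space:]]*\[.*workflow_call/          { has_call = 1 }
    /^[[:space:]]+workflow_call:/                 { has_call = 1 }
    /^permissions:[[:space:]]*\{\}[[:space:]]*$/  { has_perm = 1 }
    /^[[:space:]]+steps:/                         { first = 1 }   # next step must be harden-runner
    /^[[:space:]]*-?[[:space:]]*run:/ && first {
      printf "%s:%d: first step is a run step, not harden-runner\n", f, NR; first = 0
    }
    /^[[:space:]]*-?[[:space:]]*uses:/ {
      ref = $0
      sub(/.*uses:[[:space:]]*/, "", ref)           # strip the key
      sub(/[[:space:]]*(#.*)?$/, "", ref)           # strip a trailing "# vX.Y.Z" comment
      if (first) {
        first = 0
        if (ref !~ /^step-security\/harden-runner@/)
          printf "%s:%d: first step is not harden-runner (%s)\n", f, NR, ref
      }
      if (ref ~ /^(\.\/|docker:\/\/)/) next          # local path or image: no pin to check
      n = split(ref, p, "@")
      if (n != 2 || length(p[2]) != 40 || p[2] !~ /^[0-9a-f]+$/)
        printf "%s:%d: unpinned action ref %s (want a 40-hex commit SHA)\n", f, NR, ref
    }
    END {
      if (!has_call) printf "%s: missing workflow_call trigger\n", f
      if (!has_perm) printf "%s: missing top-level permissions: {}\n", f
    }' "$1"
}

lint_workflows() {   # lint_workflows <dir>  -> exit 1 if any file violates the pattern
  bad=0
  for wf in "$1"/*.yml "$1"/*.yaml; do
    [ -e "$wf" ] || continue
    findings=$(check_workflow "$wf")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; bad=$((bad + 1)); fi
  done
  echo "$bad file(s) violate the house pattern"
  [ "$bad" -eq 0 ]
}

# Constructed fixtures for the demo and the test. The 40-hex refs are
# placeholders, not real commits of those actions.
make_fixtures() {
  d=$(mktemp -d)
  cat > "$d/good.yaml" <<'EOF'
on:
  workflow_call:
    inputs:
      dry-run: { type: boolean, default: false }
permissions: {}
jobs:
  run:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@1111111111111111111111111111111111111111 # vX.Y.Z (placeholder SHA)
        with:
          egress-policy: audit
      - uses: actions/checkout@2222222222222222222222222222222222222222 # vX.Y.Z (placeholder SHA)
EOF
  cat > "$d/bad.yaml" <<'EOF'
on:
  push:
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: step-security/harden-runner@v2
EOF
  printf '%s\n' "$d"
}

# Usage: sh check-workflows.sh .github/workflows   (exit 1 on any violation)
#        sh check-workflows.sh --demo              (run against the fixtures)
case "${1:-}" in
  --demo) FX=$(make_fixtures); lint_workflows "$FX"; rm -rf "$FX" ;;
  "")     ;;
  *)      lint_workflows "$1" ;;
esac
```

Run against `bad.yaml` the script reports five findings (unpinned `actions/checkout@v4` that is also not harden-runner, unpinned `step-security/harden-runner@v2`, no `workflow_call`, no top-level `permissions: {}`) and exits 1, which is the shape a [Test]-style guard wants: it fails the PR that introduces the drift rather than the consumer that later inherits it.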
Children / triage
The three open issues above are this epic's actionable children — no new duplicating issues are filed. Incoming issues/PRs triage into these three pillars (or surface a genuinely new gap, which refreshes this epic on the next per-product strategy cadence). This epic is a living document.