
Roadmap: a consistent, secure, reliable reusable-workflow library (2026 H1 refresh) #305


@devantler

🤖 Generated by the Daily AI Assistant


This is the second strategy review for devantler-tech/reusable-workflows, refreshing the now-delivered first roadmap #252 ("complete · consistent · secure", closed 2026-06-01, all four children #253–#256 shipped). The sibling composite-action library's first epic (actions#181) is likewise closed; both shared CI libraries have cleared their v1 direction, so this epic sets the next one rather than re-stating it.

Where the library is today

A mature, well-conventioned CI backbone consumed by every devantler-tech repo: 17 reusable workflows, each workflow_call, SHA-pinned, harden-runner-fronted, with permissions: {} at top level, and each exercised by a [Test] dry-run job in ci.yaml aggregated under the single required check, CI - Required Checks. The v1 gaps are closed: publish-app.yaml now has its [Test] job (#253) and README entry (#254); the AGENTS.md test convention is reconciled (#255); the zizmor.yml ignore list is audited (#256). The recent merge stream (dependency-review hardening #286/#290/#298, govulncheck allowlist proofs #287/#294/#300, free-disk-space #285, internal-dependency cooldown exemption #297) shows that security and supply-chain hardening is the live, active theme.

Direction — consistent · secure · reliable

Completeness is now a standing invariant rather than a theme (see below); the open direction is three pillars, two carried forward and one new. Each child is additive and backward-compatible — the blast radius is every consumer repo, so no breaking input/output/secret change ships without a deliberate, maintainer-promoted decision.

  1. Consistency — one App-token identifier across the suite. create-release.yaml is the lone outlier on client-id/vars.APP_CLIENT_ID; the other seven App-token workflows use app-id/vars.APP_ID, so a consuming repo must provision both variables. Converge on one convention. (S — tracked in Converge App-token workflows on a single identifier (client-id/APP_CLIENT_ID vs app-id/APP_ID) #303; maintainer-gated: needs APP_CLIENT_ID provisioned org-wide before the flip, a coordinated rollout this epic can't self-serve.)

  2. Security — harden the Go vulnerability-scan gate. Keep tightening the govulncheck path (.govulncheck-allow.txt allowlist semantics, the frozen self-test fixture) so a required security gate is both trustworthy and non-bypassable. (S–M — tracked in Harden & stabilize the Go vulnerability-scan gate (govulncheck allow-file) #282; partially delivered (Add a self-test proving .govulncheck-allow.txt is honored #283/test(govulncheck): prove .govulncheck-allow.txt allowlist is honored #287/ci: freeze govulncheck self-test fixture from Dependabot #294/docs(agents): document the govulncheck allowlist as a tested invariant #300); remaining item — retiring the delete-workflow-runs fork — overlaps pillar 3 and is upstream-gated.)

  3. Reliability — a required check must never go red on transient infrastructure (NEW). A reusable workflow that calls an external API on a required-check path can fail the gate on a transient GitHub-API 5xx, blocking unrelated PRs portfolio-wide with no code defect. delete-workflow-runs (no retry on 5xx) is the open instance. The general invariant: every reusable workflow on a required-check path tolerates transient upstream failures (bounded retry / --retry-all-errors-style resilience) so flakiness can't masquerade as a real failure. This dimension was absent from v1 and is the highest-leverage new direction for a backbone whose checks gate the whole org. (S–M — open instance delete-workflow-runs: transient GitHub API 5xx fails the job (no retry) — flaky required check #292, a bug; durable fix is upstream in the delete-workflow-runs action per the contribute-upstream-don't-fork principle.)
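Pillar 2 turns on two things the prose only names: what "allowlist semantics" means for the gate, and what the self-test (#283/#287) actually proves. The script below is an added example, not the repo's own gate or fixture. It assumes an allow file of one GO-YYYY-NNNN ID per line with `#` comments (the real .govulncheck-allow.txt format may differ) and a report in the shape of govulncheck's plain-text output; the report, the allow file and the vulnerability IDs are all constructed placeholders. The point worth copying is the normalization step: only lines that are exactly an ID count as entries, so a blank line, a `*`, or a typo in the allow file can never silently allow every finding.

```shell
#!/bin/sh
# Added example (not the repo's gate): a govulncheck allowlist gate plus the
# self-test that proves the allow file is honored. Assumptions: the allow file
# lists one GO-YYYY-NNNN ID per line, `#` starts a comment; the report is
# govulncheck's plain-text output. Report, allow file and IDs are constructed.

WORKDIR=$(mktemp -d)
REPORT="$WORKDIR/govulncheck.txt"
ALLOW="$WORKDIR/.govulncheck-allow.txt"

# Constructed report in the shape of govulncheck text output; IDs are fake.
cat > "$REPORT" <<'EOF'
=== Symbol Results ===

Vulnerability #1: GO-0000-0001
    Constructed finding, allowed below.
  More info: https://pkg.go.dev/vuln/GO-0000-0001

Vulnerability #2: GO-0000-0002
    Constructed finding, not allowed.
  More info: https://pkg.go.dev/vuln/GO-0000-0002
EOF

# Constructed allow file: comments, blank lines and trailing comments must all
# be handled so that a stray blank line can never match "everything".
cat > "$ALLOW" <<'EOF'
# reviewed: not reachable in our build; revisit after the next Go release
GO-0000-0001   # trailing comment

EOF

# Print the IDs present in REPORT that are not in ALLOW, one per line, sorted.
unallowed_vulns() {
  report="$1"; allow="$2"
  ids=$(mktemp)
  # Normalize the allow file to bare IDs; anything else is ignored, so a
  # blank line, "*", or a typo cannot silently allow every finding.
  sed 's/#.*//; s/[[:space:]]//g' "$allow" 2>/dev/null \
    | grep -E '^GO-[0-9]{4}-[0-9]+$' > "$ids" || true
  # An empty pattern file matches nothing, so -v then prints every finding.
  grep -Eo 'GO-[0-9]{4}-[0-9]+' "$report" | sort -u | grep -vxFf "$ids" || true
  rm -f "$ids"
}

# The gate: non-zero with the offending IDs when anything is unallowed.
vuln_gate() {
  bad=$(unallowed_vulns "$1" "$2")
  if [ -n "$bad" ]; then
    echo "govulncheck: unallowed vulnerabilities:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Self-test of the gate itself: the frozen fixture must fail without its
# allow entries and pass with them, otherwise the "gate" could be a no-op.
gate_selftest() {
  empty=$(mktemp)
  if vuln_gate "$REPORT" "$empty" 2>/dev/null; then rm -f "$empty"; return 1; fi
  rm -f "$empty"
  with_both=$(mktemp)
  printf 'GO-0000-0001\nGO-0000-0002\n' > "$with_both"
  vuln_gate "$REPORT" "$with_both" 2>/dev/null && rc=0 || rc=$?
  rm -f "$with_both"
  return "$rc"
}

# Stand-alone run: the sample allows only GO-0000-0001, so the gate fails.
vuln_gate "$REPORT" "$ALLOW" || echo "gate would fail the job (exit $?)"
gate_selftest && echo "self-test: allow file is honored"
```

In the real workflow the self-test is the part that makes the allowlist a tested invariant rather than a comment: if a refactor ever stops reading the allow file, the fixture run flips from pass to fail in the library's own CI instead of in a consumer's required check.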
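Pillar 3 asks for "bounded retry" without saying what is retried and what is not; that split is the security-relevant part, because retrying a 401/403 on a required check only delays a real failure while retrying a 502 masks nothing. The script below is an added example, not the delete-workflow-runs action's code. It assumes a simple exit-code contract for the wrapped call (0 success, 75 = EX_TEMPFAIL for 5xx/timeouts, anything else permanent) and stands in a scripted fake for api.github.com so it runs offline; the response sequences are constructed. For a real curl call, `curl --retry N` already treats 408, 429 and 500/502/503/504 as transient and `--retry-all-errors` widens that to every failure; the wrapper shows the same bounded shape with the transient/permanent decision made explicit.

```shell
#!/bin/sh
# Added example, not the delete-workflow-runs action's code: a bounded retry
# wrapper for calls on a required-check path, with a simulated GitHub API that
# returns a scripted sequence of HTTP statuses (constructed; no network).
# Exit-code contract for the wrapped command (an assumption of this example):
#   0  success                                        -> stop
#   75 EX_TEMPFAIL (5xx, timeout, connection reset)   -> retry with backoff
#   anything else (4xx: auth, not found, validation)  -> fail fast, no retry

WORKDIR=$(mktemp -d)
RESPONSES="$WORKDIR/responses"   # scripted statuses, one per line
COUNTER="$WORKDIR/calls"         # how many calls have been made

# Script the fake API, e.g.: reset_fake 502 503 200
reset_fake() {
  printf '%s\n' "$@" > "$RESPONSES"
  echo 0 > "$COUNTER"
}

# Simulated `curl --fail` against api.github.com: consumes the next scripted
# status and maps it to the exit-code contract above.
fake_github_api() {
  n=$(($(cat "$COUNTER") + 1))
  echo "$n" > "$COUNTER"
  status=$(sed -n "${n}p" "$RESPONSES")
  case "$status" in
    2??)    echo '{"total_count":0,"workflow_runs":[]}'; return 0 ;;
    5??|"") echo "attempt $n: HTTP ${status:-no response} (transient)" >&2; return 75 ;;
    *)      echo "attempt $n: HTTP $status (permanent)" >&2; return 1 ;;
  esac
}

# retry_bounded MAX_ATTEMPTS BASE_DELAY_SECONDS CMD [ARGS...]
# Retries only on exit 75, doubling the delay each time, and gives up after
# MAX_ATTEMPTS so a dead upstream still fails the job in bounded time.
retry_bounded() {
  max="$1"; delay="$2"; shift 2
  attempt=1
  while :; do
    "$@" && return 0
    rc=$?
    [ "$rc" -eq 75 ] || return "$rc"
    [ "$attempt" -lt "$max" ] || { echo "giving up after $attempt attempts" >&2; return "$rc"; }
    sleep "$delay"
    delay=$((delay * 2))
    attempt=$((attempt + 1))
  done
}

# Number of calls the fake API has seen since the last reset.
calls_made() { cat "$COUNTER"; }

# Stand-alone demo: two 5xx then success -> the gate stays green.
reset_fake 502 503 200
retry_bounded 5 0 fake_github_api && echo "recovered after $(calls_made) calls"
# A 403 is not transient: one call, immediate failure, nothing masked.
reset_fake 403 200
retry_bounded 5 0 fake_github_api || echo "failed fast after $(calls_made) call (exit $?)"
```

The bound matters as much as the retry: an unbounded loop turns a GitHub outage into a job that hangs until the runner's timeout, which is a different way of blocking every PR in the org.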

Standing invariants (the bar for any change, not themes to "finish")

  • Completeness. Every new reusable workflow ships in the same PR with its [Test] dry-run job in ci.yaml and its README.md catalogue entry (inputs/secrets/outputs). v1 closed the historical gap; this keeps it from reopening.
  • Consistency of conventions. New workflows match the house pattern: workflow_call, SHA-pinned uses, harden-runner first step, top-level permissions: {}, App-token least-privilege.
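The house pattern listed here (and summarized under "Where the library is today") is easy to state and easy to drift from; what keeps it a standing invariant is a check that fails when a workflow violates it. The script below is an added example, not tooling from the reusable-workflows repo (the suite relies on zizmor and review for this). It lints two constructed workflow files with grep/awk, which is adequate for this layout but is not a YAML parser; the 40-hex commit SHAs in the samples are placeholders, not real commits.

```shell
#!/bin/sh
# Added example: lint a workflow file for the house pattern
# (workflow_call trigger, SHA-pinned `uses:`, top-level `permissions: {}`,
# harden-runner as the first step of every job). grep/awk approximation of
# YAML, adequate for this layout; not the repo's own tooling.

WORKDIR=$(mktemp -d)
GOOD="$WORKDIR/good.yaml"
BAD="$WORKDIR/bad.yaml"

# Constructed sample that follows the pattern (SHAs are placeholders).
cat > "$GOOD" <<'EOF'
name: govulncheck
on:
  workflow_call:
    inputs:
      go-version:
        type: string
        required: false
permissions: {}
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: echo "scan here"
EOF

# Constructed sample that breaks all four rules.
cat > "$BAD" <<'EOF'
name: bad
on:
  push:
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "scan here"
EOF

# Prints one "FAIL: ..." line per violated rule to stderr and the number of
# violated rules (0-4) to stdout; always exits 0 so the caller decides.
check_workflow() {
  f="$1"; fails=0

  # Rule 1: reusable workflows are triggered by workflow_call.
  grep -Eq '^[[:space:]]+workflow_call:' "$f" \
    || { echo "FAIL: $f: no workflow_call trigger" >&2; fails=$((fails+1)); }

  # Rule 2: every `uses:` is pinned to a full 40-hex commit SHA (tag comment allowed).
  unpinned=$(grep -E 'uses:' "$f" | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' || true)
  [ -z "$unpinned" ] \
    || { echo "FAIL: $f: unpinned uses:"; echo "$unpinned"; fails=$((fails+1)); } >&2

  # Rule 3: the top-level permissions block is empty; jobs opt in per scope.
  grep -Eq '^permissions:[[:space:]]*[{][}][[:space:]]*$' "$f" \
    || { echo "FAIL: $f: top-level permissions is not {}" >&2; fails=$((fails+1)); }

  # Rule 4: the first step of every job is step-security/harden-runner.
  # state 1 = waiting for the first step, 2 = inside the first step.
  awk '
    /^[[:space:]]*steps:[[:space:]]*$/ { if (state==2 && !ok) bad++; state=1; next }
    state==1 && /^[[:space:]]*-[[:space:]]/ { state=2; ok=0; seen=0 }
    state==2 {
      if (/^[[:space:]]*-[[:space:]]/ && seen) { if (!ok) bad++; state=0 }
      seen=1
      if (/step-security\/harden-runner@/) ok=1
    }
    END { if (state==2 && !ok) bad++; exit bad+0 }
  ' "$f" \
    || { echo "FAIL: $f: a job does not start with harden-runner" >&2; fails=$((fails+1)); }

  echo "$fails"
}

# Stand-alone run: lint both samples.
for f in "$GOOD" "$BAD"; do
  echo "$f: $(check_workflow "$f" 2>/dev/null) rule(s) violated"
done
```

Run as a job in the library's own ci.yaml, a non-zero count would fail the library's CI before a drifting workflow reaches a consumer; the SHA rule is the one that matters most for supply-chain posture, since a floating tag on a `uses:` line is exactly the mutable reference pinning is meant to remove.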

Children / triage

The three open issues above are this epic's actionable children — no new duplicating issues are filed. Incoming issues/PRs triage into these three pillars (or surface a genuinely new gap, which refreshes this epic on the next per-product strategy cadence). This epic is a living document.
