🤖 Generated by the Daily AI Assistant
Roadmap: a complete, consistent, secure reusable-workflow library
This is the first strategy review for devantler-tech/reusable-workflows. The repo had no roadmap and no open issues; this epic sets a direction. It mirrors the sibling devantler-tech/actions roadmap (#181) — same three pillars (complete · consistent · secure) applied to reusable workflows rather than composite actions, so the two shared CI libraries stay aligned without overlapping.
Where the library is today
A mature, well-conventioned library: every reusable workflow is workflow_call, SHA-pinned, harden-runner-fronted, permissions: {} at top level, and exercised by a [Test] job in ci.yaml aggregated under CI - Required Checks. AGENTS.md documents the conventions clearly. The .NET 10 SDK provisioning (run-dotnet-tests / publish-dotnet-library) and App-token least-privilege scoping landed recently.
Gaps this roadmap closes
- Completeness — test coverage. Every reusable workflow has a [Test] job in ci.yaml except the newest one, publish-app.yaml (keyless cosign OCI image+manifests publish). An untested publish path that does Fulcio/Rekor signing is the highest-value coverage gap.
- Completeness — docs. publish-app.yaml has zero mentions in README.md; the README catalogue is otherwise the contract consumers read for inputs/secrets/outputs and should be audited for parity against each workflow_call definition.
- Consistency — test convention drift. AGENTS.md → Test Workflows prescribes standalone test-<workflow-name>.yaml files, but tests actually live as [Test] jobs inside ci.yaml. The doc and the reality should be reconciled.
- Security — disabled-rule rationale. zizmor.yml's secrets-outside-env ignore list carries 12 entries under a single blanket comment, and at least one (lint-documentation.yaml:35) points at a workflow that no longer exists. Each suppression should be justified, audited for re-enablement, and stale entries dropped — mirroring actions#184.
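One way to catch the stale-suppression case in CI, as an added example that is not part of the repo's own tooling: a POSIX sh function that reads the secrets-outside-env ignore list out of a zizmor config and reports every entry whose workflow file no longer exists. It assumes zizmor's rules: <rule>: ignore: config layout and the file.yml[:line[:col]] entry form; the config and workflow names in the comments are constructed.

```shell
#!/usr/bin/env sh
# Added audit helper, not part of devantler-tech/reusable-workflows.
# Lists every entry in a zizmor config's secrets-outside-env ignore list
# whose workflow file is missing from the workflows directory, and returns
# 1 if any such stale entry exists (so it can fail a CI job).
# Assumes zizmor's layout:  rules: <rule>: ignore: [file.yml[:line[:col]]]
stale_zizmor_ignores() {
  config="$1"
  workflows_dir="$2"
  rc=0
  # Pull only the "- file.yaml:line" items under the secrets-outside-env
  # rule: stop at the next rule key, drop trailing "# ..." comments.
  entries=$(awk '
    /^  secrets-outside-env:/   { in_rule = 1; next }
    in_rule && /^ ? ?[^ #-]/    { in_rule = 0 }
    in_rule && /^ *- /          { sub(/^ *- */, ""); sub(/ *#.*$/, ""); print }
  ' "$config")
  for entry in $entries; do
    file="${entry%%:*}"   # strip :line[:col] to get the workflow filename
    if [ ! -f "$workflows_dir/$file" ]; then
      echo "stale: $entry (no $workflows_dir/$file)"
      rc=1
    fi
  done
  return "$rc"
}
# Usage from the repo root (adjust the config path to where zizmor.yml lives):
#   stale_zizmor_ignores zizmor.yml .github/workflows
```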
Children
- [Test] job for publish-app.yaml (completeness · coverage)
- publish-app + audit README input/secret/output parity (completeness · docs)
- AGENTS.md "Test Workflows" with the ci.yaml [Test]-job reality (consistency)
- zizmor.yml secrets-outside-env ignores; drop the stale lint-documentation entry (security)
Each is additive, backward-compatible — blast radius is every consumer repo, so no breaking input/output change without a deliberate, maintainer-promoted decision.
Rough size
Small–medium. One child per PR; actionlint-clean; validate via the existing ci.yaml [Test] jobs.