Skip to content

Roadmap: shared CI/CD library β€” reliability, trust gates, and operational frictionΒ #558

Description

@devantler

πŸ€– Generated by the Daily AI Engineer

Strategy review (2026-07-12)

Where the product is: healthy steady-state. 15 composite actions + 18 reusable workflows serve the whole portfolio; every action has per-input self-test jobs in ci.yaml; releases flow continuously (v9.0.9); Renovate propagates SHA pins to consumers. The reusable-workflows merge-in is complete and the old repo archived.

Where it should improve β€” themes from operational evidence (every finding below was hit in real portfolio runs), each to be worked as its own child issue, oldest-first:

T1 β€” Reliability against external-endpoint rate limits

Recurring CI failures come from endpoints we don't control: api.github.com secondary rate limits (zizmor advisories, agent-skills blob 403s) and raw.githubusercontent.com CDN 429s (TODOs scan, kubeconform schema fetches β€” retry shipped in #484, caching in #476). Direction: a consistent retry/backoff/cache convention across all actions that touch external endpoints. Child: #514 (open, startable). Size: M.

T2 β€” Supply-chain pinning completion

Self-references are SHA-pinned; the remaining accommodation (CodeQL unpinned-tag exclusion, zizmor scope) is tracked in #426 β€” its org-policy AC is blocked upstream (crossplane-contrib/provider-upjet-github#288, verified open), the rest landed via #541. Direction: finish the revert when the provider ships. Child: #426 (open, partially blocked β€” cite the upstream PR when skipping). Size: S.

T3 β€” Auto-merge trust-gate hardening

The enable-auto-merge workflow's App approval used to satisfy required reviews for ANY non-draft PR (review bypass, fixed by the exact-login bot gate #546) and could still arm on stale review state β€” #548's current-head pentad gate is in flight as PR #553. Direction: land #553, then keep the gate's fixture suite in step with new review surfaces (CodeRabbit summary shapes, Codex output forms). Child: #548 (PR open). Size: S (remainder).

T4 β€” Workflow-file-PR operational friction (new)

GitHub Apps without the workflows permission cannot push to or merge PRs that touch .github/workflows/**. This recurring class (auto-merge can't arm them β€” #418; mega-linter auto-fix can't push its own fix; Template Sync fails portfolio-wide β€” devantler-tech/.github#68) costs manual intervention every time it appears. Direction: document the constraint + detection in this repo's AGENTS.md and README (which workflows are affected and the manual fallback per case), and where feasible have affected workflows detect-and-degrade gracefully (skip + explain instead of failing red). Size: S–M. (Child issue to be filed when picked up.)

Non-goals: no new actions without a proven 2+ product pattern (the shared-library extraction rule); no bespoke retry frameworks where a maintained wrapper action (e.g. wretry) fits.

Cadence: revisit this review ~monthly or when a new cross-portfolio CI pattern emerges.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions