π€ Generated by the Daily AI Engineer
Strategy review (2026-07-12)
Where the product is: healthy steady-state. 15 composite actions + 18 reusable workflows serve the whole portfolio; every action has per-input self-test jobs in ci.yaml; releases flow continuously (v9.0.9); Renovate propagates SHA pins to consumers. The reusable-workflows merge-in is complete and the old repo archived.
Where it should improve β themes from operational evidence (every finding below was hit in real portfolio runs), each to be worked as its own child issue, oldest-first:
T1 β Reliability against external-endpoint rate limits
Recurring CI failures come from endpoints we don't control: api.github.com secondary rate limits (zizmor advisories, agent-skills blob 403s) and raw.githubusercontent.com CDN 429s (TODOs scan, kubeconform schema fetches β retry shipped in #484, caching in #476). Direction: a consistent retry/backoff/cache convention across all actions that touch external endpoints. Child: #514 (open, startable). Size: M.
T2 β Supply-chain pinning completion
Self-references are SHA-pinned; the remaining accommodation (CodeQL unpinned-tag exclusion, zizmor scope) is tracked in #426 β its org-policy AC is blocked upstream (crossplane-contrib/provider-upjet-github#288, verified open), the rest landed via #541. Direction: finish the revert when the provider ships. Child: #426 (open, partially blocked β cite the upstream PR when skipping). Size: S.
T3 β Auto-merge trust-gate hardening
The enable-auto-merge workflow's App approval used to satisfy required reviews for ANY non-draft PR (review bypass, fixed by the exact-login bot gate #546) and could still arm on stale review state β #548's current-head pentad gate is in flight as PR #553. Direction: land #553, then keep the gate's fixture suite in step with new review surfaces (CodeRabbit summary shapes, Codex output forms). Child: #548 (PR open). Size: S (remainder).
T4 β Workflow-file-PR operational friction (new)
GitHub Apps without the workflows permission cannot push to or merge PRs that touch .github/workflows/**. This recurring class (auto-merge can't arm them β #418; mega-linter auto-fix can't push its own fix; Template Sync fails portfolio-wide β devantler-tech/.github#68) costs manual intervention every time it appears. Direction: document the constraint + detection in this repo's AGENTS.md and README (which workflows are affected and the manual fallback per case), and where feasible have affected workflows detect-and-degrade gracefully (skip + explain instead of failing red). Size: SβM. (Child issue to be filed when picked up.)
Non-goals: no new actions without a proven 2+ product pattern (the shared-library extraction rule); no bespoke retry frameworks where a maintained wrapper action (e.g. wretry) fits.
Cadence: revisit this review ~monthly or when a new cross-portfolio CI pattern emerges.
Strategy review (2026-07-12)
Where the product is: healthy steady-state. 15 composite actions + 18 reusable workflows serve the whole portfolio; every action has per-input self-test jobs in
ci.yaml; releases flow continuously (v9.0.9); Renovate propagates SHA pins to consumers. The reusable-workflows merge-in is complete and the old repo archived.Where it should improve β themes from operational evidence (every finding below was hit in real portfolio runs), each to be worked as its own child issue, oldest-first:
T1 β Reliability against external-endpoint rate limits
Recurring CI failures come from endpoints we don't control:
api.github.comsecondary rate limits (zizmor advisories, agent-skills blob 403s) andraw.githubusercontent.comCDN 429s (TODOs scan, kubeconform schema fetches β retry shipped in #484, caching in #476). Direction: a consistent retry/backoff/cache convention across all actions that touch external endpoints. Child: #514 (open, startable). Size: M.T2 β Supply-chain pinning completion
Self-references are SHA-pinned; the remaining accommodation (CodeQL unpinned-tag exclusion, zizmor scope) is tracked in #426 β its org-policy AC is blocked upstream (crossplane-contrib/provider-upjet-github#288, verified open), the rest landed via #541. Direction: finish the revert when the provider ships. Child: #426 (open, partially blocked β cite the upstream PR when skipping). Size: S.
T3 β Auto-merge trust-gate hardening
The enable-auto-merge workflow's App approval used to satisfy required reviews for ANY non-draft PR (review bypass, fixed by the exact-login bot gate #546) and could still arm on stale review state β #548's current-head pentad gate is in flight as PR #553. Direction: land #553, then keep the gate's fixture suite in step with new review surfaces (CodeRabbit summary shapes, Codex output forms). Child: #548 (PR open). Size: S (remainder).
T4 β Workflow-file-PR operational friction (new)
GitHub Apps without the
workflowspermission cannot push to or merge PRs that touch.github/workflows/**. This recurring class (auto-merge can't arm them β #418; mega-linter auto-fix can't push its own fix; Template Sync fails portfolio-wide β devantler-tech/.github#68) costs manual intervention every time it appears. Direction: document the constraint + detection in this repo's AGENTS.md and README (which workflows are affected and the manual fallback per case), and where feasible have affected workflows detect-and-degrade gracefully (skip + explain instead of failing red). Size: SβM. (Child issue to be filed when picked up.)Non-goals: no new actions without a proven 2+ product pattern (the shared-library extraction rule); no bespoke retry frameworks where a maintained wrapper action (e.g. wretry) fits.
Cadence: revisit this review ~monthly or when a new cross-portfolio CI pattern emerges.