|
| 1 | +# Workflow Enhancement Opportunities |
| 2 | + |
| 3 | +This document tracks potential future improvements for GitHub workflows. |
| 4 | + |
| 5 | +## Low Priority Enhancements |
| 6 | + |
| 7 | +### 1. Replace Third-Party Actions with GitHub Script |
| 8 | + |
| 9 | +Some workflows currently use third-party actions that could be replaced with `actions/github-script@v7` for improved security and reduced external dependencies: |
| 10 | + |
| 11 | +#### pr-size-labeler.yml |
| 12 | +- **Current:** Uses `codelytv/pr-size-labeler@v1` |
| 13 | +- **Status:** CodelyTV is a reputable organization, action works well |
| 14 | +- **Future:** Could implement with github-script (~50 lines) |
| 15 | +- **Benefit:** One less external dependency |
| 16 | +- **Priority:** Low (current solution is secure and well-maintained) |
| 17 | + |
| 18 | +#### changelog-preview.yml |
| 19 | +- **Current:** Uses `thollander/actions-comment-pull-request@v2` |
| 20 | +- **Status:** Popular action, widely used in ecosystem |
| 21 | +- **Future:** Could use github-script for commenting |
| 22 | +- **Benefit:** One less external dependency |
| 23 | +- **Priority:** Low (current solution is simple and reliable) |
| 24 | + |
| 25 | +#### benchmark.yml |
| 26 | +- **Current:** Uses `benchmark-action/github-action-benchmark@v1` |
| 27 | +- **Status:** Specialized benchmark tool with historical tracking |
| 28 | +- **Future:** Custom implementation would be complex (100+ lines) |
| 29 | +- **Benefit:** Full control over benchmark storage/comparison |
| 30 | +- **Priority:** Very Low (current solution provides features that would be hard to replicate) |
| 31 | + |
| 32 | +### 2. Coverage Integration Enhancements |
| 33 | + |
| 34 | +- **Current:** Basic Codecov integration |
| 35 | +- **Future Options:** |
| 36 | + - Add coverage badges to README |
| 37 | + - Set minimum coverage thresholds |
| 38 | + - Block PRs that decrease coverage |
| 39 | + - Generate coverage reports as PR comments |
| 40 | + |
| 41 | +### 3. Benchmark Integration |
| 42 | + |
| 43 | +- **Current:** Infrastructure ready but no benchmarks implemented |
| 44 | +- **Future:** |
| 45 | + - Add benchmark scripts to key packages |
| 46 | + - Define performance budgets |
| 47 | + - Alert on regressions |
| 48 | + |
| 49 | +### 4. Advanced PR Automation |
| 50 | + |
| 51 | +- **Future Ideas:** |
| 52 | + - Auto-assign reviewers based on files changed |
| 53 | + - Auto-label based on commit message keywords |
| 54 | + - Integration with project boards |
| 55 | + - Automatic milestone assignment |
| 56 | + |
| 57 | +## Security Considerations |
| 58 | + |
| 59 | +All current third-party actions: |
| 60 | +- ✅ Are from reputable sources |
| 61 | +- ✅ Have limited permissions |
| 62 | +- ✅ Handle non-sensitive operations |
| 63 | +- ✅ Don't have write access to code |
| 64 | +- ✅ Are properly scoped with explicit permissions |
| 65 | + |
| 66 | +## Maintenance Notes |
| 67 | + |
| 68 | +- Review third-party action versions quarterly |
| 69 | +- Monitor for security advisories |
| 70 | +- Consider migration to github-script if: |
| 71 | + - Action becomes unmaintained |
| 72 | + - Security vulnerability is discovered |
| 73 | + - Significant breaking changes occur |
| 74 | + |
| 75 | +## Implementation Priority |
| 76 | + |
| 77 | +1. **High:** None currently |
| 78 | +2. **Medium:** Coverage enhancements, Benchmark implementation |
| 79 | +3. **Low:** Replace third-party actions with github-script |
| 80 | + |
| 81 | +--- |
| 82 | + |
| 83 | +*Last Updated: 2026-01-15* |
| 84 | +*Next Review: 2026-04-15* |
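Review bot: The "Security Considerations" checklist (lines 59-64) omits the control that matters most for third-party actions, pinning to a full commit SHA; every action referenced in this file, including the proposed `actions/github-script@v7`, is cited by a mutable major-version tag (`codelytv/pr-size-labeler@v1`, `thollander/actions-comment-pull-request@v2`, `benchmark-action/github-action-benchmark@v1`), which can be moved to new code without any change in the workflow. Suggest adding a checklist item such as "Pinned to a full-length commit SHA (tag kept in a trailing comment)" and, under "Maintenance Notes", an automated update path (for example Dependabot or Renovate for the `github-actions` ecosystem) alongside the quarterly manual review. Also, "Don't have write access to code" and "Handle non-sensitive operations" would be more useful if the per-workflow entries listed the exact `permissions:` each action needs (a PR comment or label action still needs `pull-requests: write` or `issues: write`), so reviewers can check the claim against the workflow files. Minor: the two italic lines at 83-84 have no blank line between them and will render as one paragraph.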
0 commit comments