# Roadmap: a consistent, secure, reliable, discoverable composite-action library (2026 H1 refresh)

This is the next strategy review for devantler-tech/actions, setting direction now that the first roadmap epic #181 ("complete · consistent · secure composite-action library", closed) is delivered. It is the companion to the sibling reusable-workflow library's refresh (reusable-workflows#305) — together the two epics give the whole CI backbone (composites + reusable workflows consumed by every devantler-tech repo) one coherent direction rather than two drifting halves.

## Where the library is today

A mature, well-conventioned set of 16 composite actions (`aggregate-job-checks`, `approve-pr`, `cleanup-ghcr-packages`, `create-issues-from-todos`, `dependency-review`, `enable-auto-merge-on-pr`, `free-disk-space`, `login-to-ghcr`, `run-dotnet-tests`, `setup-agent-skills`, `setup-go-toolchain`, `setup-ksail-cli`, `sync-github-labels`, `update-agent-skills`, `upload-coverage`, `upsert-issue`). The v1 hygiene is strong and should be treated as standing invariants, not re-opened themes:

- CI-tested — 16/16 exercised in `ci.yaml`, with negative-path tests (test(ci): backfill negative-path tests for happy-path-only actions #199) backfilling the actions that previously had only happy-path coverage.
- README ↔ `action.yaml` input/output parity guard (ci: add README↔action.yaml input/output parity guard #197, test(ci): make lint-readme-parity bidirectional #205) keeps docs and metadata in lockstep.
- SHA-pinned — 13/13 third-party `uses:`. Every external action reference is pinned to a full commit SHA.

## Direction — consistent · secure · reliable · discoverable

Each item below is additive and backward-compatible — the blast radius is every consumer repo, so no breaking input/output change to a published action ships without a deliberate, maintainer-promoted decision.

1. **Consistency — pin-comment & metadata convention.** (S — ready)
   12/13 third-party SHA pins carry a `# vX.Y.Z` release comment naming the pinned version; the lone outlier is `Homebrew/actions/setup-homebrew@<sha> # main` in `setup-ksail-cli/action.yaml` — and that is honest, because Homebrew/actions publishes no tags or releases (it is main-tracked only). The gap is therefore a convention one, not a defect: adopt a documented comment form for tagless, branch-tracked deps (e.g. `# main @ YYYY-MM-DD` or `# main (no upstream releases)`) so a reader can tell "pinned-to-a-tag" from "pinned-to-a-branch-commit" at a glance and a future re-pin isn't mistaken for a floating ref. (Minor companion tidy-up: `setup-ksail-cli` is the only action with no `inputs:` section — cosmetic, fold in or skip.)

2. **Discoverability — GitHub Marketplace branding.** (M — maintainer-direction-gated)
   0/16 `action.yaml`s declare a `branding:` (icon + color) block. This is a deliberate strategic fork, not a bug: either (a) publish the suite to the GitHub Marketplace as a coherent, branded family so the actions are discoverable and reusable beyond this org, adding consistent `branding:` to all 16; or (b) document an intentional internal-only stance (these are devantler-tech building blocks, not products) so the absence is a recorded decision rather than an oversight. Needs the maintainer to pick the direction before any rollout.
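A checker for the conventions in items 1 and 2 (full-SHA pins, the pin-comment form, and the presence of `branding:` and `inputs:`), as an added example that is not part of the devantler-tech/actions repo or its CI. It scans one `action.yaml` body line by line; the two sample bodies are constructed, the function name, finding wording and regular expressions are this example's own, and the accepted tagless comment forms are exactly the two proposed above (`# main @ YYYY-MM-DD`, `# main (no upstream releases)`).

```python
import re

# A full commit SHA is 40 lowercase hex characters; anything else (tag, branch,
# short SHA) is treated as a floating or ambiguous ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `# vX.Y.Z` (optionally with a pre-release/build suffix) names a pinned release.
RELEASE_COMMENT_RE = re.compile(r"^#\s*v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")
# The two documented forms for branch-tracked deps that publish no releases.
BRANCH_COMMENT_RE = re.compile(
    r"^#\s*(?:main|master)\s+(?:@\s+\d{4}-\d{2}-\d{2}|\(no upstream releases\))$"
)
# `- uses: owner/repo@ref  # optional comment` (also matches a bare `uses:` key).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")


def audit_action_yaml(text: str) -> dict:
    """Audit one action.yaml body; returns pin counts, section flags and 'line N: ...' findings."""
    findings = []
    release_pins = branch_pins = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local and docker:// references are not third-party action pins.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(f"line {lineno}: {ref} has no ref at all")
            continue
        action, pin = ref.rsplit("@", 1)
        if not SHA_RE.match(pin):
            findings.append(f"line {lineno}: {action} pinned to {pin!r}, not a full commit SHA")
            continue
        if RELEASE_COMMENT_RE.match(comment):
            release_pins += 1
        elif BRANCH_COMMENT_RE.match(comment):
            branch_pins += 1
        elif not comment:
            findings.append(f"line {lineno}: {action} SHA pin has no version comment")
        else:
            # A bare `# main` is exactly the ambiguity the convention removes.
            findings.append(
                f"line {lineno}: {action} pin comment {comment!r} is neither a release "
                "tag nor a documented branch-tracking form"
            )
    # Top-level keys are the unindented `key:` lines of the document.
    top_level = {ln.split(":", 1)[0] for ln in text.splitlines() if ln and not ln[0].isspace() and ":" in ln}
    return {
        "findings": findings,
        "release_pins": release_pins,
        "branch_pins": branch_pins,
        "has_branding": "branding" in top_level,
        "has_inputs": "inputs" in top_level,
    }


# Constructed sample: one release-commented pin, the bare `# main` outlier, one tag ref.
SAMPLE_ACTION_YAML = """\
name: setup-something
description: Constructed sample, not a real devantler-tech action.
runs:
  using: composite
  steps:
    - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.2.2
    - uses: Homebrew/actions/setup-homebrew@2222222222222222222222222222222222222222 # main
    - uses: some-org/some-tool@v3
    - uses: ./.github/actions/local-helper
    - run: echo "no uses here"
      shell: bash
"""

# Constructed sample with the proposed conventions applied (inputs, branding, dated branch pin).
FIXED_ACTION_YAML = """\
name: setup-something
description: Constructed sample with the proposed conventions applied.
inputs:
  version:
    description: Tool version to install.
    required: false
    default: latest
branding:
  icon: package
  color: blue
runs:
  using: composite
  steps:
    - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.2.2
    - uses: Homebrew/actions/setup-homebrew@2222222222222222222222222222222222222222 # main @ 2026-06-07
    - uses: some-org/some-tool@3333333333333333333333333333333333333333 # v3.1.0
"""

if __name__ == "__main__":
    for label, body in (("before", SAMPLE_ACTION_YAML), ("after", FIXED_ACTION_YAML)):
        print(label, audit_action_yaml(body))
```

The checker counts release-commented and branch-commented pins separately, so a report can state "12/13 release-tagged, 1/13 branch-tracked" rather than lumping both under "pinned". It is a line scan, not a YAML parse; a real guard wired into the parity-lint job would read the document with a YAML loader and walk `runs.steps`, but the classification rules stay the same.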
3. **Reliability — composites resilient to transient infra.** (M)
   Mirror reusable-workflows#305's new reliability pillar (and reusable-workflows#292): a composite that does a network pull — `brew install` in `setup-ksail-cli`, `login-to-ghcr`, tool/toolchain downloads, registry pulls — should tolerate transient registry/network flakes (bounded retry + backoff) so it never turns a required check red on infra noise rather than a real failure. This connects directly to the live ksail `System Test (Docker)` registry-pull flake theme (ksail#5102 / ksail#4972) — a hardened shared pull step would benefit every consumer at once.
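The bounded retry + backoff that item 3 calls for, as an added example that is not code from devantler-tech/actions: a POSIX-shell helper a composite step could wrap `brew install` or a registry pull in. `flaky_pull` is a constructed stand-in that fails a fixed number of times before succeeding, so the behaviour can be checked offline; the function names are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of devantler-tech/actions.

# retry_with_backoff <max_attempts> <base_delay_seconds> <command...>
# Runs the command up to max_attempts times, sleeping base * 2^(n-1) seconds
# between attempts. On exhaustion it returns the command's last exit code, so a
# genuine failure still fails the check; only transient failures are absorbed.
retry_with_backoff() {
  max_attempts="$1"
  base_delay="$2"
  shift 2
  attempt=1
  while :; do
    if "$@"; then
      return 0
    else
      rc=$?
    fi
    if [ "$attempt" -ge "$max_attempts" ]; then
      # ::error:: is a GitHub workflow command; it annotates the job log.
      echo "::error::command failed after ${attempt} attempts: $*" >&2
      return "$rc"
    fi
    delay=$(( base_delay * (1 << (attempt - 1)) ))
    echo "::warning::attempt ${attempt}/${max_attempts} failed (rc=${rc}); retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$(( attempt + 1 ))
  done
}

# flaky_pull <counter_file> <fail_times>
# Constructed stand-in for a network pull: fails the first <fail_times> calls,
# then succeeds. The counter file keeps the simulation deterministic.
flaky_pull() {
  counter_file="$1"
  fail_times="$2"
  n=0
  [ -f "$counter_file" ] && n=$(cat "$counter_file")
  n=$(( n + 1 ))
  echo "$n" > "$counter_file"
  [ "$n" -gt "$fail_times" ]
}

# Usage inside a composite step (the brew invocation is the page's own example):
#   retry_with_backoff 4 2 brew install ksail
```

Bounding the attempts is what keeps the helper honest: with four attempts and a two-second base the step gives up after roughly fourteen seconds of waiting, so a persistent outage or a real install error still surfaces as a red check instead of hanging the job. The `::warning::` lines leave a trace in the log, so retries remain visible when investigating a flake rather than being silently absorbed.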
4. **Security & completeness — standing invariants (keep, don't regress).**
   Keep 13/13 SHA-pinning, the `harden-runner` / least-privilege discipline in the test workflow, and the 16/16 CI-test + parity-guard coverage as invariants every new or changed action must satisfy.

## Scope notes

- The `create-issues-from-todos` crash on an ambiguous upstream match is an upstream-gated bug (fix prepared on a fork of todo-to-issue-action; needs an upstream PR before re-pin) — tracked separately, not part of this epic.
- Children will be filed/refined as small, independently-shippable issues (problem → proposal → acceptance criteria) as each pillar becomes ready; item 1 is ready now, items 2–3 carry the gating noted above.

Strategy review by the Daily AI Engineer (primary engineer for the devantler-tech portfolio). Grounded in a live audit of all 16 actions on 2026-06-07. Companion to the CI-backbone roadmap reusable-workflows#305.