Contributing¶
This guide explains how to report issues, propose changes, and submit pull requests for the reusable workflows and composite actions in this library.
Security Review¶
All changes that introduce or update a third-party action, change permissions, or affect the security posture of the library must be reviewed against the controls documented in the Security section.
When the security docs apply¶
| Change type | Required review |
|---|---|
| New third-party action | Full action selection criteria evaluation; document in issue or PR |
| Updated SHA pin | Confirm the new SHA is reachable from a release tag |
| Permission change | Verify against the Permissions reference; justify any increase |
| Vulnerability fix | Follow the mitigation steps and notification process |
| Any other change | Work through the security items in the PR checklist |
Quarterly ENISA alignment review¶
Once per quarter, a maintainer should open an Update Workflow issue with type Security improvement to:
- Check the EUVD and OSV.dev for new advisories affecting actions used in this library.
- Verify all open Dependabot alerts have been reviewed and are within the response time thresholds in Vulnerability Management.
- Update the compliance matrix if any control status has changed.
- Review and triage any
security-labelled open issues.
Reporting Issues¶
Use the structured issue templates to open requests:
| Template | When to use |
|---|---|
| Bug Report | A workflow behaves incorrectly or fails unexpectedly |
| New Workflow | You want to add a new reusable workflow to the library |
| Update Workflow | A workflow needs a new input, a tool version bump, or a behavior change |
| EOL / Deprecate | A workflow should be deprecated or removed |
Workflow Lifecycle¶
A workflow belongs in this library when it is (or will be) useful to more than one potos repository — the goal is that all pipelines come from this repository.
Adding a workflow¶
- Open a New Workflow issue to discuss the proposal before writing code.
- Create
.github/workflows/<verb>-<subject>.yamlwithon: workflow_call(test-,release-, orsmoke-test-prefix). - Document it under
docs/workflows/(see the page structure indocs/AGENTS.md) and register the page inzensical.tomlundernav. - Add the workflow to the permissions reference.
- Add a smoke-test job to
smoke-test.yamlorsmoke-test-release.yaml, or document why it cannot be smoke-tested. - Evaluate new third-party actions against the action selection criteria and pin them by full commit SHA.
- If consuming repositories need new
allowed_actionsentries, update the OpenTofu repo config accordingly. - Update
AGENTS.mdif the repository structure or conventions change, then submit a pull request.
Updating a workflow¶
- Open an Update Workflow issue for non-trivial changes to discuss the approach first.
- Edit the workflow YAML under
.github/workflows/. - Keep the documentation in sync in the same PR: inputs table, permissions table, and usage example.
- For breaking changes, include a migration path in the docs and add a
BREAKING CHANGE:footer to the commit message to trigger a major version bump.
Deprecating or removing a workflow¶
- Open an EOL / Deprecate issue to announce intent and gather feedback from users.
- Add a deprecation notice to the workflow YAML (as a comment) and to its docs page.
- After the deprecation window (at least one minor release), remove the workflow file, its
documentation page, its nav entry in
zensical.toml, and its row indocs/security/permissions.md.
Pull Requests¶
All work happens on feature branches and is merged via pull request to main. The PR
template prompts you through the required checklist: documentation and permissions table in
sync, smoke-test coverage, permissions: {} in caller examples, SHA-pinned third-party
actions evaluated against the
selection criteria, and
allowed_actions updates in the OpenTofu repo config.
Releases are automated: go-semantic-release creates one
on every push to main, so do not create version tags manually. Commit messages follow
Conventional Commits:
| Commit type | Version bump |
|---|---|
feat: |
minor |
fix: |
patch |
BREAKING CHANGE: footer |
major |
docs:, ci:, chore: |
none |
Downstream Projects¶
Projects that adopt these workflows can copy and adapt .github/ISSUE_TEMPLATE/ and
.github/PULL_REQUEST_TEMPLATE.md from this repository to standardise their own CI/CD
configuration changes, and should add the
Renovate configuration to keep workflow SHA pins up to date
automatically.