Hi all,
Maintaining CI workflows across more than 40 Commons repositories creates significant maintenance overhead and Dependabot noise. I’d like to propose refactoring our four common workflows, CodeQL Analysis, Dependency Review, Java CI, and Scorecards Analysis, to use reusable workflows defined in `commons-parent` instead. As an example, I’ve opened commons-parent#681 [1], which refactors maven.yml, and triggered a demo run in commons-lang [2]. If there’s agreement, I can refactor the remaining three workflows as well.

Adopting shared workflows raises the question of how they should be updated across projects. Some existing approaches in Apache projects include:

1. Pinning to a commit (SHA-1): reliable but reintroduces Dependabot churn.
2. Pinning to release tags: used by the Logging Services PMC. Updates happen with parent releases, useful if workflow and POM changes must align.
3. Branch-based sharing: used by the Maven PMC in `maven-gh-actions-shared` [3], where branches correspond to workflow major versions.

To start simple, I suggest we reference the master branch of commons-parent. This provides automatic propagation of workflow improvements with zero maintenance effort in downstream repositories.

What do you think?

Piotr

[1] https://github.com/apache/commons-parent/pull/681
[2] https://github.com/apache/commons-lang/actions/runs/19098960862
[3] https://github.com/apache/maven-gh-actions-shared
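To make the proposal concrete, here is an added example (not the contents of commons-parent#681 nor any Commons repository's actual workflow) of a reusable workflow in `commons-parent` and a downstream caller, with the SHA and tag pinning alternatives from the list above shown as commented-out `uses:` lines. The file paths, the `java-versions` input name and the Maven invocation are assumptions.

```yaml
# --- commons-parent: .github/workflows/maven.yml (assumed path) ---
# Reusable workflow: it only runs when another workflow calls it via `uses:`.
name: Java CI (reusable)
on:
  workflow_call:
    inputs:
      java-versions:   # assumed input name; a JSON array that feeds the build matrix
        required: false
        type: string
        default: '["8", "11", "17", "21"]'

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        java: ${{ fromJSON(inputs.java-versions) }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: ${{ matrix.java }}
      - run: mvn --batch-mode --show-version verify
---
# --- downstream component, e.g. commons-lang: .github/workflows/maven.yml ---
name: Java CI

on:
  push:
    branches: [master]
  pull_request:

permissions:
  contents: read   # the called workflow runs with at most these permissions

jobs:
  build:
    # The proposal's choice: follow the branch; nothing for Dependabot to bump.
    uses: apache/commons-parent/.github/workflows/maven.yml@master
    # Option 1, pin a commit (placeholder, not a real SHA): Dependabot keeps
    # proposing bumps of the pin, the churn mentioned above.
    # uses: apache/commons-parent/.github/workflows/maven.yml@<40-hex-commit-sha>
    # Option 2, pin a release tag (placeholder): moves only with a parent release.
    # uses: apache/commons-parent/.github/workflows/maven.yml@<release-tag>
    with:
      java-versions: '["8", "17"]'
```

A branch reference gives automatic propagation, so changes merged to `master` of commons-parent take effect in every caller on its next run; the pinned forms trade that for an explicit, reviewable bump in each downstream repository.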
