|
| 1 | +.. include:: /Includes.rst.txt |
| 2 | + |
| 3 | +=================================================== |
| 4 | +ADR-003: Versioning Strategy for Shared Workflows |
| 5 | +=================================================== |
| 6 | + |
| 7 | +Status |
| 8 | +====== |
| 9 | + |
| 10 | +Proposed — requesting feedback from maintainers |
| 11 | + |
| 12 | +Context |
| 13 | +======= |
| 14 | + |
| 15 | +The shared reusable workflows in this repository are referenced by consumer |
| 16 | +repositories using GitHub's ``uses:`` syntax: |
| 17 | + |
| 18 | +.. code-block:: yaml |
| 19 | +
|
| 20 | + uses: TYPO3-Documentation/.github/.github/workflows/reusable-backport.yml@<ref> |
| 21 | +
|
| 22 | +GitHub supports three reference types: |
| 23 | + |
| 24 | +1. **Branch** (``@main``) — always uses the latest version |
| 25 | +2. **Tag** (``@v1``, ``@v1.2.0``) — uses a specific release |
| 26 | +3. **SHA** (``@bfd07ddb...``) — uses an exact commit |
| 27 | + |
| 28 | +The current PRs use ``@main``. One already-merged workflow uses a full SHA pin. |
| 29 | +A clear strategy is needed for consistency. |
| 30 | + |
| 31 | +Decision |
| 32 | +======== |
| 33 | + |
| 34 | +**Recommended: Use ``@main`` for all consumer references.** |
| 35 | + |
| 36 | +Use tags (``@v1``, ``@v2``) only if breaking changes are introduced, following |
| 37 | +semantic versioning: |
| 38 | + |
| 39 | +* **Patch/minor changes** (action version bumps, bug fixes): consumers on |
| 40 | + ``@main`` receive updates automatically — this is the primary benefit. |
| 41 | +* **Breaking changes** (renamed inputs, removed workflows): create a new major |
| 42 | + tag, update consumers explicitly. |
| 43 | + |
| 44 | +**Avoid SHA-pinning shared workflows.** SHA pins reintroduce the exact problem |
| 45 | +shared workflows solve: |
| 46 | + |
| 47 | +.. csv-table:: |
| 48 | + :header: "Approach", "Action update effort", "Consumer update effort", "Total" |
| 49 | + |
| 50 | + "Inline workflows", "N/A", "Update each repo", "O(repos)" |
| 51 | + "Shared + @main", "Update once", "None (automatic)", "O(1)" |
| 52 | + "Shared + @SHA", "Update once", "Update each repo's SHA", "O(repos)" |
| 53 | + |
| 54 | +With SHA-pinning, a workflow change requires updating the SHA in every consumer |
| 55 | +repository — the same per-repo maintenance burden as inline workflows. |
| 56 | + |
| 57 | +Alternatives Considered |
| 58 | +======================= |
| 59 | + |
| 60 | +**SHA-pinning (rejected)** |
| 61 | + |
| 62 | +Provides maximum reproducibility but defeats the core value proposition: |
| 63 | + |
| 64 | +* When ``actions/checkout`` releases a new version, the shared workflow is |
| 65 | + updated once, and all ``@main`` consumers benefit immediately. |
| 66 | +* With SHA pins, every consumer must update its pin — requiring the same |
| 67 | + multi-repo maintenance we are trying to eliminate. |
| 68 | + |
| 69 | +**Tag-only (partially adopted)** |
| 70 | + |
| 71 | +Tags provide a middle ground but add ceremony: |
| 72 | + |
| 73 | +* Every change requires creating a tag. |
| 74 | +* Non-breaking changes (the vast majority) do not benefit from versioning. |
| 75 | +* Tags are appropriate for breaking changes but overkill for routine updates. |
| 76 | + |
| 77 | +Consequences |
| 78 | +============ |
| 79 | + |
| 80 | +* **Positive:** Consumers receive fixes and action updates automatically. |
| 81 | +* **Positive:** Zero maintenance burden for non-breaking changes across ~29 |
| 82 | + repos. |
| 83 | +* **Positive:** Incident response is immediate — fix the shared workflow, all |
| 84 | + repos benefit. |
| 85 | +* **Negative:** A broken push to ``main`` breaks all consumers immediately. |
| 86 | +* **Mitigation:** Require PR review for all changes to this repository. |
| 87 | + Consider branch protection rules. |
| 88 | +* **Negative:** No version pinning for reproducibility. |
| 89 | +* **Mitigation:** GitHub Actions logs record the exact commit SHA used for |
| 90 | + each run, enabling post-hoc debugging. |
0 commit comments