Reusable GitHub Actions workflows and composite actions for L3DigitalNet repositories. Implements the track-latest tool pinning discipline — local dev and CI track the same upstream "latest" with a daily cache-bypass, optimized for never lagging behind security fixes or new lints.
Authoritative pattern reference: chrisdpurcell/projects/_docs/conventions.md §1 (mise) and §2 (setup-uv).
```
.github/
├── workflows/                 # reusable workflows (workflow_call trigger)
│   ├── bash-ci.yml            # shellcheck + bats + bash -n via mise
│   └── python-ci.yml          # uv sync + ruff + black + pytest
└── actions/                   # composite actions (step bundles)
    ├── install-tools-mise/    # wraps jdx/mise-action + cache-bypass logic
    └── install-tools-uv/      # wraps astral-sh/setup-uv + uv tool install
```
Always SHA-pin internal references, same as third-party actions:

```yaml
# In a consumer repo's .github/workflows/ci.yml
jobs:
  ci:
    uses: L3DigitalNet/shared-workflows/.github/workflows/bash-ci.yml@<SHA>
    with:
      shellcheck-paths: "*.sh _tests/run_tests.sh"
```

Resolve the SHA with:

```bash
gh api repos/L3DigitalNet/shared-workflows/git/refs/heads/main --jq '.object.sha'
```

`main` is the rolling latest. Tags `v1`, `v1.1`, `v2` mark stability boundaries. Major versions never break interfaces; minor versions add inputs. Pin to a SHA in production; pin to `@v1` only after a stability period.
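Added example (not code from the shared-workflows repo): a small shell audit, under the assumed name `audit_uses_pins`, that walks a workflow file and reports every `uses:` reference that is not pinned to a full 40-hex commit SHA, which is the property the rule above asks consumers to keep true for internal and third-party actions alike. The consumer workflow it audits is constructed inline for the stand-alone run, and the SHA in it is a placeholder rather than a real commit.

```shell
#!/usr/bin/env bash
# Hypothetical pin audit (not part of shared-workflows): every `uses:` that
# references a repository (owner/repo[/path]@ref) must end in a 40-hex commit
# SHA. Tags (@v1) and branches (@main) are mutable, so their contents can
# change after review; a SHA cannot. Local actions (./...) and docker://
# images carry no git ref and are skipped.

# Print "<file>:<line>: <ref>" for each reference that is not SHA-pinned.
# Returns 0 when every reference is pinned, 1 otherwise.
audit_uses_pins() {
  local file="$1" bad=0 lineno=0 line ref sha
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    # Strip the key, any trailing "# comment" and surrounding quotes.
    ref=$(printf '%s\n' "$line" | sed -E \
      's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//; s/^["'\'']//; s/["'\'']$//')
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    sha=${ref##*@}
    if [ "$sha" = "$ref" ] || ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
      printf '%s:%s: %s\n' "$file" "$lineno" "$ref"
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Number of unpinned references in a file (0 means clean).
count_unpinned() {
  audit_uses_pins "$1" | wc -l | tr -d ' '
}

# Constructed sample consumer workflow; the 40-hex SHA is a placeholder,
# not a real shared-workflows commit.
make_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  ci:
    uses: L3DigitalNet/shared-workflows/.github/workflows/bash-ci.yml@0123456789abcdef0123456789abcdef01234567
    with:
      shellcheck-paths: "*.sh _tests/run_tests.sh"
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jdx/mise-action@main
      - uses: ./.github/actions/install-tools-mise
      - uses: "astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567" # v1
EOF
}

# Stand-alone run: audit the constructed sample (reports the @v4 and @main lines).
sample=$(mktemp)
make_sample_workflow "$sample"
if audit_uses_pins "$sample"; then
  echo "all uses: references are SHA-pinned"
else
  echo "unpinned references found; replace each ref with the commit SHA"
fi
rm -f "$sample"
```

In a consumer repo the call is `audit_uses_pins .github/workflows/ci.yml`; a non-zero exit makes it usable as a pre-commit hook or a CI step. A trailing `# v1` comment after a SHA is tolerated because it is the usual way to record which release the SHA was resolved from.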
Exact-pinning of CLI tools (`shellcheck = "0.11.0"` in `.mise.toml`) is the opposite discipline: maximum reproducibility, accepts lag on security fixes and new lints. Track-latest accepts occasional one-day spikes when an upstream release breaks something, in exchange for never being stale. Both are valid; this org chose the latter on 2026-04-24 after the SC2120 false-positive incident on chrisdpurcell/projects (CI's apt-shipped shellcheck 0.9.0 vs Fedora workstation's 0.11.0).
Every reusable workflow carries:

```yaml
on:
  workflow_call:   # what makes the workflow callable through `uses:`; inputs such as shellcheck-paths are declared under this key
  push: { branches: [main] }
  pull_request:
  schedule:
    # GitHub Actions evaluates cron in UTC and accepts no timezone key under
    # schedule, so the daily run is 06:00 UTC (01:00/02:00 America/New_York).
    - cron: '0 6 * * *'
  workflow_dispatch:
```

The `schedule` event runs with caching disabled (`cache: ${{ github.event_name != 'schedule' }}`) so the daily run forces a fresh resolve of latest. This compensates for jdx/mise-action's default cache key hashing `.mise.toml` content — which never changes when tools are declared as "latest".
Initial scaffold — 2026-04-24. Two reusable workflows, two composite actions. See commit history for evolution.