|
| 1 | +# Adopting shared & reusable GitHub Actions for default CI/CD pipelines |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +This RFC proposes that all default CI/CD workflows across the Express.js organization should be built using shared, reusable GitHub Actions rather than defining separate workflows in each repository. These workflows will be centrally maintained, versioned, and consumed by individual repositories to ensure consistency, reliability, and easier maintenance. |
| 6 | + |
| 7 | +## Motivation |
| 8 | + |
| 9 | +Currently, each repository in the Express.js organization maintains its own GitHub Actions workflows. This leads to: |
| 10 | + |
| 11 | +- Inconsistent CI/CD practices (different Node versions, test commands, caching, verification steps, etc.) |
| 12 | +- Duplicated effort across repositories |
| 13 | +- Increased probability of misconfiguration or security vulnerabilities |
| 14 | +- Difficulty onboarding new contributors and maintainers |
| 15 | +- Harder organization-wide upgrades (e.g., Node.js version updates or introducing new security validations) |
| 16 | + |
| 17 | +By moving to shared reusable workflows, we expect to: |
| 18 | + |
| 19 | +- Ensure consistent build, test, and release standards across all repositories |
| 20 | +- Reduce maintenance overhead and simplify updates |
| 21 | +- Improve security by enforcing centralized best practices |
| 22 | +- Enable shared improvements for all repositories (e.g., adding `npm audit`, code coverage, publishing automation) |
| 23 | +- Support future capabilities such as automated dependency updates and release pipelines |
| 24 | + |
| 25 | +## Detailed Explanation |
| 26 | + |
| 27 | +### Proposal |
| 28 | + |
| 29 | +- Create and maintain centralized reusable workflows under a repository such as: |
| 30 | + - `expressjs/ci-workflows` |
| 31 | + |
| 32 | +- These workflows will include: |
| 33 | + - `ci.yml` — install dependencies, lint, test, build |
| 34 | + - `release.yml` — publish to npm and create GitHub releases (optional approval gates) |
| 35 | + - `security.yml` — package audit, CodeQL (if required) |
| 36 | + - `nightly.yml` — scheduled CI runs on latest Node.js versions or branches |
| 37 | + |
| 38 | +- Each repository will consume them using `workflow_call`, for example: |
| 39 | + |
| 40 | + ```yaml |
| 41 | + name: CI |
| 42 | + |
| 43 | + on: |
| 44 | + push: |
| 45 | + branches: [main] |
| 46 | + pull_request: |
| 47 | + |
| 48 | + jobs: |
| 49 | + build: |
| 50 | + uses: expressjs/ci-workflows/.github/workflows/ci.yml@v1 |
| 51 | + with: |
| 52 | + node-version: 24 |
| 53 | + ``` |
| 54 | +
|
| 55 | +- Customization will still be possible using workflow inputs and conditionals. |
| 56 | +- Workflows will be versioned (`v1`, `v1.1`, etc.) to ensure stability. |
| 57 | + |
| 58 | +### Migration |
| 59 | + |
| 60 | +1. Create shared workflow repository and initial pipeline definitions. |
| 61 | +2. Document how to consume workflows, expected defaults, and available inputs. |
| 62 | +3. Migrate a few core repositories (`express`, `router`, `body-parser`) as a pilot. |
| 63 | +4. Expand adoption across the organization. |
| 64 | +5. Deprecate custom pipelines once migration is completed. |
| 65 | + |
| 66 | +## Rationale and Alternatives |
| 67 | + |
| 68 | +| Approach | Pros | Cons | |
| 69 | +|----------|------|------| |
| 70 | +| **Shared reusable workflows (proposed)** | Consistent CI/CD, easier maintenance, improved security, one update applies to all repos | Requires initial setup and governance | |
| 71 | +| **Status quo: per-repository workflows** | Maximum flexibility per repository | Inconsistent behavior, duplicated code, high maintenance, increased risk of outdated CI | |
| 72 | +| **Use external CI tools (Jenkins, CircleCI, etc.)** | Can be highly customizable | Adds external dependency, higher complexity, reduces transparency for contributors | |
| 73 | + |
| 74 | +This proposal offers the best balance of maintainability, consistency, and openness for the Express.js ecosystem. |
| 75 | + |
| 76 | +## Implementation |
| 77 | + |
| 78 | +### Affected Areas |
| 79 | + |
| 80 | +- All active repositories using GitHub Actions under the `expressjs/` organization. |
| 81 | +- No runtime code changes required; only CI configuration updates. |
| 82 | + |
| 83 | +### Actions Required |
| 84 | + |
| 85 | +- Create new repository `ci-workflows` organization repository. |
| 86 | +- Implement and document reusable workflows. |
| 87 | +- Configure organization-wide secrets (npm token, GitHub token, etc.) if required. |
| 88 | +- Roll out reusable workflows in prioritized repositories. |
| 89 | +- Establish contribution guidelines and versioning strategy for workflow updates. |
| 90 | + |
| 91 | +### Technical Considerations |
| 92 | + |
| 93 | +- Use `workflow_call` and workflow permissions properly. |
| 94 | +- Use only organization-level secrets, not per-repo secrets for shared steps. |
| 95 | +- Optional security checks (CodeQL, audit) should be configurable. |
| 96 | +- Release workflows should include safeguards (e.g., manual approval for npm publish). |
| 97 | + |
| 98 | +## Prior Art |
| 99 | + |
| 100 | +- GitHub officially recommends this pattern for large organizations. |
| 101 | + |
| 102 | +## Unresolved Questions and Bikeshedding |
| 103 | + |
| 104 | +- What should the shared workflow repository be named? `expressjs/.github` or something like `expressjs/ci-workflows`? |
| 105 | +- Should `npm` be enforced, or support `pnpm`, `npm`, `yarn`? |
| 106 | +- Should `npm audit` or CodeQL scanning be mandatory by default? |
| 107 | +- How should versions of workflows be managed — tagged releases (`v1`) or branch references (`main`)? |
| 108 | +- Should automatic npm releases be allowed, or manual approvals required? |
0 commit comments