Reusable GitHub Actions workflows + canonical caller workflows shared across consumer orgs, including native Swift/Xcode macOS app CI.
- .github/workflows/ — reusable workflows (workflow_call). Each implements one piece of CI/release machinery. Consumer repos call these via uses:.
- consumers/ — caller workflows. Each consuming repo declares groups in .github/.shared-config.yaml; scripts/sync-shared copies the matching caller files verbatim into .github/workflows/. A drift-check job in the hygiene group fails CI on any divergence. Don't hand-author caller workflows. See AGENTS.md for the full pattern.
Consumer repos should pin .github/.shared-config.yaml to a shared-vX.Y.Z
tag via ref:. Renovate tracks that pin and opens dedicated update PRs, so
shared workflow drift does not ride along with unrelated feature changes.
GAT releases the next shared-vX.Y.Z tag automatically when canonical
consumer workflows or shared files change on master, including a GitHub
Release with generated notes.
Both consumer orgs (whengas/, jr200-labs) enforce default-branch protection centrally: rulesets require PRs, repo settings disable auto-merge by default + enable branch auto-delete, and the lint-no-auto-merge workflow in hygiene fails CI if any caller workflow invokes gh pr merge, --auto-merge, or gh pr review --approve. Shared-ref auto-merge guardrails live in config for a future opt-in, but the feature is currently disabled.
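A minimal sketch of the kind of check lint-no-auto-merge performs, added here as an illustration and not taken from this repository's workflow code. The function names, the regex and the sample workflow files are all constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: a stand-in for an auto-merge lint, not the repo's own job.

# The three invocations the README says must never appear in a caller workflow.
FORBIDDEN='gh[[:space:]]+pr[[:space:]]+merge|--auto-merge|gh[[:space:]]+pr[[:space:]]+review[[:space:]].*--approve'

# lint_no_auto_merge DIR: print file:line:text for each hit to stderr.
# Returns 1 if any workflow under DIR matches, 0 if clean.
lint_no_auto_merge() {
  local dir="$1" hits
  # Drop comment-only lines so a note documenting the rule does not trip it.
  hits=$(grep -rnE --include='*.yml' --include='*.yaml' -e "$FORBIDDEN" "$dir" \
           | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true)
  [ -z "$hits" ] && return 0
  printf 'forbidden auto-merge/approve call:\n%s\n' "$hits" >&2
  return 1
}

# write_sample_workflows DIR: constructed caller workflows for demo and test.
write_sample_workflows() {
  mkdir -p "$1/clean" "$1/dirty"
  cat > "$1/clean/ci.yaml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # never call gh pr merge from here
      - run: make test
EOF
  cat > "$1/dirty/release.yaml" <<'EOF'
name: release
on: [pull_request]
jobs:
  ship:
    runs-on: ubuntu-latest
    steps:
      - run: gh pr review --approve "$PR"
      - run: gh  pr   merge --squash "$PR"
EOF
}
```

This is a textual check on the workflow files only; the rulesets and repo settings described above remain the enforcing control on the default branch.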
Read GOTCHAS.md before wiring up a new consumer. It covers cross-org secrets, GitHub Free plan limitations, App token quirks, and other issues that are poorly documented upstream.
- AGENTS.md — Consumer pattern, group catalogue, how to add new groups
- GOTCHAS.md — Cross-org reusable workflow & GitHub App gotchas
- GitHub: Reusing Workflows
- GitHub: Accessing Workflows