Reusable Workflow Governance
This repository keeps local workflow files for CI, release, security, and publishing until a portfolio reusable-workflow source is available to this repo.
Portfolio Source Check
Expected source:
- repository:
oaslananka-lab/.github - directory:
.github/workflows - checked: 2026-05-23
- result: GitHub returned
404 Not Foundfor the workflow directory through the authenticated API.
Because no callable reusable workflow entrypoint is currently visible, the local workflow files remain authoritative for this repository.
Local Workflows Retained
The following workflows duplicate portfolio-wide concerns and should be migrated only after a callable workflow with equivalent permissions, triggers, pinned actions, and artifact behavior is available:
| Concern | Local workflow | Current status |
|---|---|---|
| Code scanning | codeql.yml | Local pinned workflow retained |
| Supply-chain health | scorecard.yml | Local pinned workflow retained |
| Secret scanning | gitleaks.yml | Local pinned workflow retained |
| Dependency review and audit | security.yml | Local pinned workflow retained |
Migration Rule
Do not move PyPI publishing into a reusable workflow. PyPI Trusted Publishing currently requires the trusted publishing step to live in the non-reusable workflow file that is registered on PyPI, so publish-python.yml must keep the final pypa/gh-action-pypi-publish jobs locally.
When reusable workflow entrypoints become available, migrate one concern per PR and keep each caller workflow pinned to an immutable ref or a maintained release line approved by the repository security gate.