Checklist:
- Required checks alignment
  - Ensure workflow/job names match branch protection required checks
  - Ensure PR checks run on `pull_request` and are fast and deterministic
- Least privilege & secure defaults
  - Set default workflow permissions to the minimum required
  - Use per-job `permissions:` blocks for elevation
  - Prefer OIDC auth to clouds; avoid long-lived secrets
- Build/test hygiene
  - Cache appropriately:
    - .NET: NuGet packages
    - Node: npm/pnpm/yarn cache + lockfile-based key
  - Use a matrix for OS/runtime versions only if valuable
  - Use `concurrency` to cancel redundant runs on the same branch/PR
  - Split "quick PR checks" vs "full pipeline" when needed
- Artifact handling
  - Upload test results/coverage as artifacts if useful
  - Ensure artifacts are not treated as trusted input without validation
  - Add provenance attestation for release artifacts where applicable
- Reusability
  - Convert repeated logic into reusable workflows (`workflow_call`)
  - Centralize security-hardening steps (permissions, pinning policy, dependency checks)
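As an added example (not part of the original checklist), a GitHub Actions workflow that applies the items above: read-only default token, per-job elevation, OIDC to the cloud instead of stored keys, `concurrency` cancellation, a lockfile-keyed Node cache, and a `test` job whose name is meant to match the branch protection required check. The job names, the `reports/` directory, the deploy script and the IAM role ARN are assumptions; version tags should be replaced by full commit SHAs under your pinning policy.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Default: read-only token for every job; jobs elevate individually below.
permissions:
  contents: read

# Cancel superseded runs on the same branch/PR.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Job name "test" must match the required check name in branch protection.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a full commit SHA per pinning policy
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm                       # cache key derived from package-lock.json
      - run: npm ci
      - run: npm test -- --ci
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results
          path: reports/                   # assumed output dir; untrusted input downstream

  # Runs only on main; only this job is elevated, and it uses OIDC rather than stored cloud keys.
  deploy:
    needs: test
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                      # needed to request the OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy   # placeholder ARN
          aws-region: us-east-1
      - run: ./scripts/deploy.sh           # assumed project script
```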
Finish with:
- Summary of workflow changes
- Expected performance impact (faster? less flaky?)
- Security impact (permissions, OIDC, pinning)
- Any follow-ups (branch protection updates, secrets/env setup)