ppkarwasz commented on PR #699:
URL: https://github.com/apache/commons-parent/pull/699#issuecomment-4267269415

I hear you on complexity. The goal here isn't to replicate Log4j's setup, just to centralize the three workflows that we never debug: CodeQL, Scorecards, and Dependency Review.

The pain points with the status quo:

- CodeQL stays stale between quarterly updates, so we don't profit from new static analysis rules.
- 40+ Dependabot notifications per upgrade cycle.
- SHA-pinned actions still need manual bumps everywhere.

A reusable workflow for just these three would reduce churn without adding any meaningful cognitive overhead: they're essentially fire-and-forget.

Proposal: let's try it scoped to these three only. If debugging ever becomes an issue in a downstream repo, we inline it back. Does that work for you?
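As an added illustration of the reusable-workflow mechanism the comment proposes (written here for this page, not code from PR #699 or the commons-parent project), the sketch below shows a central `workflow_call` workflow carrying the three scans, followed by the one-job caller a downstream repository would keep. The file paths, the `@<commit-sha>` pins and the `@<ref>` are placeholders; the action names (`github/codeql-action`, `ossf/scorecard-action`, `actions/dependency-review-action`) are the real upstream actions.

```yaml
# Central repository, e.g. .github/workflows/security-scans.yml (assumed path)
name: Security scans (reusable)
on:
  workflow_call:

permissions: {}          # default to nothing; each job requests only what it needs

jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write        # upload SARIF findings to code scanning
    steps:
      - uses: actions/checkout@<commit-sha>            # placeholder: pin every action to a full commit SHA
      - uses: github/codeql-action/init@<commit-sha>
        with:
          languages: java
      - uses: github/codeql-action/autobuild@<commit-sha>
      - uses: github/codeql-action/analyze@<commit-sha>

  scorecard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write               # only needed when publish_results is true
      security-events: write
    steps:
      - uses: actions/checkout@<commit-sha>
      - uses: ossf/scorecard-action@<commit-sha>
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - uses: github/codeql-action/upload-sarif@<commit-sha>
        with:
          sarif_file: results.sarif

  dependency-review:
    if: github.event_name == 'pull_request'   # the action diffs the PR's dependency manifests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<commit-sha>
      - uses: actions/dependency-review-action@<commit-sha>

---
# Downstream repository, e.g. .github/workflows/security.yml (assumed path)
name: Security
on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: "0 4 * * 1"             # weekly run so new CodeQL rules are picked up between releases

jobs:
  scans:
    # Placeholder ref: pin the caller to a tag or commit of the central repository.
    uses: apache/commons-parent/.github/workflows/security-scans.yml@<ref>
    permissions:                    # ceiling for the called jobs; they cannot exceed this
      contents: read
      id-token: write
      security-events: write
```

With this layout the SHA pins live in exactly one file, so a Dependabot or manual bump happens once in the central repository rather than in every downstream one, which is the churn the comment's second and third bullets describe. The caller's `permissions` block is the cap for the reusable jobs, so a downstream repository that does not want Scorecard results published can simply omit `id-token: write`.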
