---
*Note: This file follows LightSpeedWP governance, frontmatter, naming, and versioning conventions as described in [VERSIONING.md](./VERSIONING.md) and [FRONTMATTER_SCHEMA.md](./FRONTMATTER_SCHEMA.md).*
---
This document is the single source of truth for all core GitHub workflows in the .github/workflows/ directory.
Each workflow must correspond to a single agent in .github/agents/ where possible.
Workflows and agents automate project health, enforce governance, and maintain data and process quality across all repos.
LightSpeedWP follows a develop → main branching model:
-
develop: All active development happens here.
- All validation, CI, test, lint, label, and automation workflows run on
develop. - Every PR and push targeting
developis fully validated before integration.
- All validation, CI, test, lint, label, and automation workflows run on
-
main: Reserved for production-ready code and releases.
- Only release, changelog, versioning, and publishing workflows run on
main. - Code is merged into
mainonly for tagging and deploying a release.
- Only release, changelog, versioning, and publishing workflows run on
Hotfixes: If you allow hotfixes directly to main, ensure CI/test/lint workflows also run on main for those rare PRs.
| Workflow Type | develop | main | Rationale |
|---|---|---|---|
| Lint/Test/CI | ✅ | Validation before release; all active development on develop. | |
| PR Automation/Labeler | ✅ | All PRs target develop; labels/status for triage and automation. | |
| Planner/Reviewer Agent | ✅ | Checklist and review enforced on develop. | |
| Project Meta Sync | ✅ | Keeps project boards in sync as work progresses. | |
| Release/Tag/Publish | ✅ | Only run on main: version bump, changelog, release, deployment. |
- ✅ = Workflow runs on this branch
- (empty) = Workflow does not trigger on this branch
Validation/CI workflows
on:
push:
branches: [develop]
pull_request:
branches: [develop]Release workflows
on:
push:
branches: [main]
workflow_dispatch:- Always document a new workflow in this file before committing the workflow YAML.
- Specify the branch triggers for each workflow.
- Remove or archive any workflow not referenced in this file.
- For questions, see Governance or open a discussion.
Branch: main only
Agent: release.agent.js
Purpose:
Automates versioning, changelog, tagging, and release notes in a single, auditable workflow.
Triggers:
pushtomainworkflow_dispatch(manual)
Key Steps:
- Checks out code, sets up environment
- Determines release version (from input, file, or tags)
- Updates version files and badges
- Generates or updates changelog
- Commits and tags new version
- Extracts release notes and publishes GitHub Release
- Resets badges for develop branch after release
Branch: develop
Agent: planner.agent.js
Purpose:
Posts a Markdown checklist and exit criteria to PRs, standardizing merge readiness and ensuring governance.
Triggers:
pushtodeveloppull_requesttodevelop
Key Steps:
- Runs planner agent script to post/update PR checklists on all PRs
Branch: develop
Agent: reviewer.agent.js
Purpose:
Automates PR review and feedback using reviewer agent.
Triggers:
pushtodeveloppull_requesttodevelop
Key Steps:
- Runs reviewer agent script for automated PR summary and review
Branch: develop
Agent: labeling.agent.js
Purpose:
Unified workflow for all labeling, status/priority, and issue type automation.
Triggers:
pushtodeveloppull_requesttodevelop(all relevant PR events)issues(all relevant issue events)
References:
- Canonical labels:
.github/labels.yml - Canonical issue types:
.github/issue-types.yml - File/branch label rules:
.github/labeler.yml
Key Steps:
- File/branch-based labels via native labeler action
- Runs unified agent for:
- One-hot status and priority enforcement
- Type label assignment using
issue-types.ymland heuristics - PR heuristics (front matter, file-based, labeler.yml)
- Ensures changelog label is present for PRs
- Logging and action reporting
Branch: develop
Agent: [project meta sync agent, if present]
Purpose:
Maps issues/PRs to projects and syncs status/priority/type fields from labels.
Triggers:
pushtodevelopissues: [opened, edited, labeled, unlabeled, reopened, closed]pull_requesttodevelop: [opened, edited, labeled, unlabeled, reopened, ready_for_review, synchronize, closed]
Key Steps:
- Uses GitHub App token
- Adds issues/PRs to project board
- Derives and syncs status, priority, and type values from labels/branches
Branch: develop
Purpose:
Enforces code quality and standards through automated linting.
Triggers:
pushtodeveloppull_requesttodevelop
Key Steps:
- Runs ESLint, Prettier, and other linters
- Reports code quality issues
Branch: develop
Purpose:
Core CI checks for all code changes.
Triggers:
pushtodeveloppull_requesttodevelop
Key Steps:
- Runs tests and builds
- Validates integration
Branch: develop
Purpose:
Validates and generates changelog entries.
Triggers:
pushtodeveloppull_requesttodevelop
Key Steps:
- Validates changelog format
- Ensures changelog entries for PRs
Branch: develop
Agent: meta.agent.js
Purpose:
Apply documentation metadata in one pass: validate/enrich front matter, update badges, inject human references, and select category-specific quirky footers.
Triggers:
- File changes to documentation or metadata config
- Weekly schedule
workflow_dispatch
Key Steps:
- Validates front matter
- Updates badge blocks under the H1
- Inserts reference blocks (when present) and applies deterministic quirky footers by category
- Runs the meta agent
Branch: develop
Agent: badges.agent.js
Purpose:
Repository badge status updates and maintenance.
Triggers:
- Path changes to badges
workflow_dispatch
Key Steps:
- Updates repository badges
- Maintains badge consistency
Note: Deprecated in favor of meta.yml for most use cases.
Branch: develop
Purpose:
Gathers repository health and performance metrics.
Triggers:
- Weekly schedule
workflow_dispatch
Key Steps:
- Collects repository metrics
- Generates health reports
- Each workflow must correspond to a single agent where possible.
- No workflow duplication: all logic is agent-driven, DRY, and maintainable.
- Canonical configuration for labels and issue types is in
.github/labels.ymland.github/issue-types.yml. - Label mapping/file/branch rules are in
.github/labeler.yml. - All workflow changes must comply with LightSpeed Coding Standards.
This document must be updated whenever workflows are changed, added, or removed. It is the single source of truth for workflow governance in LightSpeedWP projects.
This document describes the automated validation framework for GitHub Actions workflows in the LightSpeedWP organization. The framework ensures that all workflows meet organizational standards for security, performance, quality, and consistency.
The workflow validation system:
- Enforces Security Best Practices: Validates permissions, secret handling, and action versions
- Ensures Performance: Detects missing optimizations like caching and concurrency
- Maintains Quality: Checks for descriptive step names, proper error handling, and documentation
- Promotes Consistency: Verifies adherence to organizational standards
Security-related validations that are strict (errors block validation):
- Explicit Permissions: Workflows should declare explicit
permissions:blocks - No Secrets in Shell: Prevents accidental exposure of secrets through shell output
- Action Version Pinning: Requires full commit SHA pinning for security
- Checkout Permissions: Verifies safe checkout configuration
Performance optimizations that are warnings (allow workflows to pass):
- Caching Strategy: Recommends caching for npm, pip, and other package managers
- Concurrency Control: Suggests concurrency configuration to prevent overlapping runs
- Checkout Optimization: Recommends fetch-depth settings for faster checkouts
- Matrix Efficiency: Checks for efficient matrix configurations
Code quality validations that are warnings:
- Descriptive Step Names: All run steps should have descriptive names
- Error Handling: Checks for proper error handling and cleanup steps
- Timeout Configuration: Validates timeout settings for long-running jobs
- Resource Limits: Ensures appropriate resource allocation
Organizational consistency checks that are warnings:
- Consistent Trigger Events: Encourages standard event triggers
- Ubuntu Version: Recommends ubuntu-latest for consistency
- Action Organization: Suggests organizing steps logically
# Run all workflow validations
npm run validate:workflows
# Check results
# - ✅ Passed: 33
# - ❌ Failed: 0
# - ⚠️ Warnings: 97The validation runs automatically on:
- Pull Requests: When workflow files are modified
- Scheduled: Weekly validation of all workflows
- Manual: Via workflow_dispatch trigger
The validator produces structured output including:
🔍 Workflow Validation Results
❌ ERRORS:
[Only critical security issues shown]
⚠️ WARNINGS:
[Best practice recommendations]
📊 Summary:
Total workflows: 33
✅ Passed: 33
❌ Failed: 0
⚠️ Warnings: 97
The validation rules are defined in:
// Location: scripts/validation/validate-workflows.js
// Contains: SecurityGuardrails, PerformanceGuardrails, QualityGuardrails, ConsistencyGuardrailsEach guardrail category includes:
{
enabled: true, // Enable/disable the entire category
rules: {
specificRule: {
enabled: true, // Enable/disable individual rules
message: "Description", // Error/warning message
level: "warning" | "error" // Severity level
}
}
}Common recommendations from validation:
permissions:
contents: read
pull-requests: writeconcurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history when needed- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"- name: Run tests with coverage
run: npm run test:coverageCurrent workflow validation results:
- Total Workflows: 33
- Security Status: ✅ All workflows follow security best practices
- Performance: 25 workflows could benefit from caching optimizations
- Quality: 20 workflows have steps without descriptive names
- Consistency: All workflows follow organizational patterns
-
Always Include Permissions
permissions: contents: read
-
Pin Action Versions
uses: actions/checkout@a1b82bbb3dd0ef16261a2ba3b91b4603d2e2d46b # v4
-
Use Concurrency
concurrency: group: ${{ github.workflow }}-${{ github.ref }}
-
Name All Steps
- name: Build application run: npm run build
-
Cache Dependencies
- uses: actions/setup-node@v4 with: cache: "npm"
name: Build and Test
on:
push:
branches: [develop]
pull_request:
branches: [develop]
permissions:
contents: read
pull-requests: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout code
uses: actions/checkout@a1b82bbb3dd0ef16261a2ba3b91b4603d2e2d46b # v4
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@60edb3dd545a775178fbb3d1d2aaf32c4631a3bb # v4
with:
node-version: "20"
cache: "npm"
- name: Install dependencies
run: npm ci
- name: Run tests with coverage
run: npm test:coverage
- name: Upload coverage
uses: actions/upload-artifact@65462800fd760344d3fbb3e7f58a62d3e9ce1e25 # v4
if: always()
with:
name: coverage-report
path: coverage/Error: "Missing permissions block"
- Solution: Add
permissions:block to job or workflow level
Error: "Action version not pinned to commit SHA"
- Solution: Use full commit SHA instead of tag (find via GitHub UI)
Error: "Secrets found in shell output"
- Solution: Use GitHub's secret masking or avoid logging sensitive data
# View full validation output with all warnings
npm run validate:workflows 2>&1 | less
# Check specific workflow
node scripts/validation/validate-workflows.js .github/workflows/lint.yml-
Before Committing Workflow Changes
npm run validate:workflows
-
Fix Issues
- Address all errors (red)
- Consider addressing warnings (yellow)
-
Commit Changes
git add .github/workflows/your-workflow.yml git commit -m "feat(workflows): improve security and performance"
The validation automatically runs in:
- PR Workflow: Validates modified workflows
- Scheduled Jobs: Weekly comprehensive validation
- Pre-commit Hooks: Local validation via Husky
The validation framework is maintained by the LightSpeed team. To propose improvements:
- Open an issue with the
type:improvementlabel - Include examples of workflows that should pass/fail
- Link to relevant GitHub Actions documentation
Have questions? Ping us on GitHub! 🐙 Made with 💚 by LightSpeedWP Contact