ADR-005: Dedicated Repository for Reusable Composite GitHub Actions
Status
Accepted (2026-04-04)
Context
CascadeGuard’s CI/CD pipelines across multiple repositories (cascadeguard, cascadeguard-actions, future SaaS repos) share common workflow patterns: container build, Trivy scan, image signing with Cosign, and GHCR publish. Duplicating these steps in every repo’s .github/workflows/ creates maintenance burden and drift risk — a security-relevant concern when action versions or pinned SHAs fall out of sync.
GitHub supports composite actions that bundle multiple steps into a single reusable unit, referenced by repository and SHA.
Decision
Create a dedicated public repository cascadeguard/cascadeguard-actions to host reusable composite GitHub Actions for the CascadeGuard organisation.
Key properties
| Property | Value |
|---|---|
| Repository | cascadeguard/cascadeguard-actions |
| Visibility | Public (required for cross-repo action references) |
| Referencing | All consumers pin to full commit SHA (not tags) |
| Release model | Tagged releases with SHA-pinned changelog |
| Scope | CI/CD composite actions only — no application code |
Initial actions planned
- build-scan-sign-publish — container image pipeline (build, Trivy scan, Cosign sign, GHCR push)
- Additional actions as common patterns emerge across repos
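The following is an added illustration, not code from this ADR or from the cascadeguard-actions repository. It writes a constructed composite action in the directory layout that a `cascadeguard/cascadeguard-actions/build-scan-sign-publish@<sha>` reference implies, a consumer workflow that follows the SHA-pinning rule, a second consumer that has drifted onto a tag and a branch, and a small check that lists every `uses:` reference not pinned to a full commit SHA. The commit SHAs, the `image` input and the step commands are placeholders chosen for the example; the `id-token: write` permission assumes keyless Cosign signing, which the ADR does not specify.

```shell
#!/usr/bin/env sh
# Added example (not CascadeGuard's own code). Fixtures are constructed and
# written to a temporary directory; the 40-hex SHAs are placeholders.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_fixtures() {
  mkdir -p "$WORKDIR/build-scan-sign-publish"
  # Composite action as the ADR describes it: build, Trivy scan, GHCR push
  # and Cosign sign bundled into one unit. Every 'run' step in a composite
  # action must declare its 'shell'.
  cat > "$WORKDIR/build-scan-sign-publish/action.yml" <<'EOF'
name: build-scan-sign-publish
description: Build a container image, scan it with Trivy, push to GHCR, sign with Cosign
inputs:
  image:
    description: Fully qualified image reference, e.g. ghcr.io/org/app:tag
    required: true
runs:
  using: composite
  steps:
    - name: Build
      shell: bash
      run: docker build -t "${{ inputs.image }}" .
    - name: Scan (fail on HIGH/CRITICAL findings)
      shell: bash
      run: trivy image --exit-code 1 --severity HIGH,CRITICAL "${{ inputs.image }}"
    - name: Push
      shell: bash
      run: docker push "${{ inputs.image }}"
    - name: Sign
      shell: bash
      run: cosign sign --yes "${{ inputs.image }}"
EOF
  # Consumer that follows the ADR: every action reference pinned to a commit SHA.
  cat > "$WORKDIR/ci-pinned.yml" <<'EOF'
name: ci
on: [push]
jobs:
  image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # GHCR push
      id-token: write   # assumption: keyless Cosign signing
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: cascadeguard/cascadeguard-actions/build-scan-sign-publish@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          image: ghcr.io/cascadeguard/cascadeguard:${{ github.sha }}
EOF
  # Consumer that has drifted: a floating tag and a branch reference.
  cat > "$WORKDIR/ci-floating.yml" <<'EOF'
name: ci
on: [push]
jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cascadeguard/cascadeguard-actions/build-scan-sign-publish@main
        with:
          image: ghcr.io/cascadeguard/cascadeguard:${{ github.sha }}
EOF
}

# Print each 'uses:' reference in FILE that is not pinned to a 40-hex commit
# SHA. Local actions ('./path') and docker:// references are outside the
# owner/repo@ref form and are skipped. Empty output means the file passes.
unpinned_refs() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

write_fixtures
for f in "$WORKDIR"/ci-*.yml; do
  bad="$(unpinned_refs "$f")"
  if [ -n "$bad" ]; then
    printf '%s: unpinned action references:\n%s\n' "$f" "$bad"
  else
    printf '%s: all action references pinned to a commit SHA\n' "$f"
  fi
done
```

Run it with `sh`; it reports the drifted workflow and passes the pinned one. The same `unpinned_refs` function can be pointed at a real `.github/workflows/` directory to enforce the pinning rule in a consumer repo's CI.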
Consequences
Easier
- Single place to update action dependencies and pinned SHAs
- Consistent security posture across all repos (one update propagates)
- Standard ecosystem pattern — contributors recognise the structure
- Unblocks CAS-81 (CVE presentation in managed image repo)
Harder
- Cross-repo dependency: changes to actions require testing against all consumers
- Versioning discipline required — breaking changes need coordinated rollout
- One more repo to maintain (mitigated by its narrow, well-defined scope)
References
- Paperclip decision issue: CAS-155
- Blocked issue: CAS-81 (CVE presentation in managed image repo)
- CEO approval: CAS-155 comment (2026-04-04)