Topic
How the ComplyTime/Unbound Force organizations standardized their release infrastructure by extracting common release patterns into two reusable GitHub Actions workflows.
Suggested angle
Problem → Solution narrative: 7 Go repositories each maintained their own release workflow with inline preflight validation, GoReleaser execution, and supply chain steps. This led to action version drift, inconsistent supply chain coverage (3 of 7 repos lacked SBOMs and cosign signing), hardcoded CI check names that broke silently, and two functional bugs.
Key points:
- The journey from duplicated inline workflows to composable reusable workflows
- File-based CI check auto-discovery (convention over configuration)
- Smart re-run resilience — fixing the "tag already exists" problem
- Semver-aware pre-release ordering (why
sort -V gets it wrong)
- Supply chain enforcement by default (cosign + syft always installed)
- Adoption documentation as a first-class deliverable
PR reference
complytime/org-infra#394
Target audience
DevOps engineers and platform teams managing multi-repo release infrastructure with GitHub Actions.
Topic
How the ComplyTime/Unbound Force organizations standardized their release infrastructure by extracting common release patterns into two reusable GitHub Actions workflows.
Suggested angle
Problem → Solution narrative: 7 Go repositories each maintained their own release workflow with inline preflight validation, GoReleaser execution, and supply chain steps. This led to action version drift, inconsistent supply chain coverage (3 of 7 repos lacked SBOMs and cosign signing), hardcoded CI check names that broke silently, and two functional bugs.
Key points:
sort -Vgets it wrong)PR reference
complytime/org-infra#394
Target audience
DevOps engineers and platform teams managing multi-repo release infrastructure with GitHub Actions.