Context
The org CI/CD audit (docs/omt-global-ci-cd-audit-2026-04-14.md) names github-runner-fleet as the release-isolation reference and recommends:
- Extend its policy into explicit rg-ci / rg-security / rg-release governance
- Use as the source repo for reusable PR/security/release workflows
pr-fast-ci.yml, extended-validation.yml, and release-image.yml already encode the right patterns, but they are repo-local and cannot be consumed from downstream repos via workflow_call. #28 covers the docs side (shell-safe workflow cookbook); this issue is the artifact side.
Scope
- Carve out workflow_call reusable workflows under .github/workflows/ (or a sibling reusable/ directory) for:
  - rg-ci.yml — cheap PR gate template (lint/test/build, shell-safe runner allowlist)
  - rg-security.yml — wraps the security scan workflow added in the security-scanning issue (CodeQL / dep-review / OSV) on hosted runners only
  - rg-release.yml — signed-image / OIDC-only release template, derived from release-image.yml
- Each reusable workflow exposes minimal, well-typed inputs and declares the secrets it needs explicitly, so a caller can pass them by name instead of handing over everything with secrets: inherit.
- Each one pins external actions by full commit SHA and constrains permissions: to least-privilege (the caller's grant is the ceiling; the called workflow asks for no more than it uses).
- Add an example consumer snippet to docs/workflow-cookbook.md showing how a downstream repo references each workflow with uses: OMT-Global/github-runner-fleet/.github/workflows/rg-*.yml@<tag>.
- Validate via a smoke-style test (or a separate test-consumer repo / matrix job) that each reusable workflow is callable.
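The shape a carved-out rg-ci.yml could take, as an added example written for this issue and not the repo's existing pr-fast-ci.yml. The input names (runner, make-targets), the optional PRIVATE_REGISTRY_TOKEN secret, the two-label runner allowlist and the `<checkout-sha>` placeholder are all assumptions for illustration; the placeholder stands for a full 40-hex commit SHA you resolve and review before pinning.

```yaml
# .github/workflows/rg-ci.yml  (added example; illustrative shape, not the repo's file)
#
# Reusable PR gate: lint/test/build on a hosted runner taken from a fixed allowlist.
#
# Inputs
#   runner        string, optional, default "ubuntu-24.04"; must be on the allowlist below
#   make-targets  string, optional, default "lint test build"; make targets run in order
# Secrets
#   PRIVATE_REGISTRY_TOKEN  optional; only needed when the build pulls private base images
#
# Callers pass secrets by name (secrets: { PRIVATE_REGISTRY_TOKEN: ${{ secrets.X }} })
# rather than secrets: inherit, so this workflow never sees more than the one it declares.
name: rg-ci

on:
  workflow_call:
    inputs:
      runner:
        description: Hosted runner label (validated against the allowlist in preflight)
        type: string
        required: false
        default: ubuntu-24.04
      make-targets:
        description: Space-separated make targets to run
        type: string
        required: false
        default: lint test build
    secrets:
      PRIVATE_REGISTRY_TOKEN:
        description: Token for a private base-image registry (assumed name)
        required: false

# Least privilege: the caller's grant is the ceiling; this file asks only for read.
permissions:
  contents: read

jobs:
  preflight:
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    steps:
      - name: Enforce runner allowlist
        # Inputs reach the shell through env, never via ${{ }} inside run:, so a
        # crafted label cannot be turned into shell injection.
        env:
          RUNNER_LABEL: ${{ inputs.runner }}
        run: |
          case "$RUNNER_LABEL" in
            ubuntu-24.04|ubuntu-22.04)
              echo "runner '$RUNNER_LABEL' is on the allowlist" ;;
            *)
              echo "::error::runner '$RUNNER_LABEL' is not on the rg-ci allowlist"
              exit 1 ;;
          esac

  gate:
    needs: preflight
    runs-on: ${{ inputs.runner }}
    timeout-minutes: 20
    steps:
      # Pin by full commit SHA, not by tag; the trailing comment is for humans only.
      # <checkout-sha> is a placeholder for the 40-hex SHA you resolve and review.
      - uses: actions/checkout@<checkout-sha> # v4
        with:
          persist-credentials: false
      - name: Run make targets
        env:
          MAKE_TARGETS: ${{ inputs.make-targets }}
          PRIVATE_REGISTRY_TOKEN: ${{ secrets.PRIVATE_REGISTRY_TOKEN }}
        # Word-splitting on $MAKE_TARGETS is intended: it is a space-separated list.
        # shellcheck disable=SC2086
        run: make $MAKE_TARGETS
```

Two things worth checking when reviewing a file of this shape: the preflight job fails loudly (exit 1) rather than silently skipping the gate when the label is off the allowlist, and every caller-controlled value crosses into `run:` only through `env:`. The header comment is what the acceptance criterion about documenting inputs and required secrets refers to.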
Acceptance Criteria
- A downstream repo can adopt the org standard with three uses: lines instead of copying YAML.
- Inputs and required secrets are documented in the workflow file header.
- README or docs/workflow-cookbook.md links the canonical reference for each reusable workflow.
- The repo's own CI continues to use CI Gate as the single required status check.
Related
- docs/omt-global-ci-cd-audit-2026-04-14.md (Wave 4)