USThing · polyipseity · Jan 21, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/.github/workflows/check-shared-steps.yml b/.github/workflows/check-shared-steps.yml
@@ -0,0 +1,78 @@
+## NOTE: This workflow contains shared steps used by an internal try→fallback
+## pattern inside this repository. It's named `*-shared-steps.yml` to make it
+## clear these are shared step definitions for local use (not a broadly
+## reusable/cross-repo workflow). Keep the file paired with the callers that
+## run it twice (try + fallback).
+on:
+  workflow_call:
+    inputs:
+      runs_on:
+        required: true
+        type: string
+      continue_on_error:
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  eslint:
+    runs-on: ${{ inputs.runs_on }}
+    continue-on-error: ${{ inputs.continue_on_error }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - run: |
+          corepack enable
+          corepack install
+
+      - uses: actions/setup-node@v4
+        with:
+          cache: yarn
+
+      - run: |
+          yarn install
+
+      - run: |
+          yarn run lint
+
+  commitlint:
+    runs-on: ${{ inputs.runs_on }}
+    continue-on-error: ${{ inputs.continue_on_error }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: wagoid/commitlint-github-action@v6
+
+  tests:
+    runs-on: ${{ inputs.runs_on }}
+    continue-on-error: ${{ inputs.continue_on_error }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+
+      - uses: supercharge/mongodb-github-action@1.11.0
+        with:
+          mongodb-version: 7
+
+      - run: |
+          corepack enable
+          corepack install
+
+      - uses: actions/setup-node@v4
+        with:
+          cache: yarn
+
+      - run: |
+          yarn install
+
+      - run: |
+          yarn run test
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -5,71 +5,23 @@ on:
   - pull_request
 
 jobs:
-
-  eslint:
-
-    runs-on: ubuntu-22.04
-
-    steps:
-
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 24
-
-      - run: |
-          corepack enable
-          corepack install
-
-      - uses: actions/setup-node@v4
-        with:
-          cache: yarn
-
-      - run: |
-          yarn install
-
-      - run: |
-          yarn run lint
-
-  commitlint:
-
-    runs-on: ubuntu-latest
-
-    steps:
-
-      - uses: actions/checkout@v4
-
-      - uses: wagoid/commitlint-github-action@v6
-
-  tests:
-
-    runs-on: ubuntu-latest
-
-    steps:
-
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 24
-
-      # - uses: supercharge/mongodb-github-action@1.11.0
-      #   with:
-      #     mongodb-version: 7
-
-      - run: |
-          corepack enable
-          corepack install
-
-      - uses: actions/setup-node@v4
-        with:
-          cache: yarn
-
-      - run: |
-          yarn install
-
-      - run: |
-          yarn run test
+  try_checks:
+    uses: ./.github/workflows/check-shared-steps.yml
+    with:
+      runs_on: "ubuntu-22.04"
+      continue_on_error: true
+
+  fallback_checks:
+    # NOTE: This fallback job runs only when the `try_checks` job fails.
+    #
+    # Because both the try and fallback invoke the same reusable workflow, the
+    # GitHub PR UI may display duplicated or expanded workflow sections. In
+    # addition, using `continue-on-error` inside the reusable jobs can make
+    # checks appear as failed in the PR interface even though the fallback
+    # subsequently handled the failure. This is a cosmetic artifact of the
+    # try→fallback pattern and does not indicate a functional regression.
+    needs: [try_checks]
+    if: ${{ failure() }}
+    uses: ./.github/workflows/check-shared-steps.yml
+    with:
+      runs_on: "self-hosted"
diff --git a/.github/workflows/docker-shared-steps.yml b/.github/workflows/docker-shared-steps.yml
@@ -0,0 +1,62 @@
+## NOTE: This workflow contains shared steps used by an internal try→fallback
+## pattern inside this repository. It's named `*-shared-steps.yml` to make it
+## clear these are shared step definitions for local use (not a broadly
+## reusable/cross-repo workflow). Keep the file paired with the callers that
+## run it twice (try + fallback).
+on:
+  workflow_call:
+    inputs:
+      runs_on:
+        required: true
+        type: string
+      continue_on_error:
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  docker:
+    runs-on: ${{ inputs.runs_on }}
+    continue-on-error: ${{ inputs.continue_on_error }}
+    steps:
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=branch
+            type=ref,event=pr
+            test
+
+      - name: Build and Push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -11,50 +11,27 @@ permissions:
   id-token: write
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-
-  docker:
-
-    runs-on: ubuntu-latest
-
-    steps:
-
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker Metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          # Commit SHA Tag
-          # The Tags based on the branch or the PR
-          # The "test" Tag, indicating a non-production-ready image
-          tags: |
-            type=sha
-            type=ref,event=branch
-            type=ref,event=pr
-            test
-
-      - name: Build and Push
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+  try_docker:
+    uses: ./.github/workflows/docker-shared-steps.yml
+    with:
+      runs_on: "ubuntu-latest"
+      continue_on_error: true
+
+  fallback_docker:
+    # NOTE: This fallback job runs only when the `try_docker` job fails.
+    #
+    # Because both the try and fallback invoke the same reusable workflow, the
+    # GitHub PR UI may display duplicated or expanded workflow sections. In
+    # addition, using `continue-on-error` inside the reusable jobs can make
+    # checks appear as failed in the PR interface even though the fallback
+    # subsequently handled the failure. This is a cosmetic artifact of the
+    # try→fallback pattern and does not indicate a functional regression.
+    needs: [try_docker]
+    if: ${{ failure() }}
+    uses: ./.github/workflows/docker-shared-steps.yml
+    with:
+      runs_on: "self-hosted"
diff --git a/.github/workflows/release-shared-steps.yml b/.github/workflows/release-shared-steps.yml
@@ -0,0 +1,85 @@
+## NOTE: This workflow contains shared steps used by an internal try→fallback
+## pattern inside this repository. It's named `*-shared-steps.yml` to make it
+## clear these are shared step definitions for local use (not a broadly
+## reusable/cross-repo workflow). Keep the file paired with the callers that
+## run it twice (try + fallback).
+on:
+  workflow_call:
+    inputs:
+      runs_on:
+        required: true
+        type: string
+      continue_on_error:
+        required: false
+        type: boolean
+        default: false
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  release:
+    runs-on: ${{ inputs.runs_on }}
+    continue-on-error: ${{ inputs.continue_on_error }}
+    steps:
+      - name: Release Please
+        uses: googleapis/release-please-action@v4
+        id: release
+        with:
+          release-type: node
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.release_created }}
+
+      - name: Tag Major and Minor Versions
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email github-actions[bot]@users.noreply.github.com
+          git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          git tag -d v${{ steps.release.outputs.major }} || true
+          git tag -d v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
+          git push origin :v${{ steps.release.outputs.major }} || true
+          git push origin v${{ steps.release.outputs.major }}
+          git push origin v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}
+
+      - name: Setup QEMU
+        if: ${{ steps.release.outputs.release_created }}
+        uses: docker/setup-qemu-action@v3
+
+      - name: Setup Docker Buildx
+        if: ${{ steps.release.outputs.release_created }}
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        if: ${{ steps.release.outputs.release_created }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Metadata
+        if: ${{ steps.release.outputs.release_created }}
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=branch
+            prod
+            ${{ steps.release.outputs.major }}
+            ${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}
+            ${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}.${{ steps.release.outputs.patch }}
+
+      - name: Build and Push
+        if: ${{ steps.release.outputs.release_created }}
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}