Open
Problem
Trusted internal partners cannot publish templates fast enough. The current process requires manually editing a 5500-line JSON file, generating UUIDs, uploading images, determining correct tags, opening a PR with a checklist, and waiting for review + manual deploy. Partners can npm publish faster than they can get a template into the gallery.
The extension submission pipeline already solves this pattern: file an issue, automation validates and creates a PR, maintainer merges. Templates have no equivalent automation.
Proposed Solution
Mirror the extension submission model for templates:
Issue Form -> Validation -> Auto-PR -> Trusted Publisher Auto-Merge
Components
- GitHub Issue Template (template-submission.yml) - structured form for source repo URL, title, description, author, IaC provider, etc.
- Validation Script (validate-template.js) - validates source repo URL, checks repo exists, validates image URL, generates UUID
- Submission Workflow (template-submission.yml) - triggered by issue label, runs validation, updates templates.json, auto-creates PR
- Trusted Publishers Config (.github/trusted-publishers.json) - allowlist of GitHub usernames for auto-merge
- Auto-Merge Workflow (template-auto-merge.yml) - auto-merges trusted publisher PRs after CI passes
- Docs Update - update contributor guide with new automated path
Security Model
- Everything is rollbackable (git revert)
- Trusted publishers list is version-controlled and requires PR to modify
- URL validation prevents SSRF
- Auto-merge double-checks submitter against trusted list
- Branch protection rules still apply
See docs/specs/template-submission-automation/spec.md for full spec.