Skip to content

Redesign the Area axis to a pure product-surface set: cli, spec, go-glx, import-export, docs, website, infra, security #1062

Description

@isaacschepp

Context / Problem

The "Area" dropdown is the product-surface axis for issue intake. Its canonical list lives in .github/issue-areas.yml (lines 32-38) and is mirrored into three templates' id: area dropdowns (bug_report.yml:5-16, feature_request.yml, enhancement.yml), with .github/workflows/issue-templates-drift.yml failing CI on any divergence and .github/workflows/issue-labeler.yml reading the file at runtime to compute valid labels.

Today the list is:

areas:
  - cli
  - spec
  - go-glx
  - import-export
  - ui
  - tooling

The axis is broken because it conflates two different dimensions:

  • A product surface (where the code lives), and
  • A kind-of-work dimension that the native GitHub issue type already owns (this repo has types Task, Bug, Feature, Enhancement, Infrastructure, Discussion).

Symptoms:

  1. tooling is a 53% catch-all — 133 of 247 open issues. It is a kind, not a surface: 91 of those 133 (68%) are already typed Infrastructure (measured 2026-06-08), so the label largely re-encodes the native issue-type axis. Splitting tooling into ci/build/deps/release would just recreate the same axis-conflation one level down.
  2. CODEOWNERS-owned dirs have no area. CODEOWNERS owns /docs/ and /website/ (lines 25-26) and /.github/ (line 29), but there are no docs, website, or infra areas. So docs-site, user-docs, and CI work all fall into tooling or needs-triage.
  3. Security work is invisible. ~33 of the 133 tooling issues (a quarter) are SLSA/cosign/Scorecard/vuln/supply-chain work (e.g. CI: add harden-runner to release and security workflows #350 harden-runner, SECURITY.md: add safe harbor clause and embargo policy #424 SECURITY.md, dependabot: add native cooldown (min-release-age) to defend against worm-class supply-chain updates #929 dependabot cooldown, ci: set persist-credentials: false on read-only checkout steps (artipacked hardening) #945 artipacked, scorecard.yml: SHA-pin ossf/scorecard-action and codeql-action/upload-sarif (match repo convention; reconcile codeql with security.yml) #1019 SHA-pin scorecard) — buried inside tooling with no cross-cutting label to find them by.
  4. ui (4 issues) is mixed and partly backs no code. It conflates VitePress docs-site issues (Website: upgrade VitePress from alpha to stable release #277/Website: add OpenGraph and Twitter Card meta tags #281) with archive-viewer vaporware (Read-only web viewer for sharing archives #91/Visual editor — local-first browser UI for GLX archives #93). ui maps to no directory in CODEOWNERS.

The root defect is the axis design, not the parsing/labeler machinery (which #885/#946/#948 cover). Fixing it drains both the tooling and needs-triage piles at the source.

Proposal / Recommendation

Make Area a pure product-surface axis that maps 1:1 to CODEOWNERS dirs wherever possible, lets the native Infrastructure issue type own the kind-of-work dimension, and admits exactly one justified cross-cutting exception (security).

New .github/issue-areas.yml list (keep values FLAT bare strings; defer any area/* namespacing):

areas:
  - cli
  - spec
  - go-glx
  - import-export
  - docs
  - website
  - infra
  - security

Rationale per change:

This is a data-only change to the runtime-read list plus the mirrored dropdowns — no labeler/awk/PyYAML code change is required (issue-labeler.yml and issue-templates-drift.yml read the list dynamically).

New labels needed (do not yet exist as repo labels)

docs, website, infra, security must be created as repo labels before this lands. This matters because of #946: the labeler hard-fails gh --add-label when a valid area has no backing repo label. Conversely, ui and tooling labels should be deleted only after a scripted relabel of the ~133 tooling + 4 ui issues by directory heuristic.

Sequencing (to avoid breaking the labeler / drift gate)

  1. Create repo labels docs, website, infra, security (prerequisite — see issue-labeler: a valid Area whose repo label is missing hard-fails gh --add-label (drift check guards options, not label existence) #946).
  2. Scripted relabel of the ~133 tooling + 4 ui open issues to the new surface labels by directory/keyword heuristic; tag security issues security.
  3. Update .github/issue-areas.yml AND all three templates' id: area option lists in the same commit (the issue-templates-drift.yml gate fails otherwise).
  4. Delete the now-unused ui and tooling repo labels.

Acceptance criteria

Relates to

Note: this issue is itself filed under area tooling only because that is the closest existing label until infra exists — which is precisely the bucket this proposal dissolves.


Follow-up issues filed alongside this one (same review)

This issue is the hub for a focused 2026 review of .github/issue-areas.yml and its labeling machinery (how the canonical Area list relates to the three issue-form templates, the issue-templates-drift gate, the issue-labeler workflow, the repo labels, and CODEOWNERS). The concrete sub-findings were filed separately:

Metadata

Metadata

Assignees

No one assigned

    Labels

    toolingInfrastructure, workflow, and developer tools

    Fields

    No fields configured for Discussion.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions