Thanks for your interest in contributing to Open Workflow Library.
This file is the operational handbook. The project vision lives in
docs/vision.md; the current status lives in
docs/status.md; the roadmap lives in
docs/roadmap.md.
- No real credentials, tokens, JWTs, API keys, bearer tokens, webhook URLs, customer emails, phone numbers, addresses, or other PII in any tracked file. Placeholders only.
- No "production-ready", "behaviourally validated", "fully autonomous", "self-healing", "certified", or regulatory-compliance language. If something is true today, the status page says so.
- No AI attribution in generated files, commit messages, or PR descriptions. Generated artefacts identify the deterministic tool that produced them, not any model.
- No auto-apply of repair proposals. No auto-promotion of learning events into the curated wiki. Every promotion is a human PR.
-
Place the workflow under the appropriate category directory (
workflows/orautomation/). -
Use placeholder credentials and placeholder hosts only:
- Use
REPLACE_WITH_YOUR_VALUE,<your-api-key>, or framework-native placeholder syntax such as{{ $secrets.OPENAI_API_KEY }}. - Use
api.example.comorapi.example.invalidfor HTTP URLs.
- Use
-
Document required credentials in the workflow's
notesfield by symbolic name (e.g.slack_credentials), not by value. -
Run the audit locally:
python tools/audit_workflows.py
Confirm
possibleSecretFindingsis unchanged (target: 0). -
Open a Workflow submission issue first if you want a sanity check before a full PR.
-
Open the PR using
.github/PULL_REQUEST_TEMPLATE.md.
If you imported and executed the workflow in n8n (or the relevant framework) yourself, describe the test environment and outcome in the PR. If you did not, say so. Do not claim behavioural validation that did not happen.
The full local validation set is:
python tools/audit_workflows.py
python tools/validate_generated_pack.py
python tools/build_unified_catalog.py
python tools/validate_schemas.py
python tools/analyze_duplicates.py
python tools/build_review_queue.py
python tools/audit_public_claims.py
python tools/final_readiness_check.pyfinal_readiness_check.py orchestrates the hard gates and is the
single command to run before pushing.
The generated expansion pack is produced by
tools/generate_expansion_pack.py. Do not regenerate the pack from a
contributor PR unless that is explicitly the change you are making.
Regenerating the pack churns 420 files and is a separate, scoped change.
If you are extending the generator:
- Keep node types restricted to the conservative whitelist used by
tools/export_ir_to_n8n.py. - Use only placeholder URLs and credentials.
- Ensure
python tools/validate_generated_pack.pyreportsALL CHECKS PASSEDwithsecrets=0andstructural=0.
Repair proposals must conform to
schemas/repair-proposal.schema.json.
- Always set
requiresHumanReview: trueandstatus: "proposed". - Always include
diagnosisandproposedFixas plain-English strings a maintainer can act on. - Do not modify any workflow file from the same PR that introduces a
proposal. Proposals are written to
reports/; applying a proposal is a separate, explicit step.
Learning events live under
reports/runtime-proof/<slug>/learning-events.json and conform to
schemas/learning-event.schema.json.
- Events stay
humanReviewStatus: "pending"andappliedToWiki: falseuntil a maintainer opens a curated-wiki PR that references them. - Promotion = a hand-written entry under
wiki/repair-rules/,wiki/patterns/,wiki/integrations/, orwiki/failure-cases/. The curated wiki is the authoritative source; the seed files underwiki/generated/are regenerated by tools and are not promoted directly.
- Python 3.12+, standard library only by default.
- Optional dependencies (e.g.
jsonschema) must be gated behind a try import and a documented fallback mode. - Each tool writes to
reports/,catalog/, orwiki/generated/; tools must not modify source workflows or curated wiki files. - Stable output: rerunning a tool with the same inputs must produce identical (byte-for-byte where possible) outputs.
- Honest stderr summary on exit (last printed line should describe the outcome).
- Tools must not call external services and must not read environment variables for credentials.
- Honest first: if something is partial or not implemented, say so.
- Cross-link rather than restate: README links to
docs/status.mdanddocs/roadmap.mdrather than duplicating them. - No emoji-heavy section headers. Plain text titles.
- Code blocks for commands; tables for status; prose for context.
Before opening a PR:
- Audit reports 0
possibleSecretFindingsand 0invalidJsonFiles. - Schema validation passes.
- Generated-pack validation passes (if touched).
- Final readiness check exits 0.
- No real credentials or PII anywhere in the diff.
- No new overclaiming language in README or docs.
- No AI attribution anywhere in the diff.
- Status / roadmap pages are updated if the change moves a capability between "not implemented" and "implemented".