Skip to content

governance: amend [ORG_SETTINGS.md §Actions permissions] — add missing Terraform allowlist entries and fix floating-tag example #32

Description

@bryanfawcett

Governance Amendment — ORG_SETTINGS.md §Actions permissions

Document being amended

ORG_SETTINGS.md — GitHub Settings Source of Truth

Section(s) being amended

ORG_SETTINGS.md §Actions permissions (allowlist) and §OIDC federation for cloud credentials (Cloudflare example)

Current text (quoted exactly)

Allowlist (end of block)

  opentofu/setup-opentofu@*,
  actions/attest-build-provenance@*

Cloudflare OIDC example

- name: Authenticate to Cloudflare via OIDC
  uses: cloudflare/cloudflare-action@v1   # pin to SHA per NA-03 §7.1.1
  with:
    api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }}  # narrow-scope token

Proposed replacement text

Allowlist (add two missing entries before actions/attest-build-provenance)

  opentofu/setup-opentofu@*,
  hashicorp/setup-terraform@*,
  terraform-linters/setup-tflint@*,
  actions/attest-build-provenance@*

Cloudflare OIDC example (replace floating @v1 with a placeholder that communicates the SHA-pinning requirement — the live SHA must be resolved when the action is first adopted in a repo)

- name: Authenticate to Cloudflare via OIDC
  # Replace the SHA below with the current pinned commit for the version you adopt.
  # Resolve: gh api repos/cloudflare/cloudflare-action/git/refs/tags/<tag> --jq '.object.sha'
  uses: cloudflare/cloudflare-action@<40-char-sha>  # vX.Y.Z — per NA-03 §7.1.1
  with:
    api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }}  # narrow-scope token

Rationale

Missing allowlist entries

reusable-ci-terraform.yml was merged with two actions that are absent from the documented Actions allowlist in ORG_SETTINGS.md:

  • hashicorp/setup-terraform — used in the fmt, validate, and tflint jobs
  • terraform-linters/setup-tflint — used in the tflint job

The allowlist at Settings → Actions → General must include these entries for the workflow to execute. If they are not present (and not covered by "Allow actions by Marketplace verified creators"), the Terraform CI would be silently blocked. This amendment adds them to keep the document in sync with the running reusables.

Floating-tag example

The Cloudflare OIDC example in §OIDC federation currently uses cloudflare/cloudflare-action@v1, a floating tag that explicitly violates NA-03 §7.1.1 ("GitHub Actions used across the organisation are pinned to 40-character commit SHAs … never to tag refs such as @v4"). The example is documentation, but copying it directly would introduce a policy violation. Replacing it with a placeholder and resolution instructions prevents that mistake.

Security impact

Minor — changes a non-critical policy threshold.

  • The allowlist additions reflect actions already in use; they are not new adoptions.
  • The Cloudflare example fix removes a floating-tag reference from the docs without changing any running workflow.

Neither change reduces any existing security control.

Board notification

Not required — this amendment does not reduce security practices, testing requirements, the privacy filter, or any frontier default (§2).

Proposed changelog entry

Not applicable — ORG_SETTINGS.md does not carry a version changelog. The associated PR description and git history serve as the audit trail.


Opened by Claude Code as required by AGENTS.md before amending ORG_SETTINGS.md. Implement via the companion PR on branch claude/sleepy-albattani-k53ijz.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions