Governance Amendment — ORG_SETTINGS.md §Actions permissions
Document being amended
ORG_SETTINGS.md — GitHub Settings Source of Truth
Section(s) being amended
ORG_SETTINGS.md §Actions permissions (allowlist) and §OIDC federation for cloud credentials (Cloudflare example)
Current text (quoted exactly)
Allowlist (end of block)
opentofu/setup-opentofu@*,
actions/attest-build-provenance@*
Cloudflare OIDC example
- name: Authenticate to Cloudflare via OIDC
uses: cloudflare/cloudflare-action@v1 # pin to SHA per NA-03 §7.1.1
with:
api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }} # narrow-scope token
Proposed replacement text
Allowlist (add two missing entries before actions/attest-build-provenance)
opentofu/setup-opentofu@*,
hashicorp/setup-terraform@*,
terraform-linters/setup-tflint@*,
actions/attest-build-provenance@*
Cloudflare OIDC example (replace floating @v1 with a placeholder that communicates the SHA-pinning requirement — the live SHA must be resolved when the action is first adopted in a repo)
- name: Authenticate to Cloudflare via OIDC
# Replace the SHA below with the current pinned commit for the version you adopt.
# Resolve: gh api repos/cloudflare/cloudflare-action/git/refs/tags/<tag> --jq '.object.sha'
uses: cloudflare/cloudflare-action@<40-char-sha> # vX.Y.Z — per NA-03 §7.1.1
with:
api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }} # narrow-scope token
Rationale
Missing allowlist entries
reusable-ci-terraform.yml was merged with two actions that are absent from the documented Actions allowlist in ORG_SETTINGS.md:
hashicorp/setup-terraform — used in the fmt, validate, and tflint jobs
terraform-linters/setup-tflint — used in the tflint job
The allowlist at Settings → Actions → General must include these entries for the workflow to execute. If they are not present (and not covered by "Allow actions by Marketplace verified creators"), the Terraform CI would be silently blocked. This amendment adds them to keep the document in sync with the running reusables.
Floating-tag example
The Cloudflare OIDC example in §OIDC federation currently uses cloudflare/cloudflare-action@v1, a floating tag that explicitly violates NA-03 §7.1.1 ("GitHub Actions used across the organisation are pinned to 40-character commit SHAs … never to tag refs such as @v4"). The example is documentation, but copying it directly would introduce a policy violation. Replacing it with a placeholder and resolution instructions prevents that mistake.
Security impact
Minor — changes a non-critical policy threshold.
- The allowlist additions reflect actions already in use; they are not new adoptions.
- The Cloudflare example fix removes a floating-tag reference from the docs without changing any running workflow.
Neither change reduces any existing security control.
Board notification
Not required — this amendment does not reduce security practices, testing requirements, the privacy filter, or any frontier default (§2).
Proposed changelog entry
Not applicable — ORG_SETTINGS.md does not carry a version changelog. The associated PR description and git history serve as the audit trail.
Opened by Claude Code as required by AGENTS.md before amending ORG_SETTINGS.md. Implement via the companion PR on branch claude/sleepy-albattani-k53ijz.
Governance Amendment — ORG_SETTINGS.md §Actions permissions
Document being amended
ORG_SETTINGS.md — GitHub Settings Source of TruthSection(s) being amended
ORG_SETTINGS.md §Actions permissions(allowlist) and§OIDC federation for cloud credentials(Cloudflare example)Current text (quoted exactly)
Allowlist (end of block)
Cloudflare OIDC example
Proposed replacement text
Allowlist (add two missing entries before
actions/attest-build-provenance)Cloudflare OIDC example (replace floating
@v1with a placeholder that communicates the SHA-pinning requirement — the live SHA must be resolved when the action is first adopted in a repo)Rationale
Missing allowlist entries
reusable-ci-terraform.ymlwas merged with two actions that are absent from the documented Actions allowlist in ORG_SETTINGS.md:hashicorp/setup-terraform— used in thefmt,validate, andtflintjobsterraform-linters/setup-tflint— used in thetflintjobThe allowlist at Settings → Actions → General must include these entries for the workflow to execute. If they are not present (and not covered by "Allow actions by Marketplace verified creators"), the Terraform CI would be silently blocked. This amendment adds them to keep the document in sync with the running reusables.
Floating-tag example
The Cloudflare OIDC example in §OIDC federation currently uses
cloudflare/cloudflare-action@v1, a floating tag that explicitly violates NA-03 §7.1.1 ("GitHub Actions used across the organisation are pinned to 40-character commit SHAs … never to tag refs such as@v4"). The example is documentation, but copying it directly would introduce a policy violation. Replacing it with a placeholder and resolution instructions prevents that mistake.Security impact
Minor — changes a non-critical policy threshold.
Neither change reduces any existing security control.
Board notification
Not required — this amendment does not reduce security practices, testing requirements, the privacy filter, or any frontier default (§2).
Proposed changelog entry
Not applicable — ORG_SETTINGS.md does not carry a version changelog. The associated PR description and git history serve as the audit trail.
Opened by Claude Code as required by AGENTS.md before amending ORG_SETTINGS.md. Implement via the companion PR on branch
claude/sleepy-albattani-k53ijz.