From f9a392dc83416072215a8635173b31e090d97311 Mon Sep 17 00:00:00 2001 From: Bryan Fawcett Date: Thu, 25 Jun 2026 01:08:03 +0000 Subject: [PATCH] ci: align terraform checkout SHA, add pnpm audit to TS CI, fix PR template and ORG_SETTINGS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Four issues found during org-wide review against NA-03 v1.6 and current best practices: 1. reusable-ci-terraform.yml used actions/checkout SHA de0fac2e (# v6) while every other workflow uses 9c091bb2 (# v6). Aligns all four checkout steps to the org-standard SHA. 2. reusable-ci-typescript.yml was missing the pnpm audit job present in reusable-ci-nextjs-monorepo.yml. Adds the job (--audit-level=moderate) so standalone TypeScript repos get the same supply-chain gate as Turborepo monorepos. 3. PULL_REQUEST_TEMPLATE.md still listed "7 Enterprise products" in the locked counts. NA-03 v1.6 (22 June 2026) explicitly removed Enterprise products from the locked count list. Removes it from the template to prevent confusion. 4. ORG_SETTINGS.md §Actions permissions allowlist was missing hashicorp/setup-terraform@* and terraform-linters/setup-tflint@*, both used by reusable-ci-terraform.yml. The Cloudflare OIDC example also used a floating @v1 tag, violating NA-03 §7.1.1. Adds the missing entries and replaces the floating tag with a placeholder plus resolution instructions. Implements #32. Signed-off-by: Bryan Fawcett --- .github/PULL_REQUEST_TEMPLATE.md | 6 +++--- .github/workflows/reusable-ci-terraform.yml | 8 ++++---- .github/workflows/reusable-ci-typescript.yml | 17 +++++++++++++++++ ORG_SETTINGS.md | 6 +++++- 4 files changed, 29 insertions(+), 8 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index bed0bbd..ccb41be 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -91,9 +91,9 @@ Closes # - [ ] **Schema.org compliance** — new database tables, columns, or API fields map to Schema.org types, or the PR description justifies any deviation. - [ ] **Locked counts respected** — no change to the platform's locked counts - (17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants · - 40 interest categories · 12 manifesto sections · 3 sources of truth) - without Founder approval documented in the PR description. + (17 mini-apps · 7 data layers · 7 covenants · 40 interest categories · + 12 manifesto sections · 3 sources of truth) without Founder approval + documented in the PR description. - [ ] **Frontier defaults** — for user-facing or infrastructure work: offline / local-first behaviour has been considered; any new cryptographic primitive has a documented post-quantum migration path; diff --git a/.github/workflows/reusable-ci-terraform.yml b/.github/workflows/reusable-ci-terraform.yml index 118cd24..eafd6f2 100644 --- a/.github/workflows/reusable-ci-terraform.yml +++ b/.github/workflows/reusable-ci-terraform.yml @@ -57,7 +57,7 @@ jobs: outputs: terraform: ${{ steps.filter.outputs.terraform }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -76,7 +76,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -99,7 +99,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -128,7 +128,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 with: tflint_version: ${{ inputs.tflint-version }} diff --git a/.github/workflows/reusable-ci-typescript.yml b/.github/workflows/reusable-ci-typescript.yml index 7a503dd..3c4cdb0 100644 --- a/.github/workflows/reusable-ci-typescript.yml +++ b/.github/workflows/reusable-ci-typescript.yml @@ -62,6 +62,23 @@ permissions: contents: read jobs: + audit: + name: pnpm audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version-file: ${{ inputs.node-version-file }} + cache: pnpm + - run: pnpm install --frozen-lockfile + - name: pnpm audit + shell: bash + run: | + set -euo pipefail + pnpm audit --audit-level=moderate + typecheck: name: tsc runs-on: ubuntu-latest diff --git a/ORG_SETTINGS.md b/ORG_SETTINGS.md index 40823b6..a10dd37 100644 --- a/ORG_SETTINGS.md +++ b/ORG_SETTINGS.md @@ -95,6 +95,8 @@ At **Settings → Actions → General**: aquasecurity/trivy-action@*, sigstore/cosign-installer@*, opentofu/setup-opentofu@*, + hashicorp/setup-terraform@*, + terraform-linters/setup-tflint@*, actions/attest-build-provenance@* ``` @@ -366,8 +368,10 @@ specific repositories, branches, and environments. ### Cloudflare example ```yaml +# Resolve the SHA before use: +# gh api repos/cloudflare/cloudflare-action/git/refs/tags/ --jq '.object.sha' - name: Authenticate to Cloudflare via OIDC - uses: cloudflare/cloudflare-action@v1 # pin to SHA per NA-03 §7.1.1 + uses: cloudflare/cloudflare-action@<40-char-sha> # vX.Y.Z — per NA-03 §7.1.1 with: api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }} # narrow-scope token ```