Skip to content

fix(governance): align docs and CI with NA-03 v1.6 and org-wide consistency#30

Closed
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-z1wtt8
Closed

fix(governance): align docs and CI with NA-03 v1.6 and org-wide consistency#30
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-z1wtt8

Conversation

@bryanfawcett

Copy link
Copy Markdown
Contributor

Summary

  • PR template: Remove stale "7 Enterprise products" from locked counts checklist — this was explicitly removed in NA-03 v1.6 (June 22, 2026) but the template was never updated.
  • CLAUDE.md locked counts: Was only listing 3 of the 6 locked counts (missing covenants, manifesto sections, sources of truth). Now complete per NA-03 §3.3.
  • CLAUDE.md stack commands: Added TypeScript (Biome) and TypeScript/Bun entries to match AGENTS.md; added pnpm audit --audit-level=moderate to the TypeScript/Next.js entry to match the reusable workflow.
  • Action SHA consistency: reusable-ci-typescript-lib.yml and reusable-ci-docker.yml were using different actions/checkout, pnpm/action-setup, and codeql-action/upload-sarif SHAs compared to every other workflow in the org. All aligned to the consensus SHAs.
  • Supply-chain audit parity: Added pnpm audit --audit-level=moderate jobs to reusable-ci-typescript.yml and reusable-ci-typescript-lib.yml, matching the security gate already present in reusable-ci-nextjs-monorepo.yml. TypeScript codebases were the only stacks without this gate.

Test plan

  • lint / actionlint passes (no new workflow syntax issues)
  • lint / yamllint passes
  • lint / prettier passes
  • lint / markdownlint passes
  • Confirm PR template locked counts match NA-03 §3.3 (6 counts, no Enterprise products)
  • Confirm CLAUDE.md locked counts match NA-03 §3.3 (6 counts listed)
  • Confirm all actions/checkout references in workflows now use 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0

NA-03 merge blockers

  • N/A for schema/API/crypto — documentation and CI workflow changes only
  • Secret hygiene — no secrets in diff
  • Locked counts respected — this PR corrects the locked counts display; no counts are changed
  • New GitHub Actions — no new actions added; only SHA alignment of existing ones

🤖 Generated with Claude Code


Generated by Claude Code

…stency

Remove stale "7 Enterprise products" locked count from PR template
(removed in NA-03 v1.6). Complete CLAUDE.md locked counts to list all
six (was missing covenants, manifesto sections, sources of truth).
Add TypeScript/Biome and TypeScript/Bun entries to CLAUDE.md stack
commands to match AGENTS.md; add pnpm audit to Next.js entry.

Align reusable-ci-typescript-lib and reusable-ci-docker to use the
same actions/checkout (9c091bb), pnpm/action-setup (0ebf47b), and
codeql-action/upload-sarif (8aad20d) SHAs as every other reusable
workflow in the org.

Add pnpm audit (--audit-level=moderate) to reusable-ci-typescript and
reusable-ci-typescript-lib, matching the security gate already present
in reusable-ci-nextjs-monorepo.

Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
@bryanfawcett

Copy link
Copy Markdown
Contributor Author

Closing as superseded. This PR was one of a run of duplicate daily "keep the repo up to date" PRs (#30#39) that piled up unmerged because the underlying automation never checked for existing open PRs or merged its own work. The one genuine bug it (and the others) were chasing — actions/checkout pinned to two different SHAs for the same v6 tag across workflows — has now been fixed correctly via Dependabot's #38 (merged in 1b669fb). No unique content in this PR is being carried forward.


Generated by Claude Code

bryanfawcett added a commit that referenced this pull request Jul 3, 2026
The scheduled "keep the repo up to date" routine was opening a new
draft PR every day (#30-#39) without checking for existing open ones
or merging its own work, and repeatedly hand-resolved actions/checkout
SHA drift in inconsistent directions instead of deferring to
Dependabot. Document the actual rules: dedupe against open PRs from
the same routine, leave third-party Action version pins to Dependabot,
run formatters before committing, and merge routine/mechanical fixes
once required checks are green instead of leaving them as drafts
forever.

Signed-off-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant