Skip to content

ci: align terraform checkout SHA, add pnpm audit to TS CI, fix PR template and ORG_SETTINGS#33

Closed
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-k53ijz
Closed

ci: align terraform checkout SHA, add pnpm audit to TS CI, fix PR template and ORG_SETTINGS#33
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-k53ijz

Conversation

@bryanfawcett

Copy link
Copy Markdown
Contributor

Summary

Four issues found during a comprehensive org-wide review of nyuchi/.github against NA-03 v1.6 and current enterprise best practices. All fixes are targeted — no policy changes, no new abstractions.

  • PR template locked-count driftPULL_REQUEST_TEMPLATE.md still listed "7 Enterprise products" which NA-03 v1.6 (22 June 2026) explicitly removed from the locked count.
  • Terraform workflow SHA inconsistencyreusable-ci-terraform.yml used actions/checkout@de0fac2e (# v6) while every other workflow in the org uses 9c091bb2 (# v6). All four checkout steps aligned to the org-standard SHA.
  • Missing pnpm audit in standalone TypeScript CIreusable-ci-typescript.yml was missing the pnpm audit --audit-level=moderate supply-chain gate that reusable-ci-nextjs-monorepo.yml already ships. Repos using the standalone workflow would have no CVE gate on their lockfile.
  • ORG_SETTINGS.md actions allowlist gaps + floating-tag examplehashicorp/setup-terraform@* and terraform-linters/setup-tflint@* (both used by reusable-ci-terraform.yml) were absent from the documented allowlist. The Cloudflare OIDC example used a floating @v1 tag, violating NA-03 §7.1.1. Governance amendment issue opened first per AGENTS.md: Implements governance: amend [ORG_SETTINGS.md §Actions permissions] — add missing Terraform allowlist entries and fix floating-tag example #32.

Test plan

🤖 Generated with Claude Code


Generated by Claude Code

…plate and ORG_SETTINGS

Four issues found during org-wide review against NA-03 v1.6 and current
best practices:

1. reusable-ci-terraform.yml used actions/checkout SHA de0fac2e (# v6)
   while every other workflow uses 9c091bb2 (# v6). Aligns all four
   checkout steps to the org-standard SHA.

2. reusable-ci-typescript.yml was missing the pnpm audit job present in
   reusable-ci-nextjs-monorepo.yml. Adds the job (--audit-level=moderate)
   so standalone TypeScript repos get the same supply-chain gate as
   Turborepo monorepos.

3. PULL_REQUEST_TEMPLATE.md still listed "7 Enterprise products" in the
   locked counts. NA-03 v1.6 (22 June 2026) explicitly removed Enterprise
   products from the locked count list. Removes it from the template to
   prevent confusion.

4. ORG_SETTINGS.md §Actions permissions allowlist was missing
   hashicorp/setup-terraform@* and terraform-linters/setup-tflint@*,
   both used by reusable-ci-terraform.yml. The Cloudflare OIDC example
   also used a floating @v1 tag, violating NA-03 §7.1.1. Adds the missing
   entries and replaces the floating tag with a placeholder plus resolution
   instructions. Implements #32.

Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
@bryanfawcett

Copy link
Copy Markdown
Contributor Author

Closing as superseded — part of the same duplicate-PR pileup. The checkout SHA alignment is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also proposed a pnpm audit gate for reusable-ci-typescript.yml and a terraform allow-list note for ORG_SETTINGS.md — those are reasonable ideas but are stale against current main; worth resubmitting as a focused PR if still wanted.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant