ci: align terraform checkout SHA, add pnpm audit to TS CI, fix PR template and ORG_SETTINGS#33
Closed
bryanfawcett wants to merge 1 commit into
Closed
ci: align terraform checkout SHA, add pnpm audit to TS CI, fix PR template and ORG_SETTINGS#33bryanfawcett wants to merge 1 commit into
bryanfawcett wants to merge 1 commit into
Conversation
…plate and ORG_SETTINGS Four issues found during org-wide review against NA-03 v1.6 and current best practices: 1. reusable-ci-terraform.yml used actions/checkout SHA de0fac2e (# v6) while every other workflow uses 9c091bb2 (# v6). Aligns all four checkout steps to the org-standard SHA. 2. reusable-ci-typescript.yml was missing the pnpm audit job present in reusable-ci-nextjs-monorepo.yml. Adds the job (--audit-level=moderate) so standalone TypeScript repos get the same supply-chain gate as Turborepo monorepos. 3. PULL_REQUEST_TEMPLATE.md still listed "7 Enterprise products" in the locked counts. NA-03 v1.6 (22 June 2026) explicitly removed Enterprise products from the locked count list. Removes it from the template to prevent confusion. 4. ORG_SETTINGS.md §Actions permissions allowlist was missing hashicorp/setup-terraform@* and terraform-linters/setup-tflint@*, both used by reusable-ci-terraform.yml. The Cloudflare OIDC example also used a floating @v1 tag, violating NA-03 §7.1.1. Adds the missing entries and replaces the floating tag with a placeholder plus resolution instructions. Implements #32. Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
Contributor
Author
|
Closing as superseded — part of the same duplicate-PR pileup. The checkout SHA alignment is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also proposed a Generated by Claude Code |
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Four issues found during a comprehensive org-wide review of
nyuchi/.githubagainst NA-03 v1.6 and current enterprise best practices. All fixes are targeted — no policy changes, no new abstractions.PULL_REQUEST_TEMPLATE.mdstill listed "7 Enterprise products" which NA-03 v1.6 (22 June 2026) explicitly removed from the locked count.reusable-ci-terraform.ymlusedactions/checkout@de0fac2e(# v6) while every other workflow in the org uses9c091bb2(# v6). All four checkout steps aligned to the org-standard SHA.pnpm auditin standalone TypeScript CI —reusable-ci-typescript.ymlwas missing thepnpm audit --audit-level=moderatesupply-chain gate thatreusable-ci-nextjs-monorepo.ymlalready ships. Repos using the standalone workflow would have no CVE gate on their lockfile.hashicorp/setup-terraform@*andterraform-linters/setup-tflint@*(both used byreusable-ci-terraform.yml) were absent from the documented allowlist. The Cloudflare OIDC example used a floating@v1tag, violating NA-03 §7.1.1. Governance amendment issue opened first per AGENTS.md: Implements governance: amend [ORG_SETTINGS.md §Actions permissions] — add missing Terraform allowlist entries and fix floating-tag example #32.Test plan
reusable-ci-typescript.ymlauditjob name matches the expected status checkci / pnpm auditin consuming reposreusable-ci-terraform.ymldiff shows only SHA changes, no logic changes🤖 Generated with Claude Code
Generated by Claude Code