Skip to content

docs(ci): document missing workflows, fix SHA drift and allow-list gaps#34

Closed
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-01ez3i
Closed

docs(ci): document missing workflows, fix SHA drift and allow-list gaps#34
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-01ez3i

Conversation

@bryanfawcett

Copy link
Copy Markdown
Contributor

Summary

Governance-repo audit found four issues — all fixed in a single commit.

1. README missing three workflow entries + GOVERNANCE.md

reusable-ci-typescript-lib.yml, reusable-ci-docker.yml, reusable-ci-terraform.yml, and GOVERNANCE.md all exist in the repo but were absent from the README inventory table. Any new engineer (or agent) reading the README would not know these workflows are available to call.

2. ORG_SETTINGS.md Actions allow-list incomplete

hashicorp/setup-terraform and terraform-linters/setup-tflint are used by reusable-ci-terraform.yml but were not in the org-level Actions allow-list. Repos that enforce "Allow select actions" (as ORG_SETTINGS.md prescribes) would see reusable-ci-terraform.yml fail silently at the action-resolution stage.

3. SHA pin drift across three newer workflow files

reusable-ci-docker.yml, reusable-ci-terraform.yml, and reusable-ci-typescript-lib.yml were pinned to different commit SHAs for actions/checkout # v6, pnpm/action-setup # v6, and github/codeql-action/upload-sarif # v4 than the rest of the org's workflows. All three files standardised to the SHA used by the majority (which matches what Dependabot last bumped org-wide).

Note for reviewers: the standardised SHA (9c091bb2… for checkout, 0ebf4713… for pnpm/action-setup, 8aad20d1… for codeql-action) is the one pinned across 10+ other reusable workflows. If a subsequent Dependabot run has bumped the majority to a newer SHA, the three files here will be brought along by that same PR. The inconsistency is now gone either way.

4. build-command injection guard in reusable-ci-docs-mdx.yml

The build step passed inputs.build-command directly to bash -c "$BUILD_COMMAND" with no validation. An attacker who could influence the calling workflow's with.build-command value could inject arbitrary shell commands. Added a two-layer guard:

  • First rejects strings containing shell metacharacters (; & | > < \ $ () {} `)
  • Then enforces an allowlist of alphanumeric + [space _ . : / -] characters

This covers all normal callers (pnpm build, pnpm run build:docs, npm run build, etc.) while blocking injection.

Test plan

  • Lint CI (actionlint, prettier, markdownlint, yamllint) passes on this PR
  • README renders correctly — workflow table has no broken columns
  • ORG_SETTINGS.md renders correctly — allow-list is still valid syntax
  • Confirm hashicorp/setup-terraform and terraform-linters/setup-tflint are added to the org Actions allow-list in GitHub UI (Settings → Actions → General)
  • Verify the standardised SHAs against the live tag refs once Dependabot's next Actions-SHA bump PR lands (or run gh api repos/actions/checkout/git/refs/tags/v6 --jq '.object.sha' manually to confirm)

🤖 Generated with Claude Code

https://claude.ai/code/session_01XomjZ3jakszS32AFtH2wXg


Generated by Claude Code

Four issues found during governance-repo audit:

1. README was missing three shipped reusable workflows
   (reusable-ci-typescript-lib.yml, reusable-ci-docker.yml,
   reusable-ci-terraform.yml) and the GOVERNANCE.md index file.

2. ORG_SETTINGS.md Actions allow-list was missing
   hashicorp/setup-terraform and terraform-linters/setup-tflint,
   both used by reusable-ci-terraform.yml. Any repo enabling
   "Allow select actions" would have silently failed.

3. Three newer workflow files used different SHA pins for
   actions/checkout # v6 and pnpm/action-setup # v6 than the
   rest of the org. Also github/codeql-action/upload-sarif in
   reusable-ci-docker.yml had a unique SHA. Standardised all to
   the SHA used across the majority of org workflows.

4. reusable-ci-docs-mdx.yml passed inputs.build-command through
   bash -c with no validation. Added allowlist guard blocking
   shell metacharacters (; & | > < backtick dollar () {} backslash)
   before the exec.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
@bryanfawcett

Copy link
Copy Markdown
Contributor Author

Closing as superseded — part of the same duplicate-PR pileup. The checkout SHA alignment is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also added "deprecated, use X instead" banners to reusable-ci-docker.yml and reusable-ci-terraform.yml, plus matching README/ORG_SETTINGS updates — that's a legitimate documentation improvement worth resubmitting cleanly if the deprecation is still intended.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant