docs(ci): document missing workflows, fix SHA drift and allow-list gaps#34
Closed
bryanfawcett wants to merge 1 commit into
Closed
docs(ci): document missing workflows, fix SHA drift and allow-list gaps#34bryanfawcett wants to merge 1 commit into
bryanfawcett wants to merge 1 commit into
Conversation
Four issues found during governance-repo audit:
1. README was missing three shipped reusable workflows
(reusable-ci-typescript-lib.yml, reusable-ci-docker.yml,
reusable-ci-terraform.yml) and the GOVERNANCE.md index file.
2. ORG_SETTINGS.md Actions allow-list was missing
hashicorp/setup-terraform and terraform-linters/setup-tflint,
both used by reusable-ci-terraform.yml. Any repo enabling
"Allow select actions" would have silently failed.
3. Three newer workflow files used different SHA pins for
actions/checkout # v6 and pnpm/action-setup # v6 than the
rest of the org. Also github/codeql-action/upload-sarif in
reusable-ci-docker.yml had a unique SHA. Standardised all to
the SHA used across the majority of org workflows.
4. reusable-ci-docs-mdx.yml passed inputs.build-command through
bash -c with no validation. Added allowlist guard blocking
shell metacharacters (; & | > < backtick dollar () {} backslash)
before the exec.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
Contributor
Author
|
Closing as superseded — part of the same duplicate-PR pileup. The checkout SHA alignment is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also added "deprecated, use X instead" banners to Generated by Claude Code |
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Governance-repo audit found four issues — all fixed in a single commit.
1. README missing three workflow entries + GOVERNANCE.md
reusable-ci-typescript-lib.yml,reusable-ci-docker.yml,reusable-ci-terraform.yml, andGOVERNANCE.mdall exist in the repo but were absent from the README inventory table. Any new engineer (or agent) reading the README would not know these workflows are available to call.2. ORG_SETTINGS.md Actions allow-list incomplete
hashicorp/setup-terraformandterraform-linters/setup-tflintare used byreusable-ci-terraform.ymlbut were not in the org-level Actions allow-list. Repos that enforce "Allow select actions" (asORG_SETTINGS.mdprescribes) would seereusable-ci-terraform.ymlfail silently at the action-resolution stage.3. SHA pin drift across three newer workflow files
reusable-ci-docker.yml,reusable-ci-terraform.yml, andreusable-ci-typescript-lib.ymlwere pinned to different commit SHAs foractions/checkout # v6,pnpm/action-setup # v6, andgithub/codeql-action/upload-sarif # v4than the rest of the org's workflows. All three files standardised to the SHA used by the majority (which matches what Dependabot last bumped org-wide).4.
build-commandinjection guard inreusable-ci-docs-mdx.ymlThe
buildstep passedinputs.build-commanddirectly tobash -c "$BUILD_COMMAND"with no validation. An attacker who could influence the calling workflow'swith.build-commandvalue could inject arbitrary shell commands. Added a two-layer guard:; & | > < \$ () {} `)[space _ . : / -]charactersThis covers all normal callers (
pnpm build,pnpm run build:docs,npm run build, etc.) while blocking injection.Test plan
actionlint,prettier,markdownlint,yamllint) passes on this PRhashicorp/setup-terraformandterraform-linters/setup-tflintare added to the org Actions allow-list in GitHub UI (Settings → Actions → General)gh api repos/actions/checkout/git/refs/tags/v6 --jq '.object.sha'manually to confirm)🤖 Generated with Claude Code
https://claude.ai/code/session_01XomjZ3jakszS32AFtH2wXg
Generated by Claude Code