docs(ci): update governance docs and deprecate legacy workflows#37
Closed
bryanfawcett wants to merge 1 commit into
Closed
docs(ci): update governance docs and deprecate legacy workflows#37bryanfawcett wants to merge 1 commit into
bryanfawcett wants to merge 1 commit into
Conversation
- fix(pr-template): remove "7 Enterprise products" from locked count checklist — this was removed from NA-03 in v1.6; Enterprise products are explicitly not a locked count - docs(readme): add reusable-ci-typescript-lib.yml to the workflows table (it was shipped but undocumented) - ci(docker): deprecate reusable-ci-docker.yml in favour of reusable-ci-container.yml which adds multi-platform builds, registry push, cosign signing, and SBOM provenance (NA-03 §7.2-7.3) - ci(terraform): deprecate reusable-ci-terraform.yml in favour of reusable-ci-opentofu.yml which adds Trivy IaC scan and plan PR comments; note allow-list gap for consuming repos not yet migrated - ci(typescript-lib): normalise SHA pins to match org-wide set — actions/checkout and pnpm/action-setup were pinned to older SHAs than the rest of the reusable workflows (Dependabot drift) - docs(claude): complete the locked count list (was 3 of 6 entries; now lists all six: mini-apps, data layers, covenants, interest categories, manifesto sections, sources of truth) - docs(org-settings): add hashicorp/setup-terraform and terraform-linters/setup-tflint to the Actions allow-list with a note that they are legacy-only and will be removed with the terraform reusable Signed-off-by: bryan@nyuchi.com Signed-off-by: Claude <noreply@anthropic.com>
Contributor
Author
|
Closing as superseded — part of the same duplicate-PR pileup, and it also flipped the checkout SHA in the wrong direction (see #38, merged in 1b669fb, for the correct resolution). One thing in this PR is worth flagging rather than silently dropping: it added an input-sanitization guard against shell-metacharacter injection via Generated by Claude Code |
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
reusable-ci-typescript-lib.ymlto the README workflows table (it was shipped but never documented)reusable-ci-docker.ymlandreusable-ci-terraform.ymlas deprecated with migration paths to their feature-complete successors (reusable-ci-container.ymlandreusable-ci-opentofu.yml)reusable-ci-typescript-lib.yml,reusable-ci-docker.yml, andreusable-ci-terraform.ymlto match the org-wide set (Dependabot had drifted these three files out of sync)CLAUDE.md(was 3 of 6 counts; now lists all six)hashicorp/setup-terraformandterraform-linters/setup-tflintto theORG_SETTINGS.mdActions allow-list with a note that they are legacy-only pending deletion of the deprecated workflowLinked issue(s)
N/A — housekeeping pass on the governing repo.
Type of change
docs— documentation onlyci— CI configurationBreaking change?
No behaviour changes. The deprecated workflow files remain callable; only their comment headers are updated. SHA normalisation uses the same tagged version as before (the org-wide pin), just aligned to the SHA that Dependabot last pushed to the main set of reusables.
How has this been tested?
actionlint(no structural changes to job logic)Checklist
Process
Signed-off-by:trailer)claude/<short-kebab-description>NA-03 merge blockers
Generated by Claude Code