Skip to content

chore: allow dryvist/* reusable workflows to ride @main org-wide#52

Merged
JacobPEvans-personal merged 1 commit into
mainfrom
chore/allow-dryvist-main-pin
Jun 29, 2026
Merged

chore: allow dryvist/* reusable workflows to ride @main org-wide#52
JacobPEvans-personal merged 1 commit into
mainfrom
chore/allow-dryvist-main-pin

Conversation

@JacobPEvans-personal

@JacobPEvans-personal JacobPEvans-personal commented Jun 28, 2026

Copy link
Copy Markdown
Member

What

Configure the org scanners so dryvist/* reusable workflows referenced at
@main raise no alert — using the most native option for each, no
reinvented config files.

Why

Renovate's global pinGitHubActionDigests: true would rewrite
uses: dryvist/...@main → a commit SHA and auto-merge it (the own-org
auto-merge rule), silently breaking the @main convention across every consumer
repo. That is the one scanner that actively fights the policy.

Changes

  • Renovate (renovate-presets.json): new packageRule with
    pinDigests: false for dryvist/** + github-actions. This is the native
    way to control Renovate — there's no GitHub setting for "don't digest-pin our
    own actions." Untrusted/external actions keep SHA digests.
  • zizmor: already allows dryvist/*: ref-pinno change.
  • CodeQL: not configured in this repo. Code scanning is managed as IaC in
    dryvist/tofu-github (per-repo
    default setup, public repos only — free; private excluded). Same-org @main
    false positives (github/codeql#18316)
    are dismissed in the code scanning UI.
  • OSV-Scanner (osv-scanner.toml): documented — OSV reports dependency
    vulnerabilities, not ref-pinning, so @main is never flagged.
  • SECURITY.md: documents the full per-scanner posture.

An earlier draft committed a codeql-config.yml query-filter — reverted. That
reinvented org settings and wouldn't apply under default setup. Code-scanning
enablement is IaC (tofu-github), not committed here.

Verification

  • jq confirms valid JSON; markdownlint-cli2 SECURITY.md → 0 errors.

Companions: dryvist/docs#89 (convention + posture), dryvist/tofu-github#18
(code-scanning IaC adoption plan).

🤖 Generated with Claude Code

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request establishes a consistent policy allowing first-party dryvist/* reusable workflows to ride the @main branch without being flagged or pinned. It updates SECURITY.md to document this posture, introduces a pre-staged codeql-config.yml to exclude the actions/unpinned-tag query, adds explanatory comments to osv-scanner.toml, and configures renovate-presets.json to prevent digest-pinning for dryvist/** actions. There are no review comments, and I have no feedback to provide.

@JacobPEvans-personal JacobPEvans-personal force-pushed the chore/allow-dryvist-main-pin branch from a355bf0 to d09a5f0 Compare June 29, 2026 00:41
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request Jun 29, 2026
Match dryvist/.github#52: CodeQL is managed via the org Security
Configuration (public repos, free) — no committed codeql-config.yml. Same-org
@main false positives are dismissed natively in the code scanning UI.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
dryvist/* reusable workflows are referenced at @main by every consumer per
the self-reference convention (SECURITY.md). But Renovate's global
`pinGitHubActionDigests: true` would rewrite `uses: dryvist/...@main` to a
SHA and auto-merge it (own-org rule), silently breaking that convention
across every repo. Configure the scanners so @main is allowed everywhere,
using the most native option for each — no reinvented config files:

- Renovate: add a packageRule with `pinDigests: false` for dryvist/**
  github-actions, overriding the global digest pinning. Untrusted/external
  actions are unaffected and keep SHA digests.
- zizmor: already allows (`dryvist/*: ref-pin`) — no change.
- CodeQL: code scanning is managed as IaC in dryvist/tofu-github (per-repo
  default setup, public repos only — free; private excluded), not in this
  repo. Same-org @main false positives (github/codeql#18316) are dismissed
  in the code scanning UI.
- OSV-Scanner: does not flag ref pinning — documented in osv-scanner.toml.
- SECURITY.md: document the full per-scanner posture.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
@JacobPEvans-personal JacobPEvans-personal force-pushed the chore/allow-dryvist-main-pin branch from d09a5f0 to 91a0253 Compare June 29, 2026 01:18
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request Jun 29, 2026
…onfiguration

Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default
setup is managed per-repo as IaC in tofu-github (pending the provider resource),
not via an org-level Security Configuration.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
@JacobPEvans-personal JacobPEvans-personal merged commit 29e6615 into main Jun 29, 2026
4 checks passed
JacobPEvans-personal added a commit to dryvist/docs that referenced this pull request Jun 30, 2026
* docs(cicd): standardize self-references on @main + scanner posture

- Dependency-versioning table: tighten the self-reference row to `@main`
  (drop "or a major version tag") and point to the new scanner posture.
- New "Scanner posture for self-references" subsection: how each scanner is
  configured to allow `dryvist/*@main` — Renovate `pinDigests: false`,
  zizmor `dryvist/*: ref-pin`, a pre-staged CodeQL `actions/unpinned-tag`
  exclude, and OSV (N/A) — linking to dryvist/.github SECURITY.md.
- ai-workflows Versioning section: state that consumers pin `@main` (never a
  SHA or version pin) and link to the scanner posture.

Documents the org-wide overrides shipped in dryvist/.github#52.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): use native org code scanning, not a committed codeql config

Match dryvist/.github#52: CodeQL is managed via the org Security
Configuration (public repos, free) — no committed codeql-config.yml. Same-org
@main false positives are dismissed natively in the code scanning UI.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): code scanning is IaC (tofu-github), not an org Security Configuration

Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default
setup is managed per-repo as IaC in tofu-github (pending the provider resource),
not via an org-level Security Configuration.

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB

* docs(cicd): scope scanner posture to dryvist/* action sources

Review feedback (gemini-code-assist on #89): the self-reference table listed
both dryvist/* and JacobPEvans/*, but the Renovate/zizmor overrides are
dryvist/*-only. Clarify that the scanner overrides target dryvist/* action
sources; JacobPEvans/* follows the same @main convention (overrides not
expanded — out of scope for this dryvist-focused change).

Assisted-by: Claude:claude-opus-4-8
Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant