chore: allow dryvist/* reusable workflows to ride @main org-wide#52
Merged
Conversation
There was a problem hiding this comment.
Code Review
This pull request establishes a consistent policy allowing first-party dryvist/* reusable workflows to ride the @main branch without being flagged or pinned. It updates SECURITY.md to document this posture, introduces a pre-staged codeql-config.yml to exclude the actions/unpinned-tag query, adds explanatory comments to osv-scanner.toml, and configures renovate-presets.json to prevent digest-pinning for dryvist/** actions. There are no review comments, and I have no feedback to provide.
a355bf0 to
d09a5f0
Compare
JacobPEvans-personal
added a commit
to dryvist/docs
that referenced
this pull request
Jun 29, 2026
Match dryvist/.github#52: CodeQL is managed via the org Security Configuration (public repos, free) — no committed codeql-config.yml. Same-org @main false positives are dismissed natively in the code scanning UI. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
dryvist/* reusable workflows are referenced at @main by every consumer per the self-reference convention (SECURITY.md). But Renovate's global `pinGitHubActionDigests: true` would rewrite `uses: dryvist/...@main` to a SHA and auto-merge it (own-org rule), silently breaking that convention across every repo. Configure the scanners so @main is allowed everywhere, using the most native option for each — no reinvented config files: - Renovate: add a packageRule with `pinDigests: false` for dryvist/** github-actions, overriding the global digest pinning. Untrusted/external actions are unaffected and keep SHA digests. - zizmor: already allows (`dryvist/*: ref-pin`) — no change. - CodeQL: code scanning is managed as IaC in dryvist/tofu-github (per-repo default setup, public repos only — free; private excluded), not in this repo. Same-org @main false positives (github/codeql#18316) are dismissed in the code scanning UI. - OSV-Scanner: does not flag ref pinning — documented in osv-scanner.toml. - SECURITY.md: document the full per-scanner posture. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
d09a5f0 to
91a0253
Compare
JacobPEvans-personal
added a commit
to dryvist/docs
that referenced
this pull request
Jun 29, 2026
…onfiguration Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default setup is managed per-repo as IaC in tofu-github (pending the provider resource), not via an org-level Security Configuration. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
JacobPEvans-personal
added a commit
to dryvist/docs
that referenced
this pull request
Jun 30, 2026
* docs(cicd): standardize self-references on @main + scanner posture - Dependency-versioning table: tighten the self-reference row to `@main` (drop "or a major version tag") and point to the new scanner posture. - New "Scanner posture for self-references" subsection: how each scanner is configured to allow `dryvist/*@main` — Renovate `pinDigests: false`, zizmor `dryvist/*: ref-pin`, a pre-staged CodeQL `actions/unpinned-tag` exclude, and OSV (N/A) — linking to dryvist/.github SECURITY.md. - ai-workflows Versioning section: state that consumers pin `@main` (never a SHA or version pin) and link to the scanner posture. Documents the org-wide overrides shipped in dryvist/.github#52. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): use native org code scanning, not a committed codeql config Match dryvist/.github#52: CodeQL is managed via the org Security Configuration (public repos, free) — no committed codeql-config.yml. Same-org @main false positives are dismissed natively in the code scanning UI. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): code scanning is IaC (tofu-github), not an org Security Configuration Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default setup is managed per-repo as IaC in tofu-github (pending the provider resource), not via an org-level Security Configuration. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB * docs(cicd): scope scanner posture to dryvist/* action sources Review feedback (gemini-code-assist on #89): the self-reference table listed both dryvist/* and JacobPEvans/*, but the Renovate/zizmor overrides are dryvist/*-only. Clarify that the scanner overrides target dryvist/* action sources; JacobPEvans/* follows the same @main convention (overrides not expanded — out of scope for this dryvist-focused change). Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Configure the org scanners so
dryvist/*reusable workflows referenced at@mainraise no alert — using the most native option for each, noreinvented config files.
Why
Renovate's global
pinGitHubActionDigests: truewould rewriteuses: dryvist/...@main→ a commit SHA and auto-merge it (the own-orgauto-merge rule), silently breaking the
@mainconvention across every consumerrepo. That is the one scanner that actively fights the policy.
Changes
renovate-presets.json): newpackageRulewithpinDigests: falsefordryvist/**+github-actions. This is the nativeway to control Renovate — there's no GitHub setting for "don't digest-pin our
own actions." Untrusted/external actions keep SHA digests.
dryvist/*: ref-pin— no change.dryvist/tofu-github(per-repodefault setup, public repos only — free; private excluded). Same-org
@mainfalse positives (github/codeql#18316)
are dismissed in the code scanning UI.
osv-scanner.toml): documented — OSV reports dependencyvulnerabilities, not ref-pinning, so
@mainis never flagged.Verification
jqconfirms valid JSON;markdownlint-cli2 SECURITY.md→ 0 errors.Companions: dryvist/docs#89 (convention + posture), dryvist/tofu-github#18
(code-scanning IaC adoption plan).
🤖 Generated with Claude Code