diff --git a/automation/cloud-pipelines/ai-workflows.mdx b/automation/cloud-pipelines/ai-workflows.mdx index 698248c..b4a977d 100644 --- a/automation/cloud-pipelines/ai-workflows.mdx +++ b/automation/cloud-pipelines/ai-workflows.mdx @@ -88,7 +88,7 @@ on: ## Versioning -Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), JacobPEvans self-references use `@main` or a major tag like `@v0` — never minor/patch pins. The full SemVer tags exist (`@v0.15.1`) and are tracked by Renovate, but consumers should ride a moving ref so upstream improvements land without a Renovate PR per repo. +Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), consumers pin `ai-workflows` — and every `dryvist/*` reusable workflow — at `@main`, never a SHA or version pin. The SemVer tags still exist (`@v0.15.1`) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main` so upstream fixes land immediately with no per-repo Renovate PR. Every org scanner is configured to allow `@main` — see [scanner posture](/infrastructure/cicd/policy#scanner-posture-for-self-references). ## Authentication diff --git a/infrastructure/cicd/policy.mdx b/infrastructure/cicd/policy.mdx index 35eecab..f22d95b 100644 --- a/infrastructure/cicd/policy.mdx +++ b/infrastructure/cicd/policy.mdx @@ -40,10 +40,21 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c | Action source | How to pin | | --- | --- | -| Self-references (`JacobPEvans/*`) | `@main` or a major version tag — never SHA or minor/patch pins | +| Self-references (`dryvist/*`, `JacobPEvans/*`) | `@main` — never a SHA or version tag. Scanner overrides currently target `dryvist/*` action sources (see [posture](#scanner-posture-for-self-references)); `JacobPEvans/*` follows the same convention. | | Trusted external actions | Version tags (major like `@v6` or full SemVer like `@v2.3.5`). Trusted orgs are listed in [`JacobPEvans/.github/renovate-presets.json`](https://github.com/JacobPEvans/.github/blob/main/renovate-presets.json) | | Untrusted external actions | SHA commit hashes only — for orgs not on the trusted list. SHA pinning is the exception, not the default | +### Scanner posture for self-references + +`@main` on a self-owned workflow is deliberate — consumers ride upstream fixes the moment they land, with no per-repo Renovate PR. SemVer tags still exist and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main`. Every org scanner is configured to allow it for `dryvist/*` action sources: + +- **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA. +- **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`. +- **CodeQL** — code scanning default setup on public repos only (free; private repos excluded to avoid the paid Code Security charge), managed as IaC in [`dryvist/tofu-github`](https://github.com/dryvist/tofu-github) (per-repo, pending the provider resource). No committed query-filter config; same-org `@main` false positives ([github/codeql#18316](https://github.com/github/codeql/issues/18316)) are dismissed in the code scanning UI. +- **OSV-Scanner** — reports dependency vulnerabilities, not ref pinning, so `@main` is never flagged. + +Untrusted/external actions are unaffected and keep their SHA digests. The full per-scanner posture lives in [`dryvist/.github` → SECURITY.md](https://github.com/dryvist/.github/blob/main/SECURITY.md). + ## Reusable workflow ownership Reusable GitHub Actions workflows are referenced by a literal `owner/repo` in `uses:` — GitHub allows no variables there and does not follow repository move or rename redirects for those references. So when a shared-CI repository changes ownership, every consumer's `uses:` must be updated at the same time.