From 421cdc778c0dd3c314c1b5f9e7a63466ab1384e1 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com> Date: Sun, 28 Jun 2026 17:07:45 -0400 Subject: [PATCH 1/4] docs(cicd): standardize self-references on @main + scanner posture MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Dependency-versioning table: tighten the self-reference row to `@main` (drop "or a major version tag") and point to the new scanner posture. - New "Scanner posture for self-references" subsection: how each scanner is configured to allow `dryvist/*@main` — Renovate `pinDigests: false`, zizmor `dryvist/*: ref-pin`, a pre-staged CodeQL `actions/unpinned-tag` exclude, and OSV (N/A) — linking to dryvist/.github SECURITY.md. - ai-workflows Versioning section: state that consumers pin `@main` (never a SHA or version pin) and link to the scanner posture. Documents the org-wide overrides shipped in dryvist/.github#52. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB --- automation/cloud-pipelines/ai-workflows.mdx | 2 +- infrastructure/cicd/policy.mdx | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/automation/cloud-pipelines/ai-workflows.mdx b/automation/cloud-pipelines/ai-workflows.mdx index 698248c..b4a977d 100644 --- a/automation/cloud-pipelines/ai-workflows.mdx +++ b/automation/cloud-pipelines/ai-workflows.mdx @@ -88,7 +88,7 @@ on: ## Versioning -Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), JacobPEvans self-references use `@main` or a major tag like `@v0` — never minor/patch pins. The full SemVer tags exist (`@v0.15.1`) and are tracked by Renovate, but consumers should ride a moving ref so upstream improvements land without a Renovate PR per repo. +Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), consumers pin `ai-workflows` — and every `dryvist/*` reusable workflow — at `@main`, never a SHA or version pin. The SemVer tags still exist (`@v0.15.1`) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main` so upstream fixes land immediately with no per-repo Renovate PR. Every org scanner is configured to allow `@main` — see [scanner posture](/infrastructure/cicd/policy#scanner-posture-for-self-references). ## Authentication diff --git a/infrastructure/cicd/policy.mdx b/infrastructure/cicd/policy.mdx index 35eecab..4430cf8 100644 --- a/infrastructure/cicd/policy.mdx +++ b/infrastructure/cicd/policy.mdx @@ -40,10 +40,21 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c | Action source | How to pin | | --- | --- | -| Self-references (`JacobPEvans/*`) | `@main` or a major version tag — never SHA or minor/patch pins | +| Self-references (`dryvist/*`, `JacobPEvans/*`) | `@main` — never a SHA or version tag. The scanners allow this; see [scanner posture](#scanner-posture-for-self-references) below | | Trusted external actions | Version tags (major like `@v6` or full SemVer like `@v2.3.5`). Trusted orgs are listed in [`JacobPEvans/.github/renovate-presets.json`](https://github.com/JacobPEvans/.github/blob/main/renovate-presets.json) | | Untrusted external actions | SHA commit hashes only — for orgs not on the trusted list. SHA pinning is the exception, not the default | +### Scanner posture for self-references + +`@main` on a self-owned workflow is deliberate — consumers ride upstream fixes the moment they land, with no per-repo Renovate PR. SemVer tags still exist and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main`. Every org scanner is configured to allow it: + +- **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA. +- **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`. +- **CodeQL** — a pre-staged `codeql-config.yml` excludes the `actions/unpinned-tag` query; it applies the moment CodeQL is enabled org-wide. +- **OSV-Scanner** — reports dependency vulnerabilities, not ref pinning, so `@main` is never flagged. + +Untrusted/external actions are unaffected and keep their SHA digests. The full per-scanner posture lives in [`dryvist/.github` → SECURITY.md](https://github.com/dryvist/.github/blob/main/SECURITY.md). + ## Reusable workflow ownership Reusable GitHub Actions workflows are referenced by a literal `owner/repo` in `uses:` — GitHub allows no variables there and does not follow repository move or rename redirects for those references. So when a shared-CI repository changes ownership, every consumer's `uses:` must be updated at the same time. From d64099d55497e6121b10b939c6f1a25241542289 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com> Date: Sun, 28 Jun 2026 20:42:03 -0400 Subject: [PATCH 2/4] docs(cicd): use native org code scanning, not a committed codeql config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Match dryvist/.github#52: CodeQL is managed via the org Security Configuration (public repos, free) — no committed codeql-config.yml. Same-org @main false positives are dismissed natively in the code scanning UI. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB --- infrastructure/cicd/policy.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/cicd/policy.mdx b/infrastructure/cicd/policy.mdx index 4430cf8..5a827e3 100644 --- a/infrastructure/cicd/policy.mdx +++ b/infrastructure/cicd/policy.mdx @@ -50,7 +50,7 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c - **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA. - **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`. -- **CodeQL** — a pre-staged `codeql-config.yml` excludes the `actions/unpinned-tag` query; it applies the moment CodeQL is enabled org-wide. +- **CodeQL** — native code scanning via the org Security Configuration (public repos only — free; private repos excluded to avoid the paid Code Security charge). No committed config: default setup ignores query-filters, and same-org `@main` false positives ([github/codeql#18316](https://github.com/github/codeql/issues/18316)) are dismissed in the code scanning UI. - **OSV-Scanner** — reports dependency vulnerabilities, not ref pinning, so `@main` is never flagged. Untrusted/external actions are unaffected and keep their SHA digests. The full per-scanner posture lives in [`dryvist/.github` → SECURITY.md](https://github.com/dryvist/.github/blob/main/SECURITY.md). From 2a74a3496b7cd3628c8ace41f169af9f780ceb98 Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com> Date: Sun, 28 Jun 2026 21:18:57 -0400 Subject: [PATCH 3/4] docs(cicd): code scanning is IaC (tofu-github), not an org Security Configuration Align with dryvist/.github#52 / dryvist/tofu-github#18: code scanning default setup is managed per-repo as IaC in tofu-github (pending the provider resource), not via an org-level Security Configuration. Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB --- infrastructure/cicd/policy.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/cicd/policy.mdx b/infrastructure/cicd/policy.mdx index 5a827e3..5971d83 100644 --- a/infrastructure/cicd/policy.mdx +++ b/infrastructure/cicd/policy.mdx @@ -50,7 +50,7 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c - **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA. - **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`. -- **CodeQL** — native code scanning via the org Security Configuration (public repos only — free; private repos excluded to avoid the paid Code Security charge). No committed config: default setup ignores query-filters, and same-org `@main` false positives ([github/codeql#18316](https://github.com/github/codeql/issues/18316)) are dismissed in the code scanning UI. +- **CodeQL** — code scanning default setup on public repos only (free; private repos excluded to avoid the paid Code Security charge), managed as IaC in [`dryvist/tofu-github`](https://github.com/dryvist/tofu-github) (per-repo, pending the provider resource). No committed query-filter config; same-org `@main` false positives ([github/codeql#18316](https://github.com/github/codeql/issues/18316)) are dismissed in the code scanning UI. - **OSV-Scanner** — reports dependency vulnerabilities, not ref pinning, so `@main` is never flagged. Untrusted/external actions are unaffected and keep their SHA digests. The full per-scanner posture lives in [`dryvist/.github` → SECURITY.md](https://github.com/dryvist/.github/blob/main/SECURITY.md). From 1f984739d12461e85696258010d46c9f0f01629e Mon Sep 17 00:00:00 2001 From: JacobPEvans <20714140+JacobPEvans-personal@users.noreply.github.com> Date: Sun, 28 Jun 2026 21:30:22 -0400 Subject: [PATCH 4/4] docs(cicd): scope scanner posture to dryvist/* action sources MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Review feedback (gemini-code-assist on #89): the self-reference table listed both dryvist/* and JacobPEvans/*, but the Renovate/zizmor overrides are dryvist/*-only. Clarify that the scanner overrides target dryvist/* action sources; JacobPEvans/* follows the same @main convention (overrides not expanded — out of scope for this dryvist-focused change). Assisted-by: Claude:claude-opus-4-8 Claude-Session: https://claude.ai/code/session_019mTayMHweSbSdF4ug83FhB --- infrastructure/cicd/policy.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/cicd/policy.mdx b/infrastructure/cicd/policy.mdx index 5971d83..f22d95b 100644 --- a/infrastructure/cicd/policy.mdx +++ b/infrastructure/cicd/policy.mdx @@ -40,13 +40,13 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c | Action source | How to pin | | --- | --- | -| Self-references (`dryvist/*`, `JacobPEvans/*`) | `@main` — never a SHA or version tag. The scanners allow this; see [scanner posture](#scanner-posture-for-self-references) below | +| Self-references (`dryvist/*`, `JacobPEvans/*`) | `@main` — never a SHA or version tag. Scanner overrides currently target `dryvist/*` action sources (see [posture](#scanner-posture-for-self-references)); `JacobPEvans/*` follows the same convention. | | Trusted external actions | Version tags (major like `@v6` or full SemVer like `@v2.3.5`). Trusted orgs are listed in [`JacobPEvans/.github/renovate-presets.json`](https://github.com/JacobPEvans/.github/blob/main/renovate-presets.json) | | Untrusted external actions | SHA commit hashes only — for orgs not on the trusted list. SHA pinning is the exception, not the default | ### Scanner posture for self-references -`@main` on a self-owned workflow is deliberate — consumers ride upstream fixes the moment they land, with no per-repo Renovate PR. SemVer tags still exist and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main`. Every org scanner is configured to allow it: +`@main` on a self-owned workflow is deliberate — consumers ride upstream fixes the moment they land, with no per-repo Renovate PR. SemVer tags still exist and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main`. Every org scanner is configured to allow it for `dryvist/*` action sources: - **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA. - **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`.