Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion automation/cloud-pipelines/ai-workflows.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ on:

## Versioning

Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), JacobPEvans self-references use `@main` or a major tag like `@v0` — never minor/patch pins. The full SemVer tags exist (`@v0.15.1`) and are tracked by Renovate, but consumers should ride a moving ref so upstream improvements land without a Renovate PR per repo.
Per the [CI/CD policy](/infrastructure/cicd/policy#dependency-versioning), consumers pin `ai-workflows` — and every `dryvist/*` reusable workflow — at `@main`, never a SHA or version pin. The SemVer tags still exist (`@v0.15.1`) and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main` so upstream fixes land immediately with no per-repo Renovate PR. Every org scanner is configured to allow `@main` — see [scanner posture](/infrastructure/cicd/policy#scanner-posture-for-self-references).

## Authentication

Expand Down
13 changes: 12 additions & 1 deletion infrastructure/cicd/policy.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,21 @@ Conventional Commits and the no-emoji rule for commit subjects live in [Commit c

| Action source | How to pin |
| --- | --- |
| Self-references (`JacobPEvans/*`) | `@main` or a major version tag — never SHA or minor/patch pins |
| Self-references (`dryvist/*`, `JacobPEvans/*`) | `@main` — never a SHA or version tag. Scanner overrides currently target `dryvist/*` action sources (see [posture](#scanner-posture-for-self-references)); `JacobPEvans/*` follows the same convention. |
| Trusted external actions | Version tags (major like `@v6` or full SemVer like `@v2.3.5`). Trusted orgs are listed in [`JacobPEvans/.github/renovate-presets.json`](https://github.com/JacobPEvans/.github/blob/main/renovate-presets.json) |
| Untrusted external actions | SHA commit hashes only — for orgs not on the trusted list. SHA pinning is the exception, not the default |

### Scanner posture for self-references

`@main` on a self-owned workflow is deliberate — consumers ride upstream fixes the moment they land, with no per-repo Renovate PR. SemVer tags still exist and release-please keeps bumping them for the changelog and the per-run resolved-SHA audit trail, but callers ride `@main`. Every org scanner is configured to allow it for `dryvist/*` action sources:

- **Renovate** — `pinDigests: false` for `dryvist/**` overrides the global digest-pinning, so `@main` is never rewritten to a SHA.
- **zizmor** — `unpinned-uses` policy `dryvist/*: ref-pin`.
Comment thread
JacobPEvans-personal marked this conversation as resolved.
- **CodeQL** — code scanning default setup on public repos only (free; private repos excluded to avoid the paid Code Security charge), managed as IaC in [`dryvist/tofu-github`](https://github.com/dryvist/tofu-github) (per-repo, pending the provider resource). No committed query-filter config; same-org `@main` false positives ([github/codeql#18316](https://github.com/github/codeql/issues/18316)) are dismissed in the code scanning UI.
- **OSV-Scanner** — reports dependency vulnerabilities, not ref pinning, so `@main` is never flagged.

Untrusted/external actions are unaffected and keep their SHA digests. The full per-scanner posture lives in [`dryvist/.github` → SECURITY.md](https://github.com/dryvist/.github/blob/main/SECURITY.md).

## Reusable workflow ownership

Reusable GitHub Actions workflows are referenced by a literal `owner/repo` in `uses:` — GitHub allows no variables there and does not follow repository move or rename redirects for those references. So when a shared-CI repository changes ownership, every consumer's `uses:` must be updated at the same time.
Expand Down
Loading