
[codex] Hard-fail platform security reusables#12

Merged
NWarila merged 1 commit into main from codex/platform-reusable-hardfail on Jun 1, 2026
Conversation

@NWarila

@NWarila NWarila commented Jun 1, 2026

Contributor

Summary

  • removes caller-controlled advisory modes from reusable IaC security
  • makes Trivy, Gitleaks, and zizmor findings blocking by default
  • removes dependabot[bot] from reusable auto-merge trusted authors

Validation

  • workflow YAML parse via PyYAML
  • rg found no remaining advisory/dependabot trust patterns in the hardened reusable workflows
  • git diff --check

Resolution note

The pasted backlog suggested bumping Vault from 7093eaa to platform main, but current platform main still contained the advisory inputs and dependabot trust. This PR creates the hardened platform source SHA first; Vault can then pin to this commit after merge.
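The PR's validation step greps the hardened reusables for leftover advisory inputs and dependabot trust. The following is an added example, not code from this PR or the platform repository, that does the same check structurally: it parses a reusable workflow with PyYAML and flags (a) `workflow_call` inputs whose names advertise an advisory mode, (b) scanner steps whose `continue-on-error` is hard-coded or bound to a caller input, and (c) any `dependabot[bot]` literal that would still make it a trusted auto-merge author. Both workflow texts are constructed for the example; the action references, versions, `pipx run zizmor` invocation and the `platform-release-bot` author are illustrative assumptions, not the platform's real configuration.

```python
"""Lint a reusable GitHub Actions workflow for caller-controlled advisory modes
and dependabot[bot] auto-merge trust. Added example; inputs below are constructed."""
import re
import yaml  # PyYAML, the same parser the PR's validation step used

# Constructed "before" state: the caller can demote every scanner to advisory,
# and dependabot[bot] is the default trusted auto-merge author.
WEAK_WORKFLOW = """\
name: platform-security
on:
  workflow_call:
    inputs:
      advisory:
        type: boolean
        default: false
      trusted-authors:
        type: string
        default: '["dependabot[bot]"]'
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Trivy                                   # action refs are illustrative
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: ${{ inputs.advisory }}
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        continue-on-error: ${{ inputs.advisory }}
      - name: zizmor
        run: pipx run zizmor .github/workflows
        continue-on-error: ${{ inputs.advisory }}
  auto-merge:
    needs: scan
    if: contains(fromJSON(inputs.trusted-authors), github.event.pull_request.user.login)
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
"""

# Constructed "after" state: no advisory input, scanners block unconditionally,
# and the trusted author is a hypothetical release bot, not dependabot[bot].
HARDENED_WORKFLOW = """\
name: platform-security
on:
  workflow_call:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          exit-code: '1'
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
      - name: zizmor
        run: pipx run zizmor .github/workflows
  auto-merge:
    needs: scan
    if: github.event.pull_request.user.login == 'platform-release-bot'
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
"""

INPUT_REF = re.compile(r"\$\{\{[^}]*\binputs\.([A-Za-z0-9_-]+)")
ADVISORY_INPUT = re.compile(r"advisory|soft[-_]?fail|allow[-_]?fail|warn[-_]?only", re.I)


def load_workflow(text: str) -> dict:
    doc = yaml.safe_load(text)
    if True in doc:  # YAML 1.1: a bare `on` key is parsed as boolean True
        doc["on"] = doc.pop(True)
    return doc


def strings(node, path=""):
    """Yield (path, value) for every string scalar anywhere in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def advisory_input_findings(doc: dict) -> list[str]:
    """workflow_call inputs whose name advertises a caller-controlled advisory mode."""
    inputs = ((doc.get("on") or {}).get("workflow_call") or {}).get("inputs") or {}
    return [f"workflow_call input {n!r} exposes an advisory mode" for n in inputs if ADVISORY_INPUT.search(n)]


def continue_on_error_findings(doc: dict) -> list[str]:
    """Steps whose failure is demoted: continue-on-error hard-coded or bound to an input."""
    out = []
    for job_name, job in (doc.get("jobs") or {}).items():
        for i, step in enumerate(job.get("steps") or []):
            label = step.get("name") or step.get("uses") or f"steps[{i}]"
            coe = step.get("continue-on-error")
            if coe is True:
                out.append(f"{job_name}/{label}: continue-on-error is hard-coded true")
            elif isinstance(coe, str):
                m = INPUT_REF.search(coe)
                bound = f"inputs.{m.group(1)}" if m else repr(coe)
                out.append(f"{job_name}/{label}: continue-on-error bound to {bound}")
    return out


def dependabot_trust_findings(doc: dict) -> list[str]:
    """Any dependabot[bot] literal (input default, if:, env) that could grant auto-merge trust."""
    return [f"{p}: {v!r}" for p, v in strings(doc) if "dependabot[bot]" in v]


def lint(text: str) -> list[str]:
    doc = load_workflow(text)
    return advisory_input_findings(doc) + continue_on_error_findings(doc) + dependabot_trust_findings(doc)


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = lint(wf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the reusable workflows a consumer repo (such as Vault, per the resolution note) pins to, and treat any finding as a reason not to bump the pinned SHA; the structural check catches a `continue-on-error` bound to a renamed input that a plain `rg advisory` would miss.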

@NWarila NWarila merged commit 1952b49 into main Jun 1, 2026
15 checks passed
@NWarila NWarila deleted the codex/platform-reusable-hardfail branch June 1, 2026 20:54