Merged
4 changes: 2 additions & 2 deletions WORKFLOW.md
Expand Up @@ -109,7 +109,7 @@ violate section 4.
trigger blocks. `workflow_dispatch` delivers the string `"true"`/`"false"`, so any `if:` consuming it
compares both forms: `${{ inputs.foo == true || inputs.foo == 'true' }}`.
- **Reusable-workflow permissions.** Job-level `permissions:` are validated before `if:`, so even a
skipped job needs valid permissions declared. Grant least privilege. A callee's extra scope (e.g.
skipped job's declared permissions must be valid. Grant least privilege. A callee's extra scope (e.g.
`actions: write` to delete artifacts) is granted by the caller at the `uses:` job.
- **Allowlist `success` and `skipped` explicitly** when chaining across an optional dependency.
`!= 'failure'` lets `cancelled` through. Use `(needs.X.result == 'success' || needs.X.result ==
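Review bot: the reworded sentence narrows the requirement without saying so. The old text said a skipped job "needs valid permissions declared"; the new text only says a skipped job's "declared permissions must be valid", which no longer tells the reader whether a reusable job must declare a `permissions:` block at all or merely that whatever it declares is checked before `if:` is evaluated. Since D7.2 later in this file refers back to this rule, state which of the two is meant, and say what "valid" covers (scope names and values the reusable-workflow schema accepts), for example: "Job-level `permissions:` are validated before `if:`, so a reusable job must declare a `permissions:` block whose scopes are valid even when the job is skipped."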
Expand Down Expand Up @@ -468,7 +468,7 @@ applicable guarantee is not operational (section 1).
ref-independent group with `cancel-in-progress: false`. All other entry workflows use the
`...-${{ github.ref }}` group with `cancel-in-progress: true`, except the merge-bot (PR-number group, D8.1) and the daily codegen
workflow (ref-independent `${{ github.workflow }}` group with `cancel-in-progress: true`, section 2).
- **D7.2 Skipped jobs still need valid permissions.** Output: every reusable job declares valid
- **D7.2 Skipped jobs still need valid permissions.** Output: every reusable job runs under valid least-privilege
`permissions:`, and a callee's extra scope is granted by the caller.
- **D7.3 Boolean inputs both forms.** Output: boolean inputs are declared in both trigger blocks and
compared against `true` and `'true'`.
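Review bot: "runs under valid least-privilege `permissions:`" conflicts with the item's own title, "Skipped jobs still need valid permissions": a skipped job does not run, so "runs under" is not something the check can observe, whereas the previous wording ("declares valid `permissions:`") is verifiable by reading the workflow file. Suggest keeping the declarative form and adding the least-privilege qualifier to it, with the missing comma: "Output: every reusable job declares valid, least-privilege `permissions:`, and a callee's extra scope is granted by the caller."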
2 changes: 1 addition & 1 deletion repo-config/configure.sh
Expand Up @@ -139,7 +139,7 @@ check_security() {
# 404 when disabled; automated-security-fixes returns { "enabled": true/false }.
assert "Dependabot vulnerability alerts enabled" gh_ok "repos/$REPO/vulnerability-alerts"
assert "Dependabot automated security updates enabled" \
jq_has '.enabled == true' < <(gh api "repos/$REPO/automated-security-fixes" 2>/dev/null)
jq_has '.enabled == true' < <(gh api "repos/$REPO/automated-security-fixes")
}

check_secrets() {
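Review bot: removing `2>/dev/null` makes a failing `gh api` call visible (useful when the token lacks the scope for `automated-security-fixes`), but it does not change what `assert` sees: inside the `< <(...)` process substitution the exit status of `gh api` is discarded, so on a 403 or 404 `jq_has '.enabled == true'` still just reads empty input and the check fails with the same message as a genuine "disabled" result, now with an unrelated stderr line printed above it. To make the failure distinguishable, capture the response first and check the status before evaluating it, along the lines of `out=$(gh api "repos/$REPO/automated-security-fixes") || <report API error>` and then feed `$out` to `jq_has`. Also note the comment on the first line of the hunk ("404 when disabled") describes the `vulnerability-alerts` endpoint used by the `gh_ok` assert; it would be clearer placed directly above that assert, since the second assert keys on the JSON body rather than on the status code.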