From 952c94b22e8135210899dc4871cd1cc99ad4b118 Mon Sep 17 00:00:00 2001 From: Pieter Viljoen Date: Mon, 29 Jun 2026 20:56:16 -0700 Subject: [PATCH] Address filed configuration and doc defects (#231) Co-Authored-By: Claude Opus 4.8 (1M context) --- WORKFLOW.md | 4 ++-- repo-config/configure.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/WORKFLOW.md b/WORKFLOW.md index ffe3d58..cd93277 100644 --- a/WORKFLOW.md +++ b/WORKFLOW.md @@ -109,7 +109,7 @@ violate section 4. trigger blocks. `workflow_dispatch` delivers the string `"true"`/`"false"`, so any `if:` consuming it compares both forms: `${{ inputs.foo == true || inputs.foo == 'true' }}`. - **Reusable-workflow permissions.** Job-level `permissions:` are validated before `if:`, so even a - skipped job needs valid permissions declared. Grant least privilege. A callee's extra scope (e.g. + skipped job's declared permissions must be valid. Grant least privilege. A callee's extra scope (e.g. `actions: write` to delete artifacts) is granted by the caller at the `uses:` job. - **Allowlist `success` and `skipped` explicitly** when chaining across an optional dependency. `!= 'failure'` lets `cancelled` through. Use `(needs.X.result == 'success' || needs.X.result == 
@@ -468,7 +468,7 @@ applicable guarantee is not operational (section 1). ref-independent group with `cancel-in-progress: false`. All other entry workflows use the `...-${{ github.ref }}` group with `cancel-in-progress: true`, except the merge-bot (PR-number group, D8.1) and the daily codegen workflow (ref-independent `${{ github.workflow }}` group with `cancel-in-progress: true`, section 2). -- **D7.2 Skipped jobs still need valid permissions.** Output: every reusable job declares valid +- **D7.2 Skipped jobs still need valid permissions.** Output: every reusable job runs under valid least-privilege `permissions:`, and a callee's extra scope is granted by the caller. - **D7.3 Boolean inputs both forms.** Output: boolean inputs are declared in both trigger blocks and compared against `true` and `'true'`. diff --git a/repo-config/configure.sh b/repo-config/configure.sh index d8ca484..2c4c22e 100755 --- a/repo-config/configure.sh +++ b/repo-config/configure.sh @@ -139,7 +139,7 @@ check_security() { # 404 when disabled; automated-security-fixes returns { "enabled": true/false }. assert "Dependabot vulnerability alerts enabled" gh_ok "repos/$REPO/vulnerability-alerts" assert "Dependabot automated security updates enabled" \ - jq_has '.enabled == true' < <(gh api "repos/$REPO/automated-security-fixes" 2>/dev/null) + jq_has '.enabled == true' < <(gh api "repos/$REPO/automated-security-fixes") } check_secrets() {
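Review bot: In the first WORKFLOW.md hunk (`@@ -109`), the rewritten sentence "even a skipped job's declared permissions must be valid" narrows the old claim ("needs valid permissions declared") to jobs that already have a `permissions:` block, so it no longer says whether a skipped job may omit the block entirely. Since the D7.2 heading still reads "Skipped jobs still need valid permissions", state the policy explicitly, e.g. "Job-level `permissions:` are validated before `if:`, so declare least-privilege `permissions:` on every job, including ones that will be skipped."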
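Review bot: In the second WORKFLOW.md hunk (`@@ -468`), "every reusable job runs under valid least-privilege `permissions:`" does not cover the case the D7.2 heading names: a skipped job never runs, so "runs under" describes nothing for it, and the validation the first hunk describes happens at declaration time, before `if:` is evaluated. Mirror the first hunk's wording, e.g. "every reusable job's declared `permissions:` are valid and least-privilege, even when the job is skipped, and a callee's extra scope is granted by the caller."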
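Review bot: In the configure.sh hunk (`@@ -139`), dropping `2>/dev/null` makes the `gh api` error text visible, but the command's exit status is still discarded because it runs inside a process substitution (`< <(...)`): on a non-200 response `jq_has '.enabled == true'` just sees empty input and the assertion reports "Dependabot automated security updates enabled" as failed without tying it to the API error. If the goal is to surface API failures, capture the body first and check the status, e.g. `body=$(gh api "repos/$REPO/automated-security-fixes") || fail "..."` before piping it to `jq_has`. The preceding `vulnerability-alerts` assertion has the same shape, so whichever pattern is chosen should be applied to both for consistency.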