feat(#26): approved actions registry and supply chain hardening docs#36
Merged

ms280690 merged 1 commit on May 29, 2026

Conversation
Documents all nine external action references currently in use with pinned SHAs, versions, purposes, and review dates.

Includes:
- Security review checklist for approving new actions
- Step-by-step process for adding a new publisher to the org allowlist
- Renovate SHA update policy (pinDigests: true, no manual SHA edits)
- Current org allowlist patterns (ossf/*, reviewdog/*, zizmorcore/*, opentofu/*, terramate-io/* — GitHub-owned via github_owned_allowed)

Satisfies the docs/approved-actions.md acceptance criterion for #26. Remaining open item: Renovate github-actions manager (tracked in #8).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ms280690 added a commit that referenced this pull request on May 29, 2026
* Add OpenSSF Scorecard and dependency review workflows (#29)

  scorecard.yml:
  - Runs weekly (Monday 06:00 UTC), on push to main, and on workflow_dispatch
  - Publishes results to the OpenSSF database (public repo, OIDC-signed)
  - Uploads SARIF to GitHub Security tab and as a retained artifact
  - Target score >= 8.0/10 per issue #29 acceptance criteria

  dependency-review.yml:
  - Triggers on PRs touching any supported lockfile format
  - Reusable via workflow_call with fail-on-severity and deny-licenses inputs
  - Posts a summary comment on the PR via comment-summary-in-pr: always
  - Default deny list: GPL-2.0, GPL-3.0, AGPL-3.0

  Also brings .pre-commit-config.yaml forward from issue-25 branch so local hooks work while that PR is pending merge. All action references SHA-pinned per #25 authoring standards.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address PR review comments on scorecard and dependency-review workflows

  scorecard.yml:
  - Remove redundant workflow-level permissions: read-all; job-level block is definitive (job permissions override, not merge, workflow-level)
  - Add if: always() to SARIF upload so results are captured even on transient Scorecard failures

  dependency-review.yml:
  - Raise fail-on-severity default from critical to high — CVSS 8.x findings should not pass silently in a security-focused org library
  - Add pdm.lock, mix.lock, Package.resolved to lockfile path filter
  - Expose comment-summary-in-pr as a workflow_call input (default: on-failure) so callers can control PR comment verbosity; avoids requiring pull-requests: write for callers that don't want comments

  Note: upload-artifact v7.0.1 SHA (043fb46d) is confirmed correct — v7.0.1 is the current latest release of actions/upload-artifact.

  The || fallback pattern on inputs.* is intentional and necessary: inputs.default is only applied on workflow_call; pull_request-triggered runs receive an empty string from the inputs context, requiring the fallback to supply the default value.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Improve workflow descriptions, job names, and README documentation

  scorecard.yml / dependency-review.yml:
  - Add workflow-level description comments (line 2)
  - Add job-level description comments
  - Capitalise job display names for consistency with Actions Quality Gate

  README.md:
  - Add OpenSSF Scorecard and Dependency Review to workflows table
  - Add usage examples for both workflows including workflow_call inputs

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add CI self-test workflow that dogfoods repo's own actions

  ci.yml calls workflow-lint.yml via workflow_call and runs the storage-optimizer composite action on every push and PR. Serves as both a test harness and a reference implementation for consuming repos. Also adds ci.yml to README workflows table.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Restructure: convert reusable workflows to composite actions, single ci.yml

  Each workflow capability is now a standalone composite action following the same pattern as storage-optimizer and terramate-opentofu-setup:
  - .github/actions/actionlint/ — actionlint via reviewdog
  - .github/actions/zizmor/ — zizmor static security analysis
  - .github/actions/scorecard/ — OpenSSF Scorecard + SARIF upload
  - .github/actions/dependency-review/ — dependency-review-action with inputs

  Deleted reusable workflows: workflow-lint.yml, scorecard.yml, dependency-review.yml. All logic moved into composite actions above.

  ci.yml updated to one job per composite action, all running in parallel. scorecard skips pull_request; dependency-review runs only on pull_request. schedule trigger added to ci.yml (weekly Monday 06:00 UTC) for scorecard.

  README rewritten to reflect composite-action-first structure with per-action usage examples and required permissions documented.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Rename actionlint action to github-actionlint; update CONTRIBUTING.md

  Rename .github/actions/actionlint/ → .github/actions/github-actionlint/ to make it explicit the action is specific to GitHub Actions workflows. Update ci.yml and README references accordingly.

  CONTRIBUTING.md:
  - Update description from "workflows" to "composite actions" to match the new repo structure
  - Rewrite "Adding a new workflow" → "Adding a new action" to reflect composite-action-first approach: create action.yml, add ci.yml job, update README table

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Add terramate-opentofu-setup job to ci.yml

  Verifies both tools install correctly. Terramate stack steps (generate, init, list) are no-ops in this repo since no stacks are defined. OPENTOFU_VERSION and TERRAMATE_VERSION set via job-level env to match the action defaults.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix terramate-opentofu-setup job: fetch-depth: 0 for --changed flag

  terramate --changed diffs against git history; shallow clone (depth 1) has only one commit so the flag errors. Full history required.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix scorecard job: require refs/heads/main, not just non-pull_request

  ossf/scorecard-action hard-requires the default branch and fails with "Only the default branch main is supported" on feature branches. Added github.ref == 'refs/heads/main' guard so the job is skipped on workflow_dispatch from feature branches and only runs on push to main and the weekly schedule.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Fix scorecard action: guard SARIF uploads against missing file

  When scorecard-action fails (e.g. wrong branch), scorecard-results.sarif is not produced. The if: always() upload steps then error with "Path does not exist".

  Add a check-sarif step that sets an output, and gate both upload steps on that output so they skip cleanly rather than error when the file is absent.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address PR review findings: inputs, scorecard, dependabot, CODEOWNERS

  terramate-opentofu-setup/action.yml:
  - Fix declared inputs being dead code: replace env.OPENTOFU_VERSION / env.TERRAMATE_VERSION with inputs.opentofu_version / inputs.terramate_version so callers using `with:` actually get their version honoured

  ci.yml:
  - Remove env: block from terramate-opentofu-setup job (now uses input defaults)
  - Gate storage-optimizer job to workflow_dispatch only — running docker prune on a throwaway ephemeral runner wastes CI minutes with zero benefit

  scorecard/action.yml:
  - Expose publish_results as an input (default: true) so private-repo callers can set it to false without forking the action
  - Replace check-sarif shell probe + output variable with if-no-files-found: ignore on upload-artifact and hashFiles() gate on upload-sarif — removes a step and eliminates the shell-subprocess failure mode
  - Add required permissions (id-token: write, security-events: write) to description

  CONTRIBUTING.md:
  - Add migration guide from the deleted workflow_call / workflow-lint.yml pattern to the equivalent composite action calls

  .github/dependabot.yml: add github-actions ecosystem, weekly schedule, 7-day cooldown to throttle supply-chain-attack-via-rapid-update vectors

  .github/CODEOWNERS: require @sparkgeo/security-team review for .github/ changes

  README.md: document publish_results input on scorecard action

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* perf: cancel stale runs, parallelize cleanup, skip push CI for non-workflow changes

  - Add concurrency group to ci.yml: cancels in-flight runs when new push arrives on same ref — avoids burning extra runner minutes on stale jobs
  - Add paths filter on push trigger: skip CI for doc/README-only pushes to main; scorecard still runs weekly via schedule so coverage unchanged
  - Parallelize storage-optimizer cleanup: run all rm -rf and docker prune in background with & + wait instead of sequentially — saves ~20-30s on workflow_dispatch

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(#26): add docs/approved-actions.md and link from README (#36)

  Documents all nine external action references currently in use with pinned SHAs, versions, purposes, and review dates.

  Includes:
  - Security review checklist for approving new actions
  - Step-by-step process for adding a new publisher to the org allowlist
  - Renovate SHA update policy (pinDigests: true, no manual SHA edits)
  - Current org allowlist patterns (ossf/*, reviewdog/*, zizmorcore/*, opentofu/*, terramate-io/* — GitHub-owned via github_owned_allowed)

  Satisfies the docs/approved-actions.md acceptance criterion for #26. Remaining open item: Renovate github-actions manager (tracked in #8).

  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- docs/approved-actions.md — authoritative list of all nine external actions used in this repo, with pinned SHAs, versions, purposes, and 2026-05-21 review dates
- Renovate SHA update policy (pinDigests: true, no manual edits)

Acceptance criteria status (closes #26)

- Org allowlist: ossf/*, reviewdog/*, zizmorcore/*, opentofu/*, terramate-io/* + github_owned_allowed: true (applied via API in feat: OpenSSF Scorecard and dependency review workflows #33)
- docs/approved-actions.md created and maintained in this repo
- zizmor SHA pinning check (enforced by pre-commit + CI)
- github-actions weekly updates with cooldown: 7 (added in feat: OpenSSF Scorecard and dependency review workflows #33)
- pinDigests: true for github-actions manager — tracked in feat: dependency management reusable workflows [parent] #8 (Renovate setup)
- dependencies: block — future GitHub roadmap item; issue will be updated when GA

Notes

- Base branch: issue-29-governance-observability (parent); will retarget to main after feat: OpenSSF Scorecard and dependency review workflows #33 merges
- perf: CI improvements committed on issue-29-governance-observability (concurrency group, push path filter, parallel storage-optimizer cleanup)

Closes #26
🤖 Generated with Claude Code
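As an added illustration (not code from this PR or its repository), the two rules the registry documents, every external `uses:` reference SHA-pinned with a version comment and every publisher on the org allowlist, can be checked over workflow text like this. The allowlist patterns are the ones the PR lists; modelling "GitHub-owned" as the actions/* and github/* namespaces, the sample workflow, and its SHAs are assumptions made for the example.

```python
import fnmatch
import re

# Org allowlist patterns as listed in the PR. GitHub-owned actions are allowed
# via github_owned_allowed; here that is modelled (assumption) as actions/* and
# github/*.
ORG_ALLOWLIST = ["ossf/*", "reviewdog/*", "zizmorcore/*", "opentofu/*", "terramate-io/*"]
GITHUB_OWNED = ["actions/*", "github/*"]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_uses(workflow_text):
    """Return (reference, verdict) for every `uses:` line in the text.

    Verdicts: ok, local, unpinned, no-version-comment, publisher-not-allowed.
    """
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref, version_comment = m.group(1), m.group(2)
        if ref.startswith("./"):                       # repo-owned composite action
            findings.append((ref, "local"))
        elif ref.startswith("docker://"):              # images must carry a digest
            findings.append((ref, "ok" if "@sha256:" in ref else "unpinned"))
        else:
            repo_path, _, version = ref.partition("@")
            owner_repo = "/".join(repo_path.split("/")[:2])   # drop any subdirectory
            allowed = any(fnmatch.fnmatch(owner_repo, p) for p in ORG_ALLOWLIST + GITHUB_OWNED)
            if not allowed:
                findings.append((ref, "publisher-not-allowed"))
            elif not SHA_RE.match(version):
                findings.append((ref, "unpinned"))     # tag or branch: mutable reference
            elif not version_comment:
                findings.append((ref, "no-version-comment"))  # comment lets Renovate track the release
            else:
                findings.append((ref, "ok"))
    return findings

def passes(workflow_text):
    """True when every reference is SHA-pinned and from an allowed publisher."""
    blocking = {"unpinned", "publisher-not-allowed"}
    return not any(v in blocking for _, v in check_uses(workflow_text))

# Constructed sample: the SHAs and version comments are placeholders, not real pins.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: zizmorcore/zizmor-action@v0.1.0
      - uses: reviewdog/action-actionlint@fedcba9876543210fedcba9876543210fedcba98
      - uses: someone-else/random-action@0123456789abcdef0123456789abcdef01234567 # v1
      - uses: ./.github/actions/storage-optimizer
"""

if __name__ == "__main__":
    for ref, verdict in check_uses(SAMPLE_WORKFLOW):
        print(f"{verdict:22s} {ref}")
```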