[FEATURE] Add CI gate for the shared reusable workflows (lint, security, conformance, freshness)#16
Merged
Conversation
…lows Quote $(pwd) in reusable-test-documentation.yml (SC2046) and add missing trailing newlines in reusable-backport.yml and reusable-apply-precommit.yml. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
9ddc0e6 to
c49df78
Compare
Set persist-credentials: false on all read-only checkouts, add the missing job-level permissions block to reusable-test-documentation.yml, move the flag-style inputs composer-args and render-flags to environment variable indirection, and add justified inline zizmor ignores for command-style inputs (code by contract from the calling repository) and for the two write workflows whose credential handling must not change without validation (backport, apply-precommit). Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Every push and PR now runs four checks over the shared workflows: actionlint (syntax, expressions, shellcheck; checksum-pinned binary), yamllint in strict mode, zizmor (security audit: template injection, credential persistence, token misuse), and a conformance script that keeps the README workflow table, workflow_call triggers and input documentation in sync. Python tools are hash-locked in .github/requirements.txt; Dependabot (new) keeps action pins and tool versions current with a 7-day cooldown. The README documents the consumer contract that command-style inputs must be static literals. This implements the mitigation required by ADR-003: consumers reference these workflows at @main, so main must stay reliable. Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
c49df78 to
5b4531e
Compare
This was referenced Jul 4, 2026
linawolf
approved these changes
Jul 7, 2026
linawolf
left a comment
Member
There was a problem hiding this comment.
These changes make sense to me as far as I can tell
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a CI gate to this repository so every PR and push to
mainvalidates the shared reusable workflows — beyond lint, it now also covers security, conformance and freshness. This implements the mitigation called out in ADR-003 (#6): consumer repositories reference these workflows at@main, so a broken or compromised merge here immediately affects every consumer repo. Until now this repository had no PR-triggered CI at all.What the gate checks
actionlintworkflow_callinput references, expression types, actionwith:validation, shellcheck on allrun:blocksyamllint--strict.github/per the committed.yamllint.ymlzizmorartipacked), GitHub App token misuse, Dependabot cooldown, online audits (ref confusion, impostor commits) viaGITHUB_TOKENconformance.github/scripts/check_conformance.pyworkflow_call-only triggers, every input documentedAll Python tools are hash-locked in
.github/requirements.txt(installed withpip --require-hashes --only-binary :all:), and a new.github/dependabot.ymlkeeps both the action SHA pins and the tool versions current (weekly, 7-day cooldown against hijacked-release windows).Commits
[BUGFIX]— pre-existing conformance findings onmain, so the gate is green from day one: unquoted$(pwd)inreusable-test-documentation.yml(SC2046), missing trailing newlines inreusable-backport.yml/reusable-apply-precommit.yml.[TASK]— security hardening from the zizmor audit:persist-credentials: falseon all read-only checkouts; job-levelpermissions: contents: readadded toreusable-test-documentation.yml(the only workflow that had none);composer-args/render-flagsmoved to env-var indirection (no template expansion into scripts); justified inline ignores for command-style inputs (code by contract, set in the calling repo's committed workflow) and for the two write workflows whose credential handling must not be changed blind (see follow-ups).[FEATURE]— the gate itself (4 jobs),.yamllint.yml, hash-locked requirements, conformance script, Dependabot config, README "Quality gate" section.Independent review round
Three independent reviewers (code, security, runtime) were run over this PR and #15. Their confirmed findings are incorporated: the consumer contract for command-style inputs is now documented in the README (static literals only, never
github.event.*data), the conformance script accepts all validon:forms (scalar/list/mapping), the README no longer over-claims Dependabot coverage for the curl-installed actionlint binary (bumped manually, noted inci.yml), and #15 was hardened to pass this gate in any merge order. Deliberately rejected: scoping the backport App token in this PR (the pinnedcreate-github-app-token@v1predatespermission-*support validation — remains a tracked follow-up to do together with the v3 migration).Verification
All four checks run locally green against this branch (zizmor: “No findings”, both offline and with a token for the online audits), against #15's
reusable-node-command.yml, and against a simulated merged tree of both PRs (conformance: 8 workflows checked) — the gate stays green in any merge order.Deliberately not in this PR (follow-ups)
reusable-node-command.ymlvia a localuses: ./.github/workflows/...reference (works only after [TASK] Add reusable Node command workflow #15 merges); the PHP reusables need a small fixture project and/or aworking-directoryinput first.reusable-backport.ymlstill usescreate-github-app-token@v1without permission scoping (zizmorgithub-app, currently ignore-listed with justification) — migrate to the v3.2.0 +permission-*pattern already used byreusable-apply-precommit.yml, coordinated with consumer secrets.peter-evans/create-pull-requestpushes purely via itstokeninput, then setpersist-credentials: falsethere too.