feat(checkpoints): org_provides + follow_uses + GH-30 demote#70
GH-3 (SECURITY.md), GH-4 (CONTRIBUTING.md), GH-7 (PR template) declare org_provides: paths so the runner falls back to `gh api repos/{owner}/.github/contents/<path>` when the local file is missing. Repos that opt into org-wide community-health files (the documented GitHub default) now stop being flagged. GH-7 also accepts both PULL_REQUEST_TEMPLATE.md and the lowercase pull_request_template.md (which is what netresearch/.github actually uses) — GitHub treats these case-insensitively.

GH-5 (CODEOWNERS) intentionally stays local-only — GitHub's review routing only honours CODEOWNERS in the consuming repo, not the org's .github fallback.

GH-8 / GH-9 (issue templates) declare org_provides for completeness, but most orgs don't ship default issue templates; for those repos this still surfaces as a finding. When an org does provide them at {owner}/.github/.github/ISSUE_TEMPLATE/<name>, the checkpoint passes.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
GH-19, GH-20, and GH-21 now set follow_uses: true so the runner expands the searched workflow files with the contents of any reusable workflow referenced via uses: owner/repo/.github/workflows/file.yml@ref (one hop, fetched via gh api). The pattern then matches against either the local file OR the upstream content. This lets repos satisfy CodeQL/Scorecard checks by delegating to a shared reusable workflow (e.g. netresearch/typo3-ci-workflows/.github/workflows/security.yml) instead of duplicating the github/codeql-action and ossf/scorecard-action wiring locally.

The semantics are unchanged — the upstream workflow body must still actually use the named action. For GH-21 (regex_not for slsa-github-generator), follow_uses prevents hiding the deprecated generator inside a delegated workflow.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
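The two behaviours described in the commits above (org_provides fallback to `{owner}/.github`, and one-hop follow_uses expansion of reusable workflows) as an added, self-contained Python model. This is example code, not the checkpoints runner or its YAML schema: the `FileCheck`/`WorkflowRegex` classes, the `negate` flag standing in for `regex_not`, the `fetch()` function standing in for `gh api repos/{owner}/{repo}/contents/{path}?ref={ref}`, and all repo contents are constructed for illustration. It shows the two semantics that matter for the security checks: a positive pattern may be satisfied by the local workflow OR a followed reusable workflow, while a regex_not pattern fails if it appears in EITHER, so a deprecated slsa-github-generator cannot be hidden one hop away; uses: references inside the fetched upstream body are deliberately not followed.

```python
import re
from dataclasses import dataclass, field

# Constructed contents of the repo under assessment (path -> file body).
LOCAL = {
    ".github/CODEOWNERS": "* @netresearch/maintainers\n",
    ".github/workflows/ci.yml": (
        "jobs:\n"
        "  security:\n"
        "    uses: netresearch/typo3-ci-workflows/.github/workflows/security.yml@v1\n"
    ),
}

# Constructed stand-in for `gh api repos/<owner>/<repo>/contents/<path>?ref=<ref>`.
# Key: (owner, repo, path, ref); ref None = default branch.
REMOTE = {
    ("netresearch", ".github", "SECURITY.md", None): "Report to security@...\n",
    ("netresearch", ".github", "pull_request_template.md", None): "## Summary\n",
    ("netresearch", "typo3-ci-workflows", ".github/workflows/security.yml", "v1"): (
        "jobs:\n"
        "  codeql:\n"
        "    steps:\n"
        "      - uses: github/codeql-action/analyze@v3\n"
        "  provenance:\n"
        "    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0\n"
    ),
}


def fetch(owner, repo, path, ref=None):
    """Hypothetical fetcher. Filenames compare case-insensitively, as GitHub
    does for community-health files; returns None where gh api would 404."""
    for (o, r, p, rf), body in REMOTE.items():
        if (o, r, rf) == (owner, repo, ref) and p.lower() == path.lower():
            return body
    return None


@dataclass
class FileCheck:
    id: str
    paths: list                                       # candidates in the consuming repo
    org_provides: list = field(default_factory=list)  # candidates in {owner}/.github; empty = local-only


@dataclass
class WorkflowRegex:
    id: str
    pattern: str
    negate: bool = False        # models regex_not: pattern must be absent everywhere
    follow_uses: bool = False   # also inspect referenced reusable workflows (one hop)


# owner/repo/.github/workflows/<file>.yml@ref, with or without a leading list dash
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)/(\.github/workflows/[\w.-]+\.ya?ml)@(\S+)", re.M
)


def check_file(c, owner, local=LOCAL):
    """Local paths first, then the org-wide fallback if the checkpoint declares one."""
    for p in c.paths:
        if any(k.lower() == p.lower() for k in local):
            return "pass", "local"
    for p in c.org_provides:
        if fetch(owner, ".github", p) is not None:
            return "pass", f"{owner}/.github"
    return "fail", None


def check_workflow(c, local=LOCAL):
    """Search local workflow bodies, plus one hop of reusable workflows when follow_uses is set."""
    bodies = {k: v for k, v in local.items() if k.startswith(".github/workflows/")}
    if c.follow_uses:
        # Iterate over a snapshot so uses: inside fetched upstream bodies are NOT followed (one hop).
        for body in list(bodies.values()):
            for o, r, p, ref in USES_RE.findall(body):
                upstream = fetch(o, r, p, ref)
                if upstream is not None:
                    bodies[f"{o}/{r}/{p}@{ref}"] = upstream
    hits = [name for name, body in bodies.items() if re.search(c.pattern, body)]
    if c.negate:
        # regex_not: a match in the local file OR a followed workflow is a failure
        return ("fail" if hits else "pass"), hits
    # positive pattern: the local file OR a followed workflow may satisfy it
    return ("pass" if hits else "fail"), hits


CHECKS = [
    FileCheck("GH-3", ["SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"], ["SECURITY.md"]),
    FileCheck("GH-5", [".github/CODEOWNERS", "CODEOWNERS", "docs/CODEOWNERS"]),  # no org fallback
    FileCheck("GH-7", [".github/PULL_REQUEST_TEMPLATE.md", "PULL_REQUEST_TEMPLATE.md",
                       "docs/PULL_REQUEST_TEMPLATE.md"], ["PULL_REQUEST_TEMPLATE.md"]),
    WorkflowRegex("GH-19", r"github/codeql-action", follow_uses=True),
    WorkflowRegex("GH-21", r"slsa-github-generator", negate=True, follow_uses=True),
]


def run(checks=CHECKS, owner="netresearch"):
    """Return {checkpoint id: 'pass'|'fail'} for the constructed repo."""
    return {
        c.id: (check_file(c, owner) if isinstance(c, FileCheck) else check_workflow(c))[0]
        for c in checks
    }


if __name__ == "__main__":
    for cid, verdict in run().items():
        print(cid, verdict)
```

With the constructed data, GH-3 and GH-7 pass only through the org fallback (GH-7 via the lowercase filename), GH-5 passes from the local CODEOWNERS and would not fall back even if it were missing, GH-19 passes only because the delegated security.yml contains github/codeql-action, and GH-21 fails because the same delegated workflow pulls in slsa-github-generator; drop follow_uses from those two checks and the verdicts invert, which is exactly the blind spot the commit closes.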
netresearch's org-wide default leaves enforce_admins=false so admins retain bypass for emergency response — none of the surveyed mature repos enables it. Forcing severity=error against this org policy created persistent red findings everywhere. Demoted to info so the checkpoint still reminds reviewers but doesn't block as a hard failure. Description updated to make the policy choice explicit.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Code Review
This pull request updates the checkpoints.yaml configuration to support organization-wide file provisioning and reusable workflows. Key changes include the addition of the org_provides field to several file existence checks, the enablement of follow_uses for workflow regex patterns to support one-hop reusable workflow analysis, and a severity downgrade for the enforce_admins check to align with organizational defaults. Review feedback suggests expanding the search paths for pull request templates to include the docs/ directory and correcting the relative paths for issue templates within the org_provides field to ensure they resolve correctly against the root of the .github repository.
Pull request overview
This PR updates the github-project checkpoint definitions to recognize more org-level GitHub defaults and reusable workflow patterns, aiming to reduce false negatives when repositories inherit configuration from an organization-level .github repo or shared workflows.
Changes:
- Added `org_provides` fallbacks for several community-health/template checks, including PR and issue templates.
- Enabled `follow_uses: true` for CodeQL, Scorecard, and SLSA workflow checks so reusable workflows are inspected one hop deep.
- Demoted GH-30 (`enforce_admins`) from an error-level policy signal to informational guidance and updated its description.
- GH-7: add docs/ paths to target list and accept both upper/lowercase PULL_REQUEST_TEMPLATE.md in org_provides via brace expansion.
- GH-8/09: drop redundant .github/ prefix from org_provides (path is resolved against the {owner}/.github repo root) and accept both .yml and .md forms for the org-wide fallback so repos following either Netresearch convention pass.
- GH-32: align prompt with GH-30 demote — enforce_admins is advisory (info), only required_conversation_resolution remains error-level. Prevents repos following the org default (enforce_admins=false) from failing GH-32 even though GH-30 was demoted to info.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Summary

- `org_provides` for community-health files (SECURITY.md, CONTRIBUTING.md, pull_request_template.md) via `gh api repos/{owner}/.github/contents/<path>` fallback; GH-7 also accepts both `PULL_REQUEST_TEMPLATE.md` and lowercase `pull_request_template.md` (which is what netresearch/.github actually uses).
- `follow_uses: true` so the runner walks one hop into reusable-workflow `uses:` references — surfaces CodeQL/Scorecard wired through netresearch/.github reusable workflows.
- GH-30 (`enforce_admins`) demoted from error to info because netresearch's org default leaves `enforce_admins=false` (admins keep bypass for emergency response); description updated to make the policy choice explicit.

Test plan

```bash
bash /home/sme/p/automated-assessment-skill/main/skills/automated-assessment/scripts/run-checkpoints.sh --force <this-skill>/checkpoints.yaml /home/sme/p/file-search-skill/main
```