ci: add pnpm audit gates, fix SHA drift, update docs to match NA-03 v1.6#39
Closed
bryanfawcett wants to merge 1 commit into
Closed
ci: add pnpm audit gates, fix SHA drift, update docs to match NA-03 v1.6#39bryanfawcett wants to merge 1 commit into
bryanfawcett wants to merge 1 commit into
Conversation
- PR template: remove "7 Enterprise products" from locked-count checklist (NA-03 v1.6, 22 Jun 2026, removed Enterprise products from locked counts) - reusable-ci-typescript.yml: add pnpm audit job (audit-level=moderate) to match the gate that already exists in the monorepo and lib variants - reusable-ci-typescript-lib.yml: add pnpm audit job; align actions/checkout and pnpm/action-setup SHAs with the rest of the org (both were using stale pinned SHAs inconsistent with other workflows) - CLAUDE.md: add claude-fable-5 row to model-selection table; add pnpm audit step to TypeScript stack commands; complete the locked-count list to include all six locked values (was missing covenants, manifesto sections, and sources of truth) Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
11 tasks
Contributor
Author
|
Closing as superseded — the most recent of the duplicate-PR pileup (#30–#39). The checkout SHA alignment it chased is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also proposed Generated by Claude Code |
13 tasks
bryanfawcett
added a commit
that referenced
this pull request
Jul 3, 2026
The scheduled "keep the repo up to date" routine was opening a new draft PR every day (#30-#39) without checking for existing open ones or merging its own work, and repeatedly hand-resolved actions/checkout SHA drift in inconsistent directions instead of deferring to Dependabot. Document the actual rules: dedupe against open PRs from the same routine, leave third-party Action version pins to Dependabot, run formatters before committing, and merge routine/mechanical fixes once required checks are green instead of leaving them as drafts forever. Signed-off-by: Claude <noreply@anthropic.com> Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
reusable-ci-typescript.yml: adds apnpm audit --audit-level=moderatejob, closing the supply-chain gap that already existed in the monorepo and lib variants but not this standalone workflowreusable-ci-typescript-lib.yml: adds the samepnpm auditjob; alignsactions/checkoutandpnpm/action-setupSHAs to match all other org workflows (both were on different pinned SHAs from a prior Dependabot cycle that didn't reach this file)CLAUDE.md: three documentation fixes: (1) addsclaude-fable-5to the model-selection table for maximum-depth analysis tasks; (2) addspnpm audit --audit-level=moderateto the TypeScript stack command reference so it matches what CI actually enforces; (3) completes the locked-count list to enumerate all six locked values (covenants, manifesto sections, and sources of truth were previously omitted)Linked issue(s)
N/A — identified during routine governance audit of the org
.githubrepo.Type of change
ci— CI configurationdocs— documentation onlyBreaking change?
Consuming repos that call
reusable-ci-typescript.ymlorreusable-ci-typescript-lib.ymlwill gain a newpnpm auditCI job. If any repo currently has vulnerable dependencies atmoderateseverity or higher this job will fail on their next CI run — which is the intended behaviour.How has this been tested?
Checklist
Process
Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>).claude/<short-kebab-description>.CLAUDE.md).NA-03 merge blockers
Additional notes
Unsigned commits: This PR was authored in an ephemeral remote Claude Code session where GPG/SSH signing keys are not available. Per
CLAUDE.md§ "Signed commits": flagging this before merging so the human operator can decide whether to sign the commits locally or squash-sign on merge.Generated by Claude Code