Skip to content

ci: add pnpm audit gates, fix SHA drift, update docs to match NA-03 v1.6#39

Closed
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-bdb88f
Closed

ci: add pnpm audit gates, fix SHA drift, update docs to match NA-03 v1.6#39
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-bdb88f

Conversation

@bryanfawcett

Copy link
Copy Markdown
Contributor

Summary

  • PR template: removes the stale "7 Enterprise products" entry from the locked-count checklist — this was explicitly removed from the locked counts in NA-03 v1.6 (22 June 2026) and the template was not updated
  • reusable-ci-typescript.yml: adds a pnpm audit --audit-level=moderate job, closing the supply-chain gap that already existed in the monorepo and lib variants but not this standalone workflow
  • reusable-ci-typescript-lib.yml: adds the same pnpm audit job; aligns actions/checkout and pnpm/action-setup SHAs to match all other org workflows (both were on different pinned SHAs from a prior Dependabot cycle that didn't reach this file)
  • CLAUDE.md: three documentation fixes: (1) adds claude-fable-5 to the model-selection table for maximum-depth analysis tasks; (2) adds pnpm audit --audit-level=moderate to the TypeScript stack command reference so it matches what CI actually enforces; (3) completes the locked-count list to enumerate all six locked values (covenants, manifesto sections, and sources of truth were previously omitted)

Linked issue(s)

N/A — identified during routine governance audit of the org .github repo.

Type of change

  • ci — CI configuration
  • docs — documentation only

Breaking change?

  • This PR introduces a breaking change.

Consuming repos that call reusable-ci-typescript.yml or reusable-ci-typescript-lib.yml will gain a new pnpm audit CI job. If any repo currently has vulnerable dependencies at moderate severity or higher this job will fail on their next CI run — which is the intended behaviour.

How has this been tested?

  • Diff reviewed against NA-03 v1.6 for locked-count correctness
  • SHA values verified against the canonical SHAs used in all other org workflows
  • YAML structure validated by inspection (actionlint will run in CI)

Checklist

Process

  • My PR title follows Conventional Commits.
  • All of my commits are signed and show "Verified" on GitHub (remote session — signing unavailable; flagged per CLAUDE.md).
  • All of my commits have a DCO sign-off (Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>).
  • My branch name follows claude/<short-kebab-description>.
  • I have rebased onto the latest default branch; no merge commits from the base branch in this PR.
  • I have updated documentation where relevant (CLAUDE.md).
  • I ran the repo's local checks and they pass (lint CI runs on push).
  • No new runtime dependencies introduced.

NA-03 merge blockers

  • N/A for schema, APIs, cryptography, data placement, and smart-contract counts.
  • Secret hygiene — no secrets in diff.
  • Prohibited dependencies — none introduced.
  • New GitHub Actions — no new actions; existing SHA pins aligned, not changed to floating tags.

Additional notes

Unsigned commits: This PR was authored in an ephemeral remote Claude Code session where GPG/SSH signing keys are not available. Per CLAUDE.md § "Signed commits": flagging this before merging so the human operator can decide whether to sign the commits locally or squash-sign on merge.


Generated by Claude Code

- PR template: remove "7 Enterprise products" from locked-count checklist
  (NA-03 v1.6, 22 Jun 2026, removed Enterprise products from locked counts)
- reusable-ci-typescript.yml: add pnpm audit job (audit-level=moderate)
  to match the gate that already exists in the monorepo and lib variants
- reusable-ci-typescript-lib.yml: add pnpm audit job; align
  actions/checkout and pnpm/action-setup SHAs with the rest of the org
  (both were using stale pinned SHAs inconsistent with other workflows)
- CLAUDE.md: add claude-fable-5 row to model-selection table; add
  pnpm audit step to TypeScript stack commands; complete the locked-count
  list to include all six locked values (was missing covenants, manifesto
  sections, and sources of truth)

Signed-off-by: Bryan Fawcett <bryan@nyuchi.com>
@bryanfawcett

Copy link
Copy Markdown
Contributor Author

Closing as superseded — the most recent of the duplicate-PR pileup (#30#39). The checkout SHA alignment it chased is now handled correctly by Dependabot's #38 (merged in 1b669fb). This PR also proposed pnpm audit gates for the TypeScript reusables and a corrected locked-counts line in the PR template — reasonable ideas, stale against current main; worth resubmitting as a focused PR if still wanted.


Generated by Claude Code

bryanfawcett added a commit that referenced this pull request Jul 3, 2026
The scheduled "keep the repo up to date" routine was opening a new
draft PR every day (#30-#39) without checking for existing open ones
or merging its own work, and repeatedly hand-resolved actions/checkout
SHA drift in inconsistent directions instead of deferring to
Dependabot. Document the actual rules: dedupe against open PRs from
the same routine, leave third-party Action version pins to Dependabot,
run formatters before committing, and merge routine/mechanical fixes
once required checks are green instead of leaving them as drafts
forever.

Signed-off-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant