From 774db37a80ad6fa52cdd111b9aa5a42eefd79f0e Mon Sep 17 00:00:00 2001 From: LeadGoEngineer Date: Tue, 19 May 2026 07:45:08 -0400 Subject: [PATCH] chore(ci): add security.yml version marker + document >5-repos switchover The security workflow is copy-and-propagated across repos today; without a version marker at the top of the file there is no key for a future drift check to bind to. Add the marker per Lead Go review on PR #5, and document the >5-repos threshold for switching to a workflow_call reusable workflow in CONTRIBUTING.md so the next person who edits the workflow knows the rule. No behavior change to the workflow itself. Withings-export-cli carries the same marker in a parallel PR. Refs QUA-47. Co-Authored-By: Paperclip --- .github/workflows/security.yml | 5 +++++ CONTRIBUTING.md | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 08c1e21..8a2c3ae 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,3 +1,8 @@ +# security.yml v1 — source of truth: quantcli/common; sync changes to every *-export-cli. +# Bump the version when this workflow changes materially; a future drift-check job will key off it. +# See CONTRIBUTING.md "Supply-chain and security" for the propagation policy and the >5-repos +# switchover trigger to a reusable workflow_call. + name: security # Supply-chain and license-policy gate for quantcli repos. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0684abc..63db9f4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -106,6 +106,14 @@ If a PR fails the license-policy check, do not unblock it by adding a `replace` To propose a security policy change (allowlist, severity bar, or workflow tooling), open an issue here first — these decisions ripple to every export-cli. +### Where the workflow lives, and when to centralize it + +The `security` workflow is **copied verbatim** into every repo that runs it (`quantcli/common` plus each `*-export-cli`). `quantcli/common` is the source of truth; the `# security.yml v1 — source of truth: quantcli/common` marker at the top of each copy is the version key. When you change the workflow in `common`, propagate the change (and bump the version) to every repo that runs it. A future drift-check job will key off that marker. + +Self-contained is the right shape **while the org has ≤5 repos running this workflow**. The tradeoff is deliberate: each repo's CI is hermetic, no org-level reusable-workflow setting to wrangle, and new contributors can read the entire pipeline in one file. The cost is drift — fixes in `common` don't propagate automatically, and the version marker plus this propagation rule is the mitigation. + +**Switchover trigger:** when a 6th repo onboards the workflow (i.e. `>5` repos), evaluate moving to a `workflow_call` reusable workflow hosted in `quantcli/common` and consumed by each export-cli. At that point the copy-and-propagate cost exceeds the centralization cost. Revisit sooner if GitHub starts letting non-admins read the reusable-workflow org setting (today that's an admin-only surface, which would otherwise hide CI configuration from contributors). See [Lead Go review on PR #5](https://github.com/quantcli/common/pull/5#pullrequestreview-4260001530) for the original rationale. + For reporting a vulnerability in a shipped CLI or in `common`, see [SECURITY.md](SECURITY.md). Do **not** open a public issue with exploit details. ## License and sign-off