feat: OpenSSF Allstar — continuous org-wide policy enforcement

[ms280690]

Context

Track: B — Org/infrastructure governance
Pillar: 6 — Enterprise Governance & Observability
Parent: #29
Cross-references: #25 (workflow authoring standards), #29 (Scorecard already running)

Why Allstar

OpenSSF Scorecard (added in #29) gives a weekly point-in-time score. Allstar complements it with continuous enforcement: it watches every repo in the org and opens a GitHub issue (or auto-fixes where possible) the moment a repo drifts out of policy. Where Scorecard measures, Allstar acts.

Allstar is a GitHub App maintained by the OpenSSF. It is configured via YAML files in a central sparkgeo/.allstar repo. One config governs the whole org; individual repos can opt out of specific policies via their own .allstar/ overrides.

Policies to enable

Policy	What it enforces	Auto-fix?
branch_protection	Required status checks, dismiss stale reviews, require up-to-date branches	No — opens issue
binary_artifacts	No compiled binaries committed to the repo	No — opens issue
dangerous_workflow	No pull_request_target + checkout of fork ref (script injection vector)	No — opens issue
outside_collaborators	Outside collaborators cannot have admin/push access	No — opens issue
security_policy	Repo must have a SECURITY.md or link to the org security advisory process	No — opens issue
scorecard	Repo scorecard checks must meet a minimum threshold	No — opens issue

Setup

1. Install the Allstar GitHub App on the sparkgeo org
2. Create a sparkgeo/.allstar repo (or use an existing .github repo)
3. Add the opt-in/opt-out config and per-policy YAML files (see Allstar docs)
4. Configure action: issue for all policies initially — observe before enforcing
5. After a burn-down period, tighten to action: fix where auto-fix is safe

Example config skeleton

# .allstar/allstar.yaml  (opt-in all repos by default)
optConfig:
  optOutStrategy: false   # opt-in model: all repos enforced unless they opt out
  disableRepoOverride: false  # allow per-repo .allstar/ overrides
issueLabel: allstar
issueRepo: sparkgeo/.allstar  # file all issues centrally, not per-repo

# .allstar/branch_protection.yaml
optConfig:
  optOutStrategy: false
action: issue
requireDefaultBranchProtection: true
requireStatusChecks: true
requireUpToDateBranch: false   # allow flexibility on non-main branches

Relationship to existing tooling

• Allstar's dangerous_workflow check is a runtime complement to zizmor (which catches issues at PR time in feat: workflow authoring standards + actionlint/zizmor gate #25) — together they cover both new PRs and existing workflow files that predate the gate
• Allstar's scorecard policy can enforce the ≥ 8.0 target set in feat: enterprise governance, rulesets, and observability #29 across all repos, not just sparkgeo/github-actions
• OpenSSF Scorecard rewards having Allstar enabled (the Branch-Protection and Maintained checks benefit directly)

Acceptance criteria

• Allstar GitHub App installed on sparkgeo org
• sparkgeo/.allstar repo created with opt-in-all config
• branch_protection, dangerous_workflow, binary_artifacts, outside_collaborators, and security_policy policies enabled in action: issue mode
• Burn-down period: all existing policy violations resolved across org repos
• Central issue tracker (issueRepo) reviewed weekly until steady state
• action: fix enabled for policies that support safe auto-remediation