Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 39 additions & 3 deletions .github/branch-protection/main.json
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,44 @@
"deletion (blocks branch deletion)",
"non_fast_forward (blocks force-push)",
"required_signatures (requires verified commits)",
"required_linear_history (blocks merge commits)"
"required_linear_history (blocks merge commits)",
"pull_request (requires squash-only PRs and resolved review threads)",
"required_status_checks (requires the exact strict CI contexts below)"
],
"allow_force_pushes": false,
"allow_deletions": false,
"repository_settings": {
"allow_squash_merge": true,
"allow_merge_commit": false,
"allow_rebase_merge": false,
"squash_merge_commit_title": "PR_TITLE",
"squash_merge_commit_message": "BLANK",
"allow_update_branch": true,
"delete_branch_on_merge": true,
"has_wiki": false,
"has_projects": false
},
"pull_request_policy": {
"required_approving_review_count": 0,
"required_review_thread_resolution": true,
"require_code_owner_review": false,
"require_last_push_approval": false,
"dismiss_stale_reviews_on_push": false,
"allowed_merge_methods": [
"squash"
]
},
"required_status_checks": {
"strict": true,
"do_not_enforce_on_create": false,
"contexts": [
"actionlint / actionlint",
"CodeQL / CodeQL (actions)",
"Dependency review / Dependency review",
"Secret scan / Gitleaks secret scan",
"zizmor (SARIF) / zizmor (SARIF)"
]
},
"release_governance": {
"semver_tag_ruleset_id": 18733591,
"protected_tag_patterns": [
Expand All @@ -26,9 +60,11 @@
"This file documents the ACTUAL branch protection applied via gh API ruleset.",
"Solo-maintainer repo: no PR review requirement (self-approval not possible on GitHub).",
"Repository administrators retain the standard emergency bypass used across NDDev repositories.",
"Repository merges are squash-only, use the pull-request title as the commit title, and omit an auto-generated body.",
"Update-branch is enabled, merged branches are deleted automatically, and unused wiki/projects surfaces are disabled.",
"SemVer tags cannot be updated, force-pushed, or deleted after creation.",
"Repository-level release immutability applies to releases created after it was enabled; release 2.0.0 predates that setting and remains protected by its immutable tag.",
"Secret scanning, push protection, and Dependabot security updates are enabled at repo level.",
"To add PR reviews later (when collaborators join), add a 'pull_request' rule to the ruleset."
"Secret scanning, push protection, dependency graph, Dependabot alerts, and Dependabot security updates are enabled at repo level.",
"The pull-request rule intentionally requires zero approvals for the solo maintainer while still requiring resolved review threads; increase the approval count when collaborators join."
]
}
23 changes: 17 additions & 6 deletions .github/workflows/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,13 @@ against a pinned submodule revision.

Reusable workflows are sourced from
[`NDDev-it-com/nddev-ci-workflows`](https://github.com/NDDev-it-com/nddev-ci-workflows)
release `0.3.0`, pinned to commit
`1acba687361415b3f5942acceb40b228bb0387fd`.
release `0.5.0`, pinned to commit
`d1bb39730a45bae1e8c507477bb15c5e05a2b412`.

## Workflows

- **`actionlint.yml`** validates every public workflow's syntax and expressions
through the checksum-verified shared `actionlint.yml` workflow.
- **`codeql.yml`** runs CodeQL for GitHub Actions on pushes, pull requests, and
the weekly schedule through `public-codeql.yml`.
- **`dependency-review.yml`** checks pull-request dependency changes through
Expand All @@ -20,10 +22,19 @@ release `0.3.0`, pinned to commit
`secret-scan.yml`.
- **`scorecard.yml`** runs the public OpenSSF Scorecard JSON workflow on pushes
and the weekly schedule.
- **`release.yml`** verifies a SemVer tag against all three build-version
sources, checks core-plugin version parity, extracts the matching changelog
section, and publishes the GitHub Release.
- **`labeler.yml`** labels pull requests from `.github/labeler.yml`.
- **`zizmor.yml`** performs pedantic GitHub Actions security analysis, publishes
SARIF to code scanning, and fails on low-or-higher findings. GitHub permits
code-scanning result upload for workflows triggered by `pull_request`,
including fork and Dependabot pull requests.
- **`release.yml`** requires strict SemVer equality across the tag, every build
contract, and both core-plugin version sources. The tagged commit must be an
ancestor of freshly fetched `origin/main`. It then calls the shared
supply-chain workflow to publish one immutable release with a deterministic
source archive (including the root secret-boundary `.gitignore`), checksums,
SPDX SBOM, build provenance, and SBOM attestation.
- **`labeler.yml`** labels pull requests from `.github/labeler.yml` without
checking out contributor code. Its hardened runner uses minimal egress and
per-pull-request concurrency.

All external actions and reusable workflows are pinned to immutable commit SHAs.
The private harness validates those pins and the public/private repository
Expand Down
22 changes: 22 additions & 0 deletions .github/workflows/actionlint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: actionlint

on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:

permissions:
contents: read

concurrency:
group: actionlint-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
actionlint:
name: actionlint
permissions:
contents: read
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/actionlint.yml@d1bb39730a45bae1e8c507477bb15c5e05a2b412 # 0.5.0
11 changes: 6 additions & 5 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,7 @@ on:
schedule:
- cron: "20 7 * * 1"

permissions:
contents: read
security-events: write
actions: read
permissions: {}

concurrency:
group: codeql-${{ github.ref }}
Expand All @@ -20,7 +17,11 @@ concurrency:
jobs:
codeql:
name: CodeQL
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-codeql.yml@1acba687361415b3f5942acceb40b228bb0387fd # 0.3.0
permissions:
contents: read
security-events: write # Publish CodeQL analysis to code scanning.
actions: read # Read workflow metadata for the actions language.
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-codeql.yml@d1bb39730a45bae1e8c507477bb15c5e05a2b412 # 0.5.0
with:
languages: '["actions"]'
queries: security-and-quality
8 changes: 5 additions & 3 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,7 @@ on:
pull_request:
branches: [main]

permissions:
contents: read
permissions: {}

concurrency:
group: dependency-review-${{ github.ref }}
Expand All @@ -14,4 +13,7 @@ concurrency:
jobs:
dependency-review:
name: Dependency review
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-dependency-review.yml@1acba687361415b3f5942acceb40b228bb0387fd # 0.3.0
permissions:
contents: read
pull-requests: write # Comment when dependency policy rejects a change.
uses: NDDev-it-com/nddev-ci-workflows/.github/workflows/public-dependency-review.yml@d1bb39730a45bae1e8c507477bb15c5e05a2b412 # 0.5.0
23 changes: 16 additions & 7 deletions .github/workflows/labeler.yml
Original file line number Diff line number Diff line change
@@ -1,25 +1,34 @@
name: labeler

on:
pull_request_target:
# Required to label pull requests from forks. No contributor-controlled code
# is checked out or executed by this privileged workflow.
pull_request_target: # zizmor: ignore[dangerous-triggers]
types: [opened, synchronize, reopened]

permissions:
contents: read
pull-requests: write
permissions: {}

concurrency:
group: labeler-${{ github.ref }}
group: labeler-pr-${{ github.event.pull_request.number }}
cancel-in-progress: true

jobs:
label:
name: Label PR
runs-on: ubuntu-latest
timeout-minutes: 5
permissions:
contents: read
pull-requests: write # Apply labels to the triggering pull request only.
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Harden runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: block
allowed-endpoints: >
agent.api.stepsecurity.io:443
api.github.com:443

- name: Apply labels
uses: actions/labeler@b8dd2d9be0f68b860e7dae5dae7d772984eacd6d # v6.0.0
with:
Expand Down
Loading