feat(repo-permissions): bring devantler-tech/actions under SHA-pin policy#98
Conversation
…licy The actions repo was excluded from the org-wide shaPinningRequired policy only while its first-party self-references were tag-pinned. Those accommodations were reverted in devantler-tech/actions#541 (self-refs now resolve by local path after a same-commit self-checkout; every remote uses: is SHA-pinned), so the exclusion is obsolete. Add actions.yaml and register it in the kustomization; the shared patch applies shaPinningRequired: true. Live effect awaits the same provider-upjet-github#288 bump that gates the whole directory; this delivers the declarative source of truth. Part of devantler-tech/actions#426 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c4e9d6fd58
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
actions.yaml brings devantler-tech/actions under the shaPinningRequired policy, so the README no longer documents it as excepted. Keeps the deploy/ source-of-truth guidance consistent with the manifests. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@codex review |
|
Codex Review: Didn't find any major issues. Keep it up! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Why.
devantler-tech/actionswas the one repo left out of the org-wide "require actions to be pinned to a full-length commit SHA" policy — excluded only while its first-party self-references were tag-pinned. Those tag-pin accommodations were reverted in devantler-tech/actions#541 (self-references now resolve by local path; every remote action is SHA-pinned), so the exclusion is obsolete and the repo should hold itself to the same hardening it enforces everywhere else.What. Adds
actions.yamltodeploy/repository-permissions/and registers it in the kustomization, so the sharedshaPinningRequired: truepatch now coversactionstoo. Updates the header note that recorded the old exclusion.Delivers the declarative source-of-truth for AC1 of actions#426 (AC2/AC3 already landed via actions#541). Live effect awaits the same provider-upjet-github#288 provider bump that gates this entire directory — no behaviour change until then.
Part of devantler-tech/actions#426