From c4e9d6fd581c0191a629768dbbb71f5ce85eea5d Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Tue, 14 Jul 2026 04:22:58 +0200 Subject: [PATCH 1/2] feat(repo-permissions): bring devantler-tech/actions under SHA-pin policy The actions repo was excluded from the org-wide shaPinningRequired policy only while its first-party self-references were tag-pinned. Those accommodations were reverted in devantler-tech/actions#541 (self-refs now resolve by local path after a same-commit self-checkout; every remote uses: is SHA-pinned), so the exclusion is obsolete. Add actions.yaml and register it in the kustomization; the shared patch applies shaPinningRequired: true. Live effect awaits the same provider-upjet-github#288 bump that gates the whole directory; this delivers the declarative source of truth. Part of devantler-tech/actions#426 Co-Authored-By: Claude Opus 4.8 (1M context) --- deploy/repository-permissions/actions.yaml | 27 +++++++++++++++++++ .../repository-permissions/kustomization.yaml | 8 +++--- 2 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 deploy/repository-permissions/actions.yaml diff --git a/deploy/repository-permissions/actions.yaml b/deploy/repository-permissions/actions.yaml new file mode 100644 index 0000000..458563c --- /dev/null +++ b/deploy/repository-permissions/actions.yaml @@ -0,0 +1,27 @@ +# Actions permissions for devantler-tech/actions — binds the org-wide +# shaPinningRequired policy (asserted once in kustomization.yaml) to this repo. +# Observe+LateInitialize adopts the repo's live enabled/allowedActions so turning +# on SHA-pinning never disturbs them. See ../README.md. +# +# Previously excluded while this repo's first-party self-references were tag-pinned +# (release-please rewrote them per release). Those accommodations were reverted in +# devantler-tech/actions#541 — self-references now resolve by local path after a +# same-commit self-checkout and every remote `uses:` is SHA-pinned — so the repo +# now joins the org-wide policy (devantler-tech/actions#426). +apiVersion: actions.github.m.upbound.io/v1alpha1 +kind: RepositoryPermissions +metadata: + name: actions + annotations: + crossplane.io/external-name: actions +spec: + managementPolicies: + - Observe + - Create + - Update + - LateInitialize + forProvider: + repository: actions + providerConfigRef: + kind: ProviderConfig + name: default diff --git a/deploy/repository-permissions/kustomization.yaml b/deploy/repository-permissions/kustomization.yaml index 3f09e2a..b93570d 100644 --- a/deploy/repository-permissions/kustomization.yaml +++ b/deploy/repository-permissions/kustomization.yaml @@ -11,9 +11,10 @@ # repo's live `enabled`/`allowedActions` first, so turning SHA-pinning on never # disturbs them. # -# Scope = every repo managed in ../labels/ EXCEPT `actions` -# (devantler-tech/actions is intentionally excluded). Bring a new repo under this -# policy by adding `.yaml` here. +# Scope = every repo managed in ../labels/. `actions` joined the policy in +# devantler-tech/actions#426 once its first-party tag-pin accommodations were +# reverted (actions#541) — it had been excluded only while those tags existed. +# Bring a new repo under this policy by adding `.yaml` here. # # REQUIRES a provider-upjet-github release embedding terraform-provider-github # >= 6.11.0 (where `sha_pinning_required` was added). The field is ABSENT in the @@ -25,6 +26,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - dot-github.yaml + - actions.yaml - platform.yaml - ksail.yaml - maintenance.yaml From cd7ec030955e0cdcbbc84265e770530548c1ed34 Mon Sep 17 00:00:00 2001 From: Nikolai Emil Damm Date: Tue, 14 Jul 2026 06:16:30 +0200 Subject: [PATCH 2/2] docs(deploy): drop stale actions SHA-pin exception in README actions.yaml brings devantler-tech/actions under the shaPinningRequired policy, so the README no longer documents it as excepted. Keeps the deploy/ source-of-truth guidance consistent with the manifests. Co-Authored-By: Claude Opus 4.8 (1M context) --- deploy/README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/deploy/README.md b/deploy/README.md index 4264bad..d11bbf4 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -39,11 +39,12 @@ out-of-band changes made in the GitHub UI. - `repository-permissions/` — one `RepositoryPermissions` per managed repo enforcing **Require actions to be pinned to a full-length commit SHA** (`sha_pinning_required`). The policy is asserted once via a shared patch in - `repository-permissions/kustomization.yaml`; scope is every repo in `labels/` - **except `actions`**. Requires a provider-upjet-github release embedding - terraform-provider-github ≥ 6.11.0 (the field is absent in the deployed v0.19.1) - and activation of `repositorypermissions.actions.github.m.upbound.io` in the - platform MRAP. + `repository-permissions/kustomization.yaml`; scope is **every repo in `labels/`** + (`actions` included — its former exception was removed once its tag-pins were + reverted). Live enforcement is still gated on a provider-upjet-github release + embedding terraform-provider-github ≥ 6.11.0 (the field is absent in the deployed + v0.19.1) and activation of `repositorypermissions.actions.github.m.upbound.io` in + the platform MRAP. ## Roadmap