From 33d1eb9cf2f004e76c17c917235e911ca3d8642c Mon Sep 17 00:00:00 2001 From: Bryan Fawcett Date: Tue, 23 Jun 2026 01:06:17 +0000 Subject: [PATCH] fix(governance): align docs and CI with NA-03 v1.6 and org-wide consistency Remove stale "7 Enterprise products" locked count from PR template (removed in NA-03 v1.6). Complete CLAUDE.md locked counts to list all six (was missing covenants, manifesto sections, sources of truth). Add TypeScript/Biome and TypeScript/Bun entries to CLAUDE.md stack commands to match AGENTS.md; add pnpm audit to Next.js entry. Align reusable-ci-typescript-lib and reusable-ci-docker to use the same actions/checkout (9c091bb), pnpm/action-setup (0ebf47b), and codeql-action/upload-sarif (8aad20d) SHAs as every other reusable workflow in the org. Add pnpm audit (--audit-level=moderate) to reusable-ci-typescript and reusable-ci-typescript-lib, matching the security gate already present in reusable-ci-nextjs-monorepo. Signed-off-by: Bryan Fawcett --- .github/PULL_REQUEST_TEMPLATE.md | 4 +- .github/workflows/reusable-ci-docker.yml | 8 ++-- .../workflows/reusable-ci-typescript-lib.yml | 40 ++++++++++++++----- .github/workflows/reusable-ci-typescript.yml | 17 ++++++++ CLAUDE.md | 11 +++-- 5 files changed, 61 insertions(+), 19 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index bed0bbd..8e56fa7 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -91,8 +91,8 @@ Closes # - [ ] **Schema.org compliance** — new database tables, columns, or API fields map to Schema.org types, or the PR description justifies any deviation. - [ ] **Locked counts respected** — no change to the platform's locked counts - (17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants · - 40 interest categories · 12 manifesto sections · 3 sources of truth) + (17 mini-apps · 7 data layers · 7 covenants · 40 interest categories · + 12 manifesto sections · 3 sources of truth) without Founder approval documented in the PR description. - [ ] **Frontier defaults** — for user-facing or infrastructure work: offline / local-first behaviour has been considered; any new diff --git a/.github/workflows/reusable-ci-docker.yml b/.github/workflows/reusable-ci-docker.yml index c285379..9e88977 100644 --- a/.github/workflows/reusable-ci-docker.yml +++ b/.github/workflows/reusable-ci-docker.yml @@ -69,7 +69,7 @@ jobs: outputs: docker: ${{ steps.filter.outputs.docker }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -88,7 +88,7 @@ jobs: if: needs.changes.outputs.docker == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: Install hadolint env: HADOLINT_VERSION: ${{ inputs.hadolint-version }} @@ -127,7 +127,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: docker build env: @@ -181,7 +181,7 @@ jobs: "${IMAGE_NAME}:ci" - name: Upload Trivy SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: trivy-results.sarif category: trivy-docker diff --git a/.github/workflows/reusable-ci-typescript-lib.yml b/.github/workflows/reusable-ci-typescript-lib.yml index 1d1f139..06d64d5 100644 --- a/.github/workflows/reusable-ci-typescript-lib.yml +++ b/.github/workflows/reusable-ci-typescript-lib.yml @@ -56,7 +56,7 @@ jobs: outputs: typescript: ${{ steps.filter.outputs.typescript }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -84,8 +84,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -102,8 +102,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -120,8 +120,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -138,11 +138,33 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} cache: pnpm - run: pnpm install --frozen-lockfile - run: pnpm build + + audit: + name: pnpm audit + needs: changes + if: needs.changes.outputs.typescript == 'true' + runs-on: ubuntu-latest + defaults: + run: + working-directory: ${{ inputs.working-directory }} + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version-file: ${{ inputs.node-version-file }} + cache: pnpm + - run: pnpm install --frozen-lockfile + - name: pnpm audit + shell: bash + run: | + set -euo pipefail + pnpm audit --audit-level=moderate diff --git a/.github/workflows/reusable-ci-typescript.yml b/.github/workflows/reusable-ci-typescript.yml index 7a503dd..b933251 100644 --- a/.github/workflows/reusable-ci-typescript.yml +++ b/.github/workflows/reusable-ci-typescript.yml @@ -154,3 +154,20 @@ jobs: exit 1 fi pnpm run "$BUILD_SCRIPT" + + audit: + name: pnpm audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version-file: ${{ inputs.node-version-file }} + cache: pnpm + - run: pnpm install --frozen-lockfile + - name: pnpm audit + shell: bash + run: | + set -euo pipefail + pnpm audit --audit-level=moderate diff --git a/CLAUDE.md b/CLAUDE.md index 2ea7179..d981816 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -79,8 +79,10 @@ Honour a repo's declared check commands over these defaults: | Stack | Install | Full check | | -------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| TypeScript / Next.js | `pnpm install` | `pnpm lint && pnpm typecheck && pnpm test && pnpm build` | +| TypeScript / Next.js | `pnpm install` | `pnpm lint && pnpm typecheck && pnpm test && pnpm build && pnpm audit --audit-level=moderate` | +| TypeScript (Biome) | `pnpm install` | `pnpm check && pnpm typecheck && pnpm test && pnpm build` | | TypeScript library | `pnpm install` | `pnpm typecheck && pnpm lint && pnpm test` | +| TypeScript / Bun | `bun install` | `bun lint && bun typecheck && bun test && bun build` | | Rust | (Cargo workspace) | `cargo fmt --check && cargo clippy --workspace --all-targets --all-features -- -D warnings && cargo nextest run --workspace --all-features && cargo test --workspace --doc` | | Python (uv) | `uv sync` | `uv run ruff check . && uv run ruff format --check . && uv run mypy packages && uv run pytest` | | Solidity (Foundry) | `forge install` | `forge fmt --check && forge build --sizes && forge test -vvv` | @@ -141,9 +143,10 @@ that would change them. - **No prohibited dependencies:** no Flutter, no Couchbase. - **Post-quantum migration path required** for every new cryptographic primitive adopted by the platform. -- **Locked counts:** 17 Mukoko mini-apps, 7 data layers, 40 interest - categories. Do not mutate via PR. **Nyuchi Enterprise products are - not a locked count** — that line grows; do not treat it as fixed. +- **Locked counts:** 17 Mukoko mini-apps, 7 data layers, 7 covenants, + 40 interest categories, 12 manifesto sections, 3 sources of truth. + Do not mutate via PR. **Nyuchi Enterprise products are not a locked + count** — that line grows; do not treat it as fixed. ---