diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index bed0bbd..bf28315 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -91,9 +91,10 @@ Closes # - [ ] **Schema.org compliance** — new database tables, columns, or API fields map to Schema.org types, or the PR description justifies any deviation. - [ ] **Locked counts respected** — no change to the platform's locked counts - (17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants · - 40 interest categories · 12 manifesto sections · 3 sources of truth) + (17 mini-apps · 7 data layers · 7 covenants · 40 interest categories · + 12 manifesto sections · 3 sources of truth) without Founder approval documented in the PR description. + Note: Nyuchi Enterprise products are **not** a locked count — see NA-03 §3.3. - [ ] **Frontier defaults** — for user-facing or infrastructure work: offline / local-first behaviour has been considered; any new cryptographic primitive has a documented post-quantum migration path; diff --git a/.github/workflows/reusable-ci-docker.yml b/.github/workflows/reusable-ci-docker.yml index c285379..93aa09e 100644 --- a/.github/workflows/reusable-ci-docker.yml +++ b/.github/workflows/reusable-ci-docker.yml @@ -1,3 +1,20 @@ +# DEPRECATED — use reusable-ci-container.yml instead. +# +# This workflow is superseded by reusable-ci-container.yml, which adds: +# - Multi-platform builds (linux/amd64 + linux/arm64) +# - Registry push support +# - cosign keyless image signing (NA-03 §7.3) +# - BuildKit-generated SBOM + provenance (NA-03 §7.2) +# +# Migration (drop-in): +# uses: nyuchi/.github/.github/workflows/reusable-ci-container.yml@main +# with: +# image-name: ghcr.io/nyuchi/ +# +# This file is kept for backwards-compatibility only. No new consumers +# should call it. It will be removed in a future release cycle. +# +# --------------------------------------------------------------------------- # Reusable workflow: Docker container CI. # # Lints the Dockerfile with hadolint, validates it builds successfully, @@ -69,7 +86,7 @@ jobs: outputs: docker: ${{ steps.filter.outputs.docker }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -88,7 +105,7 @@ jobs: if: needs.changes.outputs.docker == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: Install hadolint env: HADOLINT_VERSION: ${{ inputs.hadolint-version }} @@ -127,7 +144,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: docker build env: @@ -181,7 +198,7 @@ jobs: "${IMAGE_NAME}:ci" - name: Upload Trivy SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: trivy-results.sarif category: trivy-docker diff --git a/.github/workflows/reusable-ci-terraform.yml b/.github/workflows/reusable-ci-terraform.yml index 118cd24..79ce8bb 100644 --- a/.github/workflows/reusable-ci-terraform.yml +++ b/.github/workflows/reusable-ci-terraform.yml @@ -1,3 +1,24 @@ +# DEPRECATED — use reusable-ci-opentofu.yml instead. +# +# This workflow is superseded by reusable-ci-opentofu.yml, which adds: +# - Trivy IaC security scan with SARIF upload (NA-03 §7.3) +# - tofu plan output posted as a PR comment +# - First-class support for HCP Terraform / Terraform Cloud backends +# +# Migration (drop-in for OpenTofu users): +# uses: nyuchi/.github/.github/workflows/reusable-ci-opentofu.yml@main +# with: +# working-directory: infra/ +# +# Note: hashicorp/setup-terraform and terraform-linters/setup-tflint are +# NOT in the org Actions allow-list. Consuming repos that have not yet +# migrated must add them to their own allow-list or migrate to the OpenTofu +# reusable, which uses opentofu/setup-opentofu (already in the allow-list). +# +# This file is kept for backwards-compatibility only. No new consumers +# should call it. It will be removed in a future release cycle. +# +# --------------------------------------------------------------------------- # Reusable workflow: Terraform / OpenTofu CI. # # Runs format-check, init, validate, and tflint on Terraform code. @@ -57,7 +78,7 @@ jobs: outputs: terraform: ${{ steps.filter.outputs.terraform }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -76,7 +97,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -99,7 +120,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -128,7 +149,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 with: tflint_version: ${{ inputs.tflint-version }} diff --git a/.github/workflows/reusable-ci-typescript-lib.yml b/.github/workflows/reusable-ci-typescript-lib.yml index 1d1f139..384428c 100644 --- a/.github/workflows/reusable-ci-typescript-lib.yml +++ b/.github/workflows/reusable-ci-typescript-lib.yml @@ -56,7 +56,7 @@ jobs: outputs: typescript: ${{ steps.filter.outputs.typescript }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -84,8 +84,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -102,8 +102,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -120,8 +120,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -138,8 +138,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} diff --git a/CLAUDE.md b/CLAUDE.md index 2ea7179..d33fc55 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -141,9 +141,10 @@ that would change them. - **No prohibited dependencies:** no Flutter, no Couchbase. - **Post-quantum migration path required** for every new cryptographic primitive adopted by the platform. -- **Locked counts:** 17 Mukoko mini-apps, 7 data layers, 40 interest - categories. Do not mutate via PR. **Nyuchi Enterprise products are - not a locked count** — that line grows; do not treat it as fixed. +- **Locked counts:** 17 Mukoko mini-apps, 7 data layers, 7 covenants, + 40 interest categories, 12 manifesto sections, 3 sources of truth. + Do not mutate via PR. **Nyuchi Enterprise products are not a locked + count** — that line grows; do not treat it as fixed. --- diff --git a/ORG_SETTINGS.md b/ORG_SETTINGS.md index 40823b6..5e64dd7 100644 --- a/ORG_SETTINGS.md +++ b/ORG_SETTINGS.md @@ -95,9 +95,16 @@ At **Settings → Actions → General**: aquasecurity/trivy-action@*, sigstore/cosign-installer@*, opentofu/setup-opentofu@*, - actions/attest-build-provenance@* + actions/attest-build-provenance@*, + hashicorp/setup-terraform@*, + terraform-linters/setup-tflint@* ``` + Note: `hashicorp/setup-terraform` and `terraform-linters/setup-tflint` are + required only by the **deprecated** `reusable-ci-terraform.yml`. Repos that + have migrated to `reusable-ci-opentofu.yml` do not need these two entries. + They will be removed from this list once the legacy workflow is deleted. + To audit drift against what's actually referenced in the reusables: diff --git a/README.md b/README.md index 4e5ae47..86b2dd7 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,7 @@ reusable by commit SHA rather than `@main`. | Path | Purpose | Status | | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | | `.github/workflows/reusable-ci-typescript.yml` | TypeScript CI for non-monorepo projects (pnpm, tsc, Vitest/Jest, ESLint/Biome). Inputs: `node-version-file`, `typecheck-script`, `lint-script`, `test-script`, `build-script`, `skip-build`. | ✅ | +| `.github/workflows/reusable-ci-typescript-lib.yml` | TypeScript library / package CI with path-based change detection. Adds `working-directory` support for sub-directory packages. Inputs: `node-version-file`, `skip-build`, `working-directory`. | ✅ | | `.github/workflows/reusable-ci-nextjs-monorepo.yml` | Turborepo + pnpm CI. Inputs: `tasks`, `node-version-file`. Secrets: `TURBO_TOKEN`, `TURBO_TEAM`. | ✅ | | `.github/workflows/reusable-ci-rust-monorepo.yml` | Cargo workspace CI. Input: `toolchain` (default `stable`). | ✅ | | `.github/workflows/reusable-ci-python-monorepo.yml` | uv workspace CI. Convention-based, no inputs. | ✅ |