diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index bed0bbd..c58af84 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -91,9 +91,10 @@ Closes # - [ ] **Schema.org compliance** — new database tables, columns, or API fields map to Schema.org types, or the PR description justifies any deviation. - [ ] **Locked counts respected** — no change to the platform's locked counts - (17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants · - 40 interest categories · 12 manifesto sections · 3 sources of truth) - without Founder approval documented in the PR description. + (17 mini-apps · 7 data layers · 7 covenants · 40 interest categories · + 12 manifesto sections · 3 sources of truth) without Founder approval + documented in the PR description. Nyuchi Enterprise products are + **not** a locked count (NA-03 §3.3) — do not re-add a count for them. - [ ] **Frontier defaults** — for user-facing or infrastructure work: offline / local-first behaviour has been considered; any new cryptographic primitive has a documented post-quantum migration path; diff --git a/ORG_SETTINGS.md b/ORG_SETTINGS.md index 40823b6..32863e1 100644 --- a/ORG_SETTINGS.md +++ b/ORG_SETTINGS.md @@ -95,7 +95,9 @@ At **Settings → Actions → General**: aquasecurity/trivy-action@*, sigstore/cosign-installer@*, opentofu/setup-opentofu@*, - actions/attest-build-provenance@* + actions/attest-build-provenance@*, + hashicorp/setup-terraform@*, + terraform-linters/setup-tflint@* ``` To audit drift against what's actually referenced in the @@ -265,12 +267,12 @@ tokens. in this repo: - `main-branch-protection.json` — applied to `nyuchi/.github` - (2-approver, 5 lint checks). + (0-approver pre-scale posture per the table above, 5 lint checks). - `release-tag-protection.json` — applied to `nyuchi/.github` (protects `v*.*.*` tags). - `org-wide-main-protection.json` — applied at the org level to - all repos except `sandbox-*` and `archive-*` (1-approver, 5 lint - checks). + all repos except `sandbox-*` and `archive-*` (0-approver + pre-scale posture, 5 lint checks). Apply or update via: diff --git a/README.md b/README.md index 4e5ae47..c3c2a34 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,7 @@ reusable by commit SHA rather than `@main`. | Path | Purpose | Status | | --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: | | `.github/workflows/reusable-ci-typescript.yml` | TypeScript CI for non-monorepo projects (pnpm, tsc, Vitest/Jest, ESLint/Biome). Inputs: `node-version-file`, `typecheck-script`, `lint-script`, `test-script`, `build-script`, `skip-build`. | ✅ | +| `.github/workflows/reusable-ci-typescript-lib.yml` | TypeScript library/package CI (non-Next.js). Jobs: `tsc --noEmit`, `lint`, `test`, `build`. Inputs: `node-version-file`, `skip-build`, `working-directory`. | ✅ | | `.github/workflows/reusable-ci-nextjs-monorepo.yml` | Turborepo + pnpm CI. Inputs: `tasks`, `node-version-file`. Secrets: `TURBO_TOKEN`, `TURBO_TEAM`. | ✅ | | `.github/workflows/reusable-ci-rust-monorepo.yml` | Cargo workspace CI. Input: `toolchain` (default `stable`). | ✅ | | `.github/workflows/reusable-ci-python-monorepo.yml` | uv workspace CI. Convention-based, no inputs. | ✅ | @@ -113,6 +114,8 @@ reusable by commit SHA rather than `@main`. | `.github/workflows/reusable-openssf-scorecard.yml` | OpenSSF Scorecard analysis. Runs supply-chain security checks and uploads SARIF results to the GitHub Security tab. Inputs: `publish-results`. | ✅ | | `.github/workflows/reusable-ci-container.yml` | Docker / OCI CI. Jobs: Trivy vulnerability scan, multi-platform build + push (linux/amd64 + arm64), cosign keyless signing. Inputs: `image-name`, `push`, `sign`. | ✅ | | `.github/workflows/reusable-ci-opentofu.yml` | OpenTofu / Terraform IaC CI. Jobs: `tofu fmt --check`, `tofu validate`, Trivy IaC scan, `tofu plan` (PR comment). Inputs: `working-directory`, `tofu-version`. | ✅ | +| `.github/workflows/reusable-ci-terraform.yml` | HashiCorp Terraform CI (fmt, validate, tflint) for repos not using OpenTofu. Inputs: `working-directory`, `terraform-version`, `tflint-version`. | ✅ | +| `.github/workflows/reusable-ci-docker.yml` | Dockerfile CI gate: hadolint, image build, Trivy vulnerability scan (SARIF to Security tab). No registry push. Inputs: `dockerfile`, `context`, `image-name`, `trivy-severity`. | ✅ | Legend: ✅ shipped · ⏳ planned