Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,9 +91,10 @@ Closes #
- [ ] **Schema.org compliance** — new database tables, columns, or API fields
map to Schema.org types, or the PR description justifies any deviation.
- [ ] **Locked counts respected** — no change to the platform's locked counts
(17 mini-apps · 7 Enterprise products · 7 data layers · 7 covenants ·
40 interest categories · 12 manifesto sections · 3 sources of truth)
without Founder approval documented in the PR description.
(17 mini-apps · 7 data layers · 7 covenants · 40 interest categories ·
12 manifesto sections · 3 sources of truth) without Founder approval
documented in the PR description. Nyuchi Enterprise products are
**not** a locked count (NA-03 §3.3) — do not re-add a count for them.
- [ ] **Frontier defaults** — for user-facing or infrastructure work:
offline / local-first behaviour has been considered; any new
cryptographic primitive has a documented post-quantum migration path;
Expand Down
10 changes: 6 additions & 4 deletions ORG_SETTINGS.md
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,9 @@ At **Settings → Actions → General**:
aquasecurity/trivy-action@*,
sigstore/cosign-installer@*,
opentofu/setup-opentofu@*,
actions/attest-build-provenance@*
actions/attest-build-provenance@*,
hashicorp/setup-terraform@*,
terraform-linters/setup-tflint@*
```

To audit drift against what's actually referenced in the
Expand Down Expand Up @@ -265,12 +267,12 @@ tokens.
in this repo:

- `main-branch-protection.json` — applied to `nyuchi/.github`
(2-approver, 5 lint checks).
(0-approver pre-scale posture per the table above, 5 lint checks).
- `release-tag-protection.json` — applied to `nyuchi/.github`
(protects `v*.*.*` tags).
- `org-wide-main-protection.json` — applied at the org level to
all repos except `sandbox-*` and `archive-*` (1-approver, 5 lint
checks).
all repos except `sandbox-*` and `archive-*` (0-approver
pre-scale posture, 5 lint checks).

Apply or update via:

Expand Down
3 changes: 3 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@ reusable by commit SHA rather than `@main`.
| Path | Purpose | Status |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----: |
| `.github/workflows/reusable-ci-typescript.yml` | TypeScript CI for non-monorepo projects (pnpm, tsc, Vitest/Jest, ESLint/Biome). Inputs: `node-version-file`, `typecheck-script`, `lint-script`, `test-script`, `build-script`, `skip-build`. | ✅ |
| `.github/workflows/reusable-ci-typescript-lib.yml` | TypeScript library/package CI (non-Next.js). Jobs: `tsc --noEmit`, `lint`, `test`, `build`. Inputs: `node-version-file`, `skip-build`, `working-directory`. | ✅ |
| `.github/workflows/reusable-ci-nextjs-monorepo.yml` | Turborepo + pnpm CI. Inputs: `tasks`, `node-version-file`. Secrets: `TURBO_TOKEN`, `TURBO_TEAM`. | ✅ |
| `.github/workflows/reusable-ci-rust-monorepo.yml` | Cargo workspace CI. Input: `toolchain` (default `stable`). | ✅ |
| `.github/workflows/reusable-ci-python-monorepo.yml` | uv workspace CI. Convention-based, no inputs. | ✅ |
Expand All @@ -113,6 +114,8 @@ reusable by commit SHA rather than `@main`.
| `.github/workflows/reusable-openssf-scorecard.yml` | OpenSSF Scorecard analysis. Runs supply-chain security checks and uploads SARIF results to the GitHub Security tab. Inputs: `publish-results`. | ✅ |
| `.github/workflows/reusable-ci-container.yml` | Docker / OCI CI. Jobs: Trivy vulnerability scan, multi-platform build + push (linux/amd64 + arm64), cosign keyless signing. Inputs: `image-name`, `push`, `sign`. | ✅ |
| `.github/workflows/reusable-ci-opentofu.yml` | OpenTofu / Terraform IaC CI. Jobs: `tofu fmt --check`, `tofu validate`, Trivy IaC scan, `tofu plan` (PR comment). Inputs: `working-directory`, `tofu-version`. | ✅ |
| `.github/workflows/reusable-ci-terraform.yml` | HashiCorp Terraform CI (fmt, validate, tflint) for repos not using OpenTofu. Inputs: `working-directory`, `terraform-version`, `tflint-version`. | ✅ |
| `.github/workflows/reusable-ci-docker.yml` | Dockerfile CI gate: hadolint, image build, Trivy vulnerability scan (SARIF to Security tab). No registry push. Inputs: `dockerfile`, `context`, `image-name`, `trivy-severity`. | ✅ |

Legend: ✅ shipped · ⏳ planned

Expand Down