Skip to content

feat: require actions pinned to a full-length commit SHA on all repos but actions#67

Open
devantler wants to merge 3 commits into
mainfrom
feat/require-actions-sha-pinning
Open

feat: require actions pinned to a full-length commit SHA on all repos but actions#67
devantler wants to merge 3 commits into
mainfrom
feat/require-actions-sha-pinning

Conversation

@devantler

Copy link
Copy Markdown
Contributor

Draft — gated on crossplane-contrib/provider-upjet-github#288 and devantler-tech/platform#2250. Do not promote/merge until a provider release embedding terraform-provider-github ≥ 6.11.0 ships and platform#2250 activates the MRD.

What

Adds deploy/actions-permissions/ — one RepositoryPermissions
(actions.github.m.upbound.io, terraform github_actions_repository_permissions)
per managed repo, asserting shaPinningRequired: true via a shared kustomize
patch, enforcing GitHub's Require actions to be pinned to a full-length commit
SHA
policy declaratively.

Scope

Every repo managed in labels/ except devantler-tech/actions (16 repos:
.github, platform, ksail, maintenance, agent-skills, agent-plugins, unifi,
gitops-tenant-template, platform-template, go-template, dotnet-template,
homebrew-tap, reusable-workflows, ascoachingogvaner, wedding-app, fleet-gitops).
actions is intentionally excluded per request.

Design

  • The policy value lives once in actions-permissions/kustomization.yaml
    (shared patch — single source of truth), mirroring the org-wide patches in
    repositories/ and labels/; per-repo files only bind it to a repo.
  • managementPolicies: [Observe, Create, Update, LateInitialize] — matches every
    other resource in deploy/. LateInitialize adopts each repo's live
    enabled/allowedActions before any write, so enabling SHA-pinning never
    disturbs existing Actions permissions. (If you prefer strict Observe-first
    adoption, drop to [Observe] and promote after confirming live state.)

Gating

sha_pinning_required is absent from the deployed provider v0.19.1 (TF
6.6.0). Requires (1) a provider release embedding TF ≥ 6.11.0
(crossplane-contrib/provider-upjet-github#288) and (2) activation of
repositorypermissions.actions.github.m.upbound.io in the platform MRAP
(devantler-tech/platform#2250).

Validation

kubectl kustomize deploy/ builds: 16 RepositoryPermissions, 16
shaPinningRequired: true, 0 for actions. .github binds to external-name
.github.

🤖 Generated with Claude Code

…ut actions

Add deploy/actions-permissions/ — one RepositoryPermissions
(actions.github.m.upbound.io, terraform github_actions_repository_permissions)
per managed repo, asserting shaPinningRequired: true via a shared kustomize
patch (single source of truth), mirroring the org-wide patches in
repositories/ and labels/.

Scope = every repo in labels/ EXCEPT devantler-tech/actions (intentionally
excluded). Observe+LateInitialize adopts each repo's live enabled/allowedActions
so enabling SHA-pinning never disturbs them.

Requires a provider-upjet-github release embedding terraform-provider-github
>= 6.11.0 (sha_pinning_required) and activation of
repositorypermissions.actions.github.m.upbound.io in the platform MRAP.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
devantler and others added 2 commits June 25, 2026 20:24
…ns/ (mirror CR kind)

The folder holds RepositoryPermissions resources, so name the subfolder after the CR
kind — consistent with the per-CR-kind layout (repositories/, organization-rulesets/,
repository-rulesets/, team-*/). Per-repo files keep the <repo>.yaml convention. Folder
rename + reference updates (base kustomization, README) only; resource bodies unchanged.
`kubectl kustomize deploy/` validated (16 RepositoryPermissions, SHA-pinning patch intact).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…sha-pinning

# Conflicts:
#	deploy/README.md
#	deploy/kustomization.yaml
@devantler devantler marked this pull request as ready for review June 25, 2026 18:29
@devantler devantler marked this pull request as draft June 27, 2026 23:22
@devantler devantler marked this pull request as ready for review July 2, 2026 17:58
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 66a6fa07-c386-4402-a7c2-8a06bcebb04d

📥 Commits

Reviewing files that changed from the base of the PR and between 696d43a and 67b1fe0.

📒 Files selected for processing (19)
  • deploy/README.md
  • deploy/kustomization.yaml
  • deploy/repository-permissions/agent-plugins.yaml
  • deploy/repository-permissions/agent-skills.yaml
  • deploy/repository-permissions/ascoachingogvaner.yaml
  • deploy/repository-permissions/dot-github.yaml
  • deploy/repository-permissions/dotnet-template.yaml
  • deploy/repository-permissions/fleet-gitops.yaml
  • deploy/repository-permissions/gitops-tenant-template.yaml
  • deploy/repository-permissions/go-template.yaml
  • deploy/repository-permissions/homebrew-tap.yaml
  • deploy/repository-permissions/ksail.yaml
  • deploy/repository-permissions/kustomization.yaml
  • deploy/repository-permissions/maintenance.yaml
  • deploy/repository-permissions/platform-template.yaml
  • deploy/repository-permissions/platform.yaml
  • deploy/repository-permissions/reusable-workflows.yaml
  • deploy/repository-permissions/unifi.yaml
  • deploy/repository-permissions/wedding-app.yaml

📝 Walkthrough

Walkthrough

This PR adds a repository-permissions/ Kustomize directory containing per-repository Crossplane RepositoryPermissions manifests for 17 repositories, plus a shared kustomization patch enforcing shaPinningRequired: true. The root deploy/kustomization.yaml and deploy/README.md are updated accordingly.

Changes

Repository permissions enforcement

Layer / File(s) Summary
Documentation and root wiring
deploy/README.md, deploy/kustomization.yaml
Documents the new sha_pinning_required policy and adds repository-permissions/ to the root Kustomization resources list.
Shared SHA-pinning patch
deploy/repository-permissions/kustomization.yaml
Lists all per-repo manifests as resources and applies a JSON6902 patch setting /spec/forProvider/shaPinningRequired to true for all matching RepositoryPermissions resources.
Per-repository manifests
deploy/repository-permissions/*.yaml
Adds 17 individual RepositoryPermissions custom resources (one per repo), each configuring Observe/Create/Update/LateInitialize management policies, external-name annotation, target repository, and providerConfigRef: default.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

Not applicable — this PR consists of homogeneous declarative YAML manifests and configuration wiring with no multi-component runtime control flow to visualize.

Related PRs: None identified.

Suggested labels: deploy, kustomize, github-actions, documentation

Suggested reviewers: devantler

Poem:
🐰 Seventeen repos, each gets a scroll,
Pinned to SHAs, that's the goal,
One patch to bind them, kustomized tight,
README updated, README done right,
Hop, hop — the manifests all take flight!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: enforcing SHA-pinned GitHub Actions across repos except actions.
Description check ✅ Passed The description is directly about the same GitHub Actions permissions change and its gating details.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/require-actions-sha-pinning

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant