feat: require actions pinned to a full-length commit SHA on all repos but actions#67
feat: require actions pinned to a full-length commit SHA on all repos but actions#67devantler wants to merge 3 commits into
Conversation
…ut actions Add deploy/actions-permissions/ — one RepositoryPermissions (actions.github.m.upbound.io, terraform github_actions_repository_permissions) per managed repo, asserting shaPinningRequired: true via a shared kustomize patch (single source of truth), mirroring the org-wide patches in repositories/ and labels/. Scope = every repo in labels/ EXCEPT devantler-tech/actions (intentionally excluded). Observe+LateInitialize adopts each repo's live enabled/allowedActions so enabling SHA-pinning never disturbs them. Requires a provider-upjet-github release embedding terraform-provider-github >= 6.11.0 (sha_pinning_required) and activation of repositorypermissions.actions.github.m.upbound.io in the platform MRAP. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ns/ (mirror CR kind) The folder holds RepositoryPermissions resources, so name the subfolder after the CR kind — consistent with the per-CR-kind layout (repositories/, organization-rulesets/, repository-rulesets/, team-*/). Per-repo files keep the <repo>.yaml convention. Folder rename + reference updates (base kustomization, README) only; resource bodies unchanged. `kubectl kustomize deploy/` validated (16 RepositoryPermissions, SHA-pinning patch intact). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…sha-pinning # Conflicts: # deploy/README.md # deploy/kustomization.yaml
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (19)
📝 WalkthroughWalkthroughThis PR adds a ChangesRepository permissions enforcement
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)Not applicable — this PR consists of homogeneous declarative YAML manifests and configuration wiring with no multi-component runtime control flow to visualize. Related PRs: None identified. Suggested labels: deploy, kustomize, github-actions, documentation Suggested reviewers: devantler Poem: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
What
Adds
deploy/actions-permissions/— oneRepositoryPermissions(
actions.github.m.upbound.io, terraformgithub_actions_repository_permissions)per managed repo, asserting
shaPinningRequired: truevia a shared kustomizepatch, enforcing GitHub's Require actions to be pinned to a full-length commit
SHA policy declaratively.
Scope
Every repo managed in
labels/exceptdevantler-tech/actions(16 repos:.github, platform, ksail, maintenance, agent-skills, agent-plugins, unifi,gitops-tenant-template, platform-template, go-template, dotnet-template,
homebrew-tap, reusable-workflows, ascoachingogvaner, wedding-app, fleet-gitops).
actionsis intentionally excluded per request.Design
actions-permissions/kustomization.yaml(shared patch — single source of truth), mirroring the org-wide patches in
repositories/andlabels/; per-repo files only bind it to a repo.managementPolicies: [Observe, Create, Update, LateInitialize]— matches everyother resource in
deploy/. LateInitialize adopts each repo's liveenabled/allowedActionsbefore any write, so enabling SHA-pinning neverdisturbs existing Actions permissions. (If you prefer strict Observe-first
adoption, drop to
[Observe]and promote after confirming live state.)Gating
sha_pinning_requiredis absent from the deployed provider v0.19.1 (TF6.6.0). Requires (1) a provider release embedding TF ≥ 6.11.0
(crossplane-contrib/provider-upjet-github#288) and (2) activation of
repositorypermissions.actions.github.m.upbound.ioin the platform MRAP(devantler-tech/platform#2250).
Validation
kubectl kustomize deploy/builds: 16RepositoryPermissions, 16shaPinningRequired: true, 0 foractions..githubbinds to external-name.github.🤖 Generated with Claude Code