chore: standards remediation #18

Merged: ChelseaKR merged 1 commit into main from standards-remediation on Jun 30, 2026

@ChelseaKR

Owner

Safe mechanical conformance fixes per STANDARDS backlog.

Remediated

  • persist-credentials: false added to every actions/checkout across all six workflows (ci, a11y, codeql, pages, release, tsa-integration). None of these checkouts run git push/fetch, so dropping the persisted GITHUB_TOKEN is safe — satisfies the SECURITY-AND-SUPPLY-CHAIN / CI-CD AUTO-GATE.
  • CITATION.cff added (valid CFF 1.2.0) per DOCUMENTATION-STANDARD §4: title, authors, version (0.2.0), date-released (2026-06-17), license (AGPL-3.0-or-later). ORCID omitted (none on record); DOI deferred until Zenodo archival.

Already conformant (no change needed)

  • Least-privilege tokens: every workflow already has an explicit permissions: block (contents: read top-level, scoped elevation only where required).
  • Action SHA-pinning: all uses: already pinned to full 40-char SHAs with # vX.Y.Z comments.
  • Coverage floor: Makefile cov target already runs --cov-fail-under=85 ungated via make verify; current branch coverage 86.04%.
  • No || true / continue-on-error anywhere in CI.

Flagged (out of scope — higher effort)

Verification

make verify green on Python 3.14.6: 122 passed, 86.04% branch coverage. EN/ES parity and crypto/threat-model/privacy gates untouched.

Safe, mechanical conformance fixes per vendored STANDARDS:

- persist-credentials: false on every actions/checkout across all six
  workflows (ci, a11y, codeql, pages, release, tsa-integration). None
  of these checkouts perform git push/fetch, so dropping the persisted
  GITHUB_TOKEN is safe and satisfies the SECURITY-AND-SUPPLY-CHAIN /
  CI-CD AUTO-GATE.
- Add CITATION.cff (valid CFF 1.2.0) per DOCUMENTATION-STANDARD §4:
  title, authors, version (0.2.0), date-released, license
  (AGPL-3.0-or-later). ORCID omitted (none on record).

No change to gates, permissions blocks (already least-privilege),
SHA pins (already full-SHA), or the coverage floor (already
--cov-fail-under=85). make verify is green: 122 passed,
86.04% branch coverage on Python 3.14.6.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Chelsea Kelly-Reif <3114598+ChelseaKR@users.noreply.github.com>
@ChelseaKR ChelseaKR merged commit 1448bd1 into main Jun 30, 2026
6 checks passed
@ChelseaKR ChelseaKR deleted the standards-remediation branch June 30, 2026 21:43
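The two workflow properties this pull request relies on (`persist-credentials: false` on every `actions/checkout`, and `uses:` pinned to a full 40-character SHA) can be checked mechanically. The following is an added example, not code from this repository or pull request: the function names, the sample workflow and the placeholder SHA are constructed, and it assumes conventionally indented block-style YAML rather than using a full YAML parser.

```python
import re

# Constructed placeholder SHA and workflow text (not taken from the repository).
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{SHA}  # placeholder pin
        with:
          persist-credentials: false
      - name: second checkout
        uses: actions/checkout@v4
      - uses: actions/setup-python@{SHA}
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _step_lines(lines, i):
    """Lines of the list item (step) that contains the `uses:` line at index i."""
    start = i
    while start > 0 and not (lines[start].lstrip().startswith("- ")
                             and (start == i or _indent(lines[start]) < _indent(lines[i]))):
        start -= 1
    dash, end = _indent(lines[start]), start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > dash):
        end += 1
    return lines[start:end]

def audit_workflow(text):
    """Return (line_no, rule, ref) for each checkout/pinning violation found."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if not (m := USES.match(line)):
            continue
        ref = m.group(1)
        # Rule 1: remote actions must be pinned to a full 40-char commit SHA.
        if not ref.startswith("./") and not FULL_SHA.search(ref):
            findings.append((i + 1, "unpinned", ref))
        # Rule 2: every actions/checkout step must set persist-credentials: false.
        if ref.split("@")[0] == "actions/checkout" and not any(
                NO_PERSIST.match(l) for l in _step_lines(lines, i)):
            findings.append((i + 1, "persist-credentials", ref))
    return findings
```

Calling `audit_workflow()` on the text of each file under `.github/workflows/` and failing the job on a non-empty result turns both properties into a gate.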