
ci: wire org governance gates#38

Merged
NWarila merged 1 commit into main from pt-m4-governance-wiring on Jun 4, 2026

Conversation

@NWarila NWarila commented Jun 4, 2026

Owner

PT-M4 - Governance CI wiring

Makes the template dogfood the org governance standard it is measured against.

A - Vendored doc/ADR gate tools + governance job

  • Vendor check_docs_layout.py, check_ai_residue.py, check_adr_schema.py (byte-identical to NWarila/.github/tools/) into tools/; register in sync-manifest.json.
  • New governance job in template-ci.yml runs them (PR-base refs) + check_pin_parity.py.

B - Org reusables (ADR-0007), SHA-pinned

  • repo-hygiene, codeql, scorecard via NWarila/.github reusables @ 5da716c; scorecard gated off PRs.

C - Pin parity

  • tools/check_pin_parity.py fails if reference/pyproject.toml dev pins and reference/pre-commit-config.yaml revs drift.

Audited locally: vendored tools byte-identical; gate tools + pin-parity pass; reusables resolve at the real SHA with correct inputs/permissions. Note: CodeQL is actions-only by default (ruff S already covers bandit-class SAST); vendored-tool drift vs .github has no inbound sync yet (tracked follow-on).

Vendor the docs layout, ADR schema, and attribution residue gates from NWarila/.github.

Pin repo-hygiene, CodeQL, and Scorecard reusables to NWarila/.github@5da716c.

Skip Scorecard on pull_request; it runs on push, schedule, branch_protection_rule, and workflow_dispatch because it needs id-token and security-events scopes.

Defer the baseline manifest gate until this repo owns baseline-manifest.json.
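The pin-parity gate in part C, shown here as an added example of the kind of check it describes; this is not the repository's own tools/check_pin_parity.py. It assumes exact `==` dev pins live under a `dev` extra in pyproject.toml, that pre-commit hook repos map to PyPI package names through a hand-maintained table, and that a leading `v` on a hook rev is a tag-style prefix to strip before comparing.

```python
"""Pin-parity check: pyproject dev pins vs pre-commit hook revs (added example)."""
import re

# Constructed sample inputs; the ruff mismatch is deliberate so the check fires.
PYPROJECT = '''
[project]
name = "template"

[project.optional-dependencies]
dev = ["ruff==0.4.4", "mypy==1.10.0", "pytest>=8"]
'''
PRE_COMMIT = """
repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
    rev: v0.4.3
  - repo: https://github.com/pre-commit/mirrors-mypy
    rev: v1.10.0
"""
# Assumption: hook repo -> PyPI package mapping is maintained by hand.
REPO_TO_PACKAGE = {
    "astral-sh/ruff-pre-commit": "ruff",
    "pre-commit/mirrors-mypy": "mypy",
}


def dev_pins(pyproject: str) -> dict[str, str]:
    """Return {package: version} for exact '==' entries in the dev extra.

    Minimal scan of the dev array, not a full TOML parser; ranges such as
    'pytest>=8' are not pins and are ignored.
    """
    block = re.search(r"^dev\s*=\s*\[(.*?)\]", pyproject, re.S | re.M)
    pins: dict[str, str] = {}
    for spec in re.findall(r'"([^"]+)"', block.group(1) if block else ""):
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([^\s;]+)", spec.strip())
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def hook_revs(config: str) -> dict[str, str]:
    """Return {package: version} from repo/rev pairs (minimal YAML scan)."""
    revs: dict[str, str] = {}
    pairs = re.findall(r"repo:\s*https://github\.com/(\S+)\s+rev:\s*(\S+)", config)
    for repo, rev in pairs:
        pkg = REPO_TO_PACKAGE.get(repo.rstrip("/"))
        if pkg:
            revs[pkg] = rev.lstrip("v")
    return revs


def drift(pins: dict[str, str], revs: dict[str, str]) -> list[str]:
    """List packages pinned in both places whose versions disagree; empty means parity."""
    return sorted(f"{p}: pyproject=={pins[p]} pre-commit=={revs[p]}"
                  for p in pins.keys() & revs.keys() if pins[p] != revs[p])


if __name__ == "__main__":
    problems = drift(dev_pins(PYPROJECT), hook_revs(PRE_COMMIT))
    raise SystemExit("\n".join(problems) if problems else 0)
```

Packages present in only one file are reported as neither drift nor parity here; a stricter gate would also flag a hook with no matching dev pin.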
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@NWarila NWarila merged commit 61d5033 into main Jun 4, 2026
18 checks passed
@NWarila NWarila deleted the pt-m4-governance-wiring branch June 4, 2026 12:55