The example GitHub Actions step manually runs python -m pip install PyYAML click. Since 1.3.0 added a CI supply-chain policy (docs/ci-supply-chain-policy.md) covering Python dependency auditing and GitHub Action pinning requirements, this example is potentially out of alignment with Base's own declared policy. A user following this example to set up CI will not discover Base's CI supply-chain requirements for their own workflow.
Fix: Add a "See also: CI Supply Chain Policy" cross-reference after the example. Review whether the pip install step should use pinned hashes or a requirements file to align with the policy, or at minimum note that the example is a minimal starter and real CI should follow the policy.
File: docs/basectl-ci.md
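A lint for the two gaps this finding raises, added here as an example that is not part of Base or of this review: it flags `uses:` references that are not pinned to a full commit SHA and `pip install` commands that do not enforce hashes, using a regex scan (no PyYAML needed) over a constructed sample workflow whose 40-hex SHA is a placeholder.

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
PIP_INSTALL = re.compile(r"\bpip\s+install\b")

# Constructed sample workflow: the unpinned starter step beside hardened ones.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: python -m pip install PyYAML click
      - run: |
          python -m pip install --require-hashes \\
            -r requirements.txt
      - uses: ./.github/actions/local-step
"""

def _logical_lines(text):
    """Yield (line_no, text), joining backslash-continued lines so a
    multi-line pip command is checked as one command."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = no if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)
def find_unpinned_actions(text):
    """[(line_no, uses_value)] for third-party actions referenced by tag or
    branch instead of a full 40-hex commit SHA; local and docker refs skipped."""
    hits = []
    for no, line in _logical_lines(text):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        _, _, ref = m.group(1).partition("@")
        if not SHA40.match(ref):
            hits.append((no, m.group(1)))
    return hits
def find_unhashed_pip_installs(text):
    """Line numbers of pip install commands that do not pass --require-hashes."""
    return [no for no, line in _logical_lines(text)
            if PIP_INSTALL.search(line) and "--require-hashes" not in line]
```

Run both functions over the workflow files under `.github/workflows/` in CI so a new unpinned action or hash-less install fails the job instead of going unnoticed.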