
docs: basectl-ci.md Actions example lacks CI supply-chain policy cross-reference #1270

Description

@codeforester

The example GitHub Actions step manually runs python -m pip install PyYAML click. Since 1.3.0 added a CI supply-chain policy (docs/ci-supply-chain-policy.md) covering Python dependency auditing and GitHub Action pinning requirements, this example is potentially out of alignment with Base's own declared policy. A user following this example to set up CI will not discover Base's CI supply-chain requirements for their own workflow.

Fix: Add a "See also: CI Supply Chain Policy" cross-reference after the example. Review whether the pip install step should use pinned hashes or a requirements file to align with the policy, or at minimum note that the example is a minimal starter and real CI should follow the policy.

File: docs/basectl-ci.md
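As an added example that is not part of this issue or of Base's own docs or code: a POSIX-shell check that flags the two gaps the issue names in a workflow file, actions referenced by a mutable tag instead of a full commit SHA and pip installs that do not use --require-hashes with a requirements file. The helper names (check_workflow, count_findings), the sample workflow and its all-zero SHA are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Base project code: flag the two CI supply-chain gaps the issue
# names in a workflow file: actions referenced by a mutable tag instead of a full
# commit SHA, and pip installs without --require-hashes from a requirements file.
# Constructed sample (not a real repository file): the docs-style unpinned step next
# to a hardened variant. The 40-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install PyYAML click
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder
      - run: python -m pip install --require-hashes -r requirements.txt
'

# check_workflow FILE: print one finding per line; exit status 1 if any, else 0.
check_workflow() {
    findings=0
    while IFS= read -r line; do
        case $line in
            *uses:*)
                ref=${line##*@}      # text after the '@' in owner/repo@ref
                ref=${ref%% *}       # drop a trailing "# comment"
                if ! printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
                    printf 'unpinned action (not a 40-hex SHA): %s\n' "$line"
                    findings=$((findings + 1))
                fi ;;
            *"pip install"*)
                case $line in
                    *--require-hashes*) ;;
                    *) printf 'pip install without --require-hashes: %s\n' "$line"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done < "$1"
    return "$((findings > 0))"
}
# count_findings FILE: number of findings, for scripting and the check below.
count_findings() { check_workflow "$1" | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample: expect exactly the two 'weak' lines.
tmp=$(mktemp); printf '%s' "$SAMPLE_WORKFLOW" > "$tmp"
check_workflow "$tmp" || echo "workflow needs pinning (exit $?)"; rm -f "$tmp"
```

Local actions referenced by path and actions pinned to a tag both count as findings; the check deliberately accepts only a full commit SHA.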

Status: Done