From 49922536c03284d50a4c5125564eb1b794a47392 Mon Sep 17 00:00:00 2001 From: Joshua Gilman Date: Wed, 24 Jun 2026 13:32:38 -0700 Subject: [PATCH] chore: ignore local tooling artifacts and document CLI checksum verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ignore the maintainer-local tooling that was cluttering git status but is not template content: `.codex-security/` (Codex scan output) and `.agents/skills/codex-security-scan/` (a local scanning skill living under the otherwise-committed `.agents/skills`). Document the build-CLI supply-chain story in the CI and Security section: golangci-lint, goose, and mockery verify their downloads against their publishers' checksum files, while sqlc is verified against a repository-committed digest because it publishes none. Repo-pinning the other three was deliberately left out — they already verify upstream, so committing per-platform digests would duplicate that control and add maintenance on every version bump. Co-Authored-By: Claude Opus 4.8 (1M context) --- .gitignore | 7 ++++++- README.md | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 8f4b40d..d1a3646 100644 --- a/.gitignore +++ b/.gitignore @@ -2,10 +2,15 @@ .moon/cache/ .moon/docker/ -# Agent/runtime state (`.agents/skills` is committed template content, not ignored) +# Agent/runtime state. `.agents/skills` holds committed template skills; the +# entries below are local maintainer tooling and runtime state, not template +# content. `.codex-security/` is Codex scan output; `codex-security-scan` is a +# local scanning skill that lives under the otherwise-committed `.agents/skills`. .claude/ .journal/ .wt/ +.codex-security/ +.agents/skills/codex-security-scan/ # Environment .env diff --git a/README.md b/README.md index 5159ba5..d25295b 100644 --- a/README.md +++ b/README.md 
@@ -692,6 +692,8 @@ The docs workflow builds the MkDocs site on pull requests and deploys `docs/buil The scheduled security scan workflow builds the local container image weekly, scans it for high/critical fixed vulnerabilities, and uploads SARIF results to GitHub code scanning. Dependabot covers GitHub Actions, Docker base images, the root Go module, and the docs uv project. +The build CLIs are pinned by version through [Proto](https://moonrepo.dev/proto) and their downloads are integrity-verified: golangci-lint, goose, and mockery verify against their publishers' checksum files (`checksum-url`), while sqlc — which publishes no checksums — is verified against a repository-committed per-platform digest (`.moon/proto/sqlc.sha256`) by the `sqlc-verify` task before it runs. Repo-pinning the other three was considered and deliberately left out: they already verify against upstream checksums, so committing per-platform digests would duplicate that control and add maintenance on every version bump. + Repository settings live in `.github/repository-settings.toml`. They default to immutable releases, private vulnerability reporting, signed commits, squash-only merges, GitHub Pages workflow publishing, and protected tags.
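Review bot: the two new entries in the `.gitignore` hunk only stop untracked files from being added; anything under `.codex-security/` or `.agents/skills/codex-security-scan/` that is already tracked stays tracked and keeps showing up in diffs. Run `git ls-files .codex-security .agents/skills/codex-security-scan` before merging and `git rm -r --cached` whatever it lists. Since `.codex-security/` holds scan output that may describe not-yet-fixed findings, it is also worth confirming the same path is excluded from the container build context so it never ends up in an image.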
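Review bot: the README hunk describes what is verified but not how the control is kept alive or what it defends against. `.moon/proto/sqlc.sha256` has to be regenerated on every sqlc version bump or the `sqlc-verify` task will fail on the next upgrade, which is exactly when someone is tempted to skip it; add the regeneration step next to this paragraph. It would also help to say that verifying a download against the publisher's `checksum-url` confirms the file matches what the publisher currently serves (protecting against a corrupted or substituted download), whereas the committed sqlc digest pins one specific known artifact; that distinction is what makes the "deliberately left out" trade-off in the last sentence a conscious choice rather than an omission.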