fix(checkpoints): GH-08/09 .yml form templates + GH-19/20 reusable workflow#63
Conversation
…kflow **GH-8 / GH-9** issue templates: accept the modern `.yml` form templates (structured fields, validation, required inputs) in addition to the legacy `.md` files. The `.yml` form is the recommended Netresearch standard. **GH-19 / GH-20** CodeQL / OpenSSF Scorecard: same fix pattern as ER-19/20 from PR #55 — accept either a dedicated workflow file OR a job in another workflow that calls the canonical action (github/codeql-action, ossf/scorecard-action) or delegates to the netresearch reusable workflow. Verified against netresearch/t3x-nr-llm — all four pass with the project's modern setup (.yml templates + reusable-workflow CodeQL/ Scorecard jobs in ci.yml). Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
There was a problem hiding this comment.
Code Review
This pull request updates the checkpoints.yaml file to support modern .yml issue templates alongside legacy .md files and transitions CodeQL and OpenSSF Scorecard checks from simple file existence to regex-based pattern matching within workflow files. The review feedback suggests using shell command chains for multi-file existence checks to align with existing repository patterns and recommends refining regex patterns to target unique path strings instead of the uses: prefix to improve robustness against formatting variations.
There was a problem hiding this comment.
Pull request overview
Updates the github-project skill’s mechanical checkpoints to better align with Netresearch’s preferred GitHub configuration patterns (issue form templates and reusable workflows), reducing drift across repos.
Changes:
- Allow issue templates to be satisfied by either modern
.ymlissue forms or legacy.mdtemplates (with.ymlpreferred). - Change CodeQL and OpenSSF Scorecard checks from “file exists” to workflow content detection (supports dedicated workflows or jobs delegating to reusable workflows).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
## Release v2.14.0 Minor release. `.claude-plugin/plugin.json` and `skills/github-project/SKILL.md` frontmatter `metadata.version` were already synced to `2.14.0` on `main` via [#74](#74) — this PR is the empty release marker that closes the v2.13.1 → v2.14.0 window and triggers the signed-tag release. ### Highlights since v2.13.1 - **`agentic-workflows` reference** documenting `gh-aw` and `awf` workflow-as-prompt tooling for autonomous GitHub Actions — new patterns for running AI agents on PRs/issues without bespoke wiring ([#75](#75)). - **AI reviewer pushback patterns** — handling Copilot/Sourcery review comments that disagree with the codebase intent, including when to defer and when to push back ([#66](#66), [#74](#74)). - **PR-merge / branch-protection / CodeQL gotchas** documented, plus auto-detection of allowed merge strategy in the `--delete-branch` snippet so the recipe doesn't break on repos with merge-commit-only policies ([#69](#69), [#71](#71), [#72](#72)). - **GraphQL `Repository.mergeQueue`** for queue detection — replaces a brittle REST probe ([#70](#70)). - **Assessment checkpoints overhaul**: new GH-34/GH-35/GH-36, follow_uses delegation for CodeQL/Scorecard, org_provides for community-health files, broader licence/Dependabot/workflow targets, plus reusable-workflow-pitfalls reference. Multiple false-positive findings demoted to `info` to reduce assessment noise ([#56](#56), [#57](#57), [#58](#58), [#59](#59), [#60](#60), [#61](#61), [#62](#62), [#63](#63), [#64](#64), [#65](#65), [#73](#73)). - **npm distribution** — the skill now also ships via `@netresearch/agent-skill-coordinator` ([#54](#54), [#55](#55)). - **Release pipeline hardening** — dropped the deprecated `with: bump:` block + `workflow_dispatch.bump` input so releases happen exclusively via locally-signed tags, plus SLSA-provenance permissions on the caller ([#52](#52), [#53](#53)). ### Release plan After merge: tag main with a signed annotated tag, push, the `skill-repo-skill` reusable workflow publishes archives + SHA256SUMS with cosign + SLSA attestation, then narrative notes get applied via `gh release edit ... --notes-file`.
Skill batch fix series — see commit messages for per-checkpoint rationale and verification against netresearch/t3x-nr-llm. Part of the 2026-04 unification sweep to eliminate skill drift across the Netresearch TYPO3 portfolio.