feat(checkpoints): add GH-34/35/36 + reusable-workflow-pitfalls reference #71
…ence

GH-34 (mechanical, error): Composite-action references inside .github/workflows/*.yml must be SHA-pinned. Reusable-workflow refs (uses: org/repo/.github/workflows/foo.yml@main) remain exempt per the existing reusable-workflow-security.md doc, but composite-action refs (uses: org/repo/.github/actions/foo@main) break consumers that enforce SHA-pinning when this workflow is called as a reusable workflow. Implemented via PCRE negative lookahead in regex_not.

GH-35 (mechanical, warning): Every workflow job with `steps:` should start with step-security/harden-runner. YAML-AST check via embedded python yaml.safe_load — a regex-only check cannot reliably reason about "first step of each job" across multi-line YAML. Pure reusable-workflow callers (job-level `uses:` instead of `steps:`) are exempt. No-ops if python3 or PyYAML are unavailable.

GH-36 (llm_review, info): Before declaring PR review feedback addressed, verify zero unresolved review threads via GraphQL. Process check that catches the failure mode where only top-of-discussion threads are addressed and inline-code or earlier-reviewer threads stay open.

New reference: references/reusable-workflow-pitfalls.md covers four operational traps distinct from the supply-chain focus of reusable-workflow-security.md:
- ./ does NOT resolve to the reusable workflow's repo
- composite-action SHA-pinning rule (paired with GH-34)
- gh run rerun caches @ref resolution at original trigger time
- permissions ceiling: caller's job-level permissions clamp the token

SKILL.md description broadened to activate on reusable-workflow, composite-action, and harden-runner authoring tasks (329 chars total). References table gains rows for both reusable-workflow-* docs.

Self-tested: skill repo's own workflows pass GH-34 and GH-35.

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
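The GH-36 check described in the commit message above, as an added example (not code from this PR or the skill repo): it collects unresolved review threads and, going beyond that message, follows `pageInfo.hasNextPage` so threads past the first page are counted. `run_query`, `fake_api` and the canned pages are hypothetical stand-ins for a real GraphQL call.

```python
# Added illustration: field names follow GitHub's GraphQL schema
# (reviewThreads, isResolved, pageInfo); helper names are hypothetical.
QUERY = """
query($owner: String!, $repo: String!, $pr: Int!, $after: String) {
  repository(owner: $owner, name: $repo) { pullRequest(number: $pr) {
    reviewThreads(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes { id isResolved path }
    }
  } }
}
"""


def unresolved_threads(run_query, owner, repo, pr):
    """Walk every reviewThreads page; run_query(query, variables) -> dict."""
    unresolved, cursor = [], None
    while True:
        variables = {"owner": owner, "repo": repo, "pr": pr, "after": cursor}
        data = run_query(QUERY, variables)
        threads = data["data"]["repository"]["pullRequest"]["reviewThreads"]
        unresolved += [t for t in threads["nodes"] if not t["isResolved"]]
        if not threads["pageInfo"]["hasNextPage"]:
            return unresolved
        cursor = threads["pageInfo"]["endCursor"]


def fake_api(pages):
    """Constructed stand-in for the API: serves canned pages by cursor."""
    def run_query(_query, variables):
        index = 0 if variables["after"] is None else int(variables["after"])
        last = index == len(pages) - 1
        return {"data": {"repository": {"pullRequest": {"reviewThreads": {
            "pageInfo": {"hasNextPage": not last,
                         "endCursor": None if last else str(index + 1)},
            "nodes": pages[index]}}}}}
    return run_query


def make_pages():
    """Constructed data: 100 resolved threads, then one open inline thread."""
    page1 = [{"id": f"T{i}", "isResolved": True, "path": "a.yml"} for i in range(100)]
    page2 = [{"id": "T100", "isResolved": False, "path": ".github/workflows/ci.yml"}]
    return [page1, page2]


if __name__ == "__main__":
    found = unresolved_threads(fake_api(make_pages()), "example-org", "example-repo", 1)
    print(len(found), "unresolved:", [t["id"] for t in found])
```

A caller that reads only the first page of this constructed data sees 100 resolved threads and would report the PR as fully addressed.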
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Code Review
This pull request updates the github-project skill by expanding its description and adding new checkpoints for GitHub Actions security and process management. Specifically, it introduces checks for SHA-pinning composite actions (GH-34), ensuring harden-runner is the first step in workflow jobs (GH-35), and verifying that all PR review threads are resolved via GraphQL (GH-36). Additionally, a new reference document, reusable-workflow-pitfalls.md, has been added to provide guidance on common issues with reusable workflows and composite actions. I have no feedback to provide.
Pull request overview
Adds new mechanical/process checkpoints and supporting documentation to make common reusable-workflow authoring pitfalls and PR-review completeness issues detectable and repeatable within the github-project skill.
Changes:
- Add three new checkpoints: GH-34 (composite-action SHA pinning), GH-35 (harden-runner first-step enforcement), GH-36 (verify all PR review threads resolved via GraphQL).
- Add a new reference doc: references/reusable-workflow-pitfalls.md.
- Update SKILL.md description and references table to include reusable-workflow content.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| skills/github-project/checkpoints.yaml | Adds GH-34/35/36 checkpoint definitions (regex + embedded Python + process prompt). |
| skills/github-project/references/reusable-workflow-pitfalls.md | New reference documenting reusable-workflow authoring pitfalls (local action resolution, SHA pinning, rerun ref caching, permissions ceiling). |
| skills/github-project/SKILL.md | Expands activation description and links in new reusable-workflow reference docs. |
- SKILL.md: trim to 495 words (under 500 limit) — tightened description, removed redundant "See ..." pointers already covered by the references table.
- SKILL.md / checkpoints.yaml GH-36: bump reviewThreads(first:50) to first:100 (GraphQL max) and document pageInfo.hasNextPage pagination so PRs with >100 threads aren't silently mis-reported as "all resolved".
- checkpoints.yaml GH-34: tighten the 40-hex-SHA negative lookahead so refs like @<40hex>-tag are correctly flagged as non-SHA-pinned; the previous \b boundary let any 40-hex prefix pass.
- checkpoints.yaml GH-35: drop the trailing "|| exit 0" and the "2>/dev/null" wrapper on the Python harden-runner check so real failures (and the "Jobs missing harden-runner..." message) actually surface; missing python3/PyYAML cases are still handled explicitly upstream.

Signed-off-by: Sebastian Mendel <sebastian.mendel@netresearch.de>
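The `\b` versus exact-match difference described for GH-34 above, as an added example (not the pattern from checkpoints.yaml): it uses Python's `re` rather than PCRE, and the org, repo and SHA values are constructed.

```python
import re

# Added illustration. Matches a `uses:` line that points at a composite
# action under .github/actions/ in another repo and captures the ref.
# Reusable-workflow refs (.github/workflows/*.yml) do not match: exempt.
COMPOSITE_USES = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?"
    r"(?P<target>[\w.-]+/[\w.-]+/\.github/actions/[\w./-]+)"
    r"@(?P<ref>[^\s'\"#]+)"
)

# Loose form: \b is satisfied between the 40th hex digit and '-', so a ref
# that merely starts with 40 hex characters is accepted as pinned.
LOOSE_SHA = re.compile(r"[0-9a-f]{40}\b")
# Strict form: the whole ref must be exactly 40 hex digits.
STRICT_SHA = re.compile(r"[0-9a-f]{40}\Z")


def unpinned_composite_refs(workflow_text, sha_pattern=STRICT_SHA):
    """Return (line_number, target, ref) for composite-action refs that
    are not SHA-pinned according to sha_pattern."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = COMPOSITE_USES.match(line)
        if m and not sha_pattern.match(m.group("ref")):
            findings.append((lineno, m.group("target"), m.group("ref")))
    return findings


# Constructed sample workflow; org/repo names and the SHA are made up.
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE = f"""\
jobs:
  call:
    uses: example-org/ci/.github/workflows/build.yml@main
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/ci/.github/actions/preflight-gate@main
      - uses: example-org/ci/.github/actions/preflight-gate@{SHA}
      - uses: example-org/ci/.github/actions/preflight-gate@{SHA}-tag
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for finding in unpinned_composite_refs(SAMPLE):
        print("unpinned:", finding)
```

Passing `LOOSE_SHA` as the second argument shows the earlier behaviour: the `@<40hex>-tag` line is no longer reported.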
## Release v2.14.0

Minor release. `.claude-plugin/plugin.json` and `skills/github-project/SKILL.md` frontmatter `metadata.version` were already synced to `2.14.0` on `main` via [#74](#74) — this PR is the empty release marker that closes the v2.13.1 → v2.14.0 window and triggers the signed-tag release.

### Highlights since v2.13.1

- **`agentic-workflows` reference** documenting `gh-aw` and `awf` workflow-as-prompt tooling for autonomous GitHub Actions — new patterns for running AI agents on PRs/issues without bespoke wiring ([#75](#75)).
- **AI reviewer pushback patterns** — handling Copilot/Sourcery review comments that disagree with the codebase intent, including when to defer and when to push back ([#66](#66), [#74](#74)).
- **PR-merge / branch-protection / CodeQL gotchas** documented, plus auto-detection of allowed merge strategy in the `--delete-branch` snippet so the recipe doesn't break on repos with merge-commit-only policies ([#69](#69), [#71](#71), [#72](#72)).
- **GraphQL `Repository.mergeQueue`** for queue detection — replaces a brittle REST probe ([#70](#70)).
- **Assessment checkpoints overhaul**: new GH-34/GH-35/GH-36, follow_uses delegation for CodeQL/Scorecard, org_provides for community-health files, broader licence/Dependabot/workflow targets, plus reusable-workflow-pitfalls reference. Multiple false-positive findings demoted to `info` to reduce assessment noise ([#56](#56), [#57](#57), [#58](#58), [#59](#59), [#60](#60), [#61](#61), [#62](#62), [#63](#63), [#64](#64), [#65](#65), [#73](#73)).
- **npm distribution** — the skill now also ships via `@netresearch/agent-skill-coordinator` ([#54](#54), [#55](#55)).
- **Release pipeline hardening** — dropped the deprecated `with: bump:` block + `workflow_dispatch.bump` input so releases happen exclusively via locally-signed tags, plus SLSA-provenance permissions on the caller ([#52](#52), [#53](#53)).

### Release plan

After merge: tag main with a signed annotated tag, push, the `skill-repo-skill` reusable workflow publishes archives + SHA256SUMS with cosign + SLSA attestation, then narrative notes get applied via `gh release edit ... --notes-file`.



Motivation

A recent multi-day session shipping reusable GHA workflows in `netresearch/typo3-ci-workflows` and a consumer wiring in `netresearch/t3x-rte_ckeditor_image` hit three avoidable issues that this PR makes catchable mechanically:

- `uses: …/preflight-gate@main` self-reference inside reusable workflows broke SHA-pinned consumers. Composite-action references inside reusable workflows are resolved at the consumer's runner under the consumer's allow-list policy. PR #82 had to be followed by PR #83 (inline the bash, drop the composite action) once a SHA-pinned consumer rejected `@main`. #34 catches this.
- `step-security/harden-runner`. Caught only after Copilot flagged five separate workflow files in the same PR. The convention is consistent across the repo: every job's first step is the pinned harden-runner. #35 catches this mechanically.

A fourth, related observation made it into the new reference doc: `gh run rerun` caches `uses: …@ref` resolution from the original run trigger time, so re-running after an upstream fix lands picks up nothing — the workflow_ref has to change.

Changes

Three new checkpoints

(See the diff for the full embedded python script in GH-35 and the full prompt in GH-36.)

New reference doc — `references/reusable-workflow-pitfalls.md`

This complements rather than overlaps `references/reusable-workflow-security.md`:

- `reusable-workflow-security.md` — supply-chain trust, SHA-pinning external actions, transitive-dependency risks, audit checklist for adopting third-party workflows.
- `reusable-workflow-pitfalls.md` (new) — operational/structural traps when authoring internal reusable workflows:
  - `./` does NOT resolve to the reusable workflow's repo (linked to GitHub docs)
  - `gh run rerun` caches `@ref` resolution at original trigger time

SKILL.md

- `description:` broadened to activate on reusable-workflow, composite-action, and harden-runner authoring tasks (329 chars total, under the ~350 ceiling).
- `reusable-workflow-security.md` (previously not listed) and the new `reusable-workflow-pitfalls.md`.

Self-test

- `python3 -c 'import yaml; yaml.safe_load(open("checkpoints.yaml"))'` — parses cleanly.
- `yamllint -c .yamllint.yml skills/github-project/checkpoints.yaml` — no warnings.
- `.github/workflows/*.yml` exits 0 (all jobs already start with `step-security/harden-runner`).
- `.github/workflows/*.yml` — clean.

Test plan

- `automated-assessment` skill against a known-bad repo (composite action `@main` ref) and confirm #34 fires
- `harden-runner` and confirm #35 fires