harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

docs(ci): define phase-1 actions source allowlist policy (#405)

Browse source
This commit is contained in:
Will Sarg 2026-02-16 12:26:10 -05:00 committed by GitHub
parent 40e592ffed
commit 90deb8fd5e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 65 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

62
docs/actions-source-policy.md Normal file
View file

@ -0,0 +1,62 @@
# Actions Source Policy (Phase 1)
This document defines the current GitHub Actions source-control policy for this repository.
Phase 1 objective: lock down action sources with minimal disruption, before full SHA pinning.
## Current Policy
- Repository Actions permissions: enabled
- Allowed actions mode: selected
- SHA pinning required: false (deferred to Phase 2)
Selected allowlist patterns:
- `actions/*` (covers `actions/cache`, `actions/checkout`, `actions/upload-artifact`, `actions/download-artifact`, and other first-party actions)
- `docker/*`
- `dtolnay/rust-toolchain@*`
- `Swatinem/rust-cache@*`
- `DavidAnson/markdownlint-cli2-action@*`
- `lycheeverse/lychee-action@*`
- `EmbarkStudios/cargo-deny-action@*`
- `rhysd/actionlint@*`
- `softprops/action-gh-release@*`
## Why This Phase
- Reduces supply-chain risk from unreviewed marketplace actions.
- Preserves current CI/CD functionality with low migration overhead.
- Prepares for Phase 2 full SHA pinning without blocking active development.
## Agentic Workflow Guardrails
Because this repository has high agent-authored change volume:
- Any PR that adds or changes `uses:` action sources must include an allowlist impact note.
- New third-party actions require explicit maintainer review before allowlisting.
- Expand allowlist only for verified missing actions; avoid broad wildcard exceptions.
- Keep rollback instructions in the PR description for Actions policy changes.
## Validation Checklist
After allowlist changes, validate:
1. `CI`
2. `Docker`
3. `Security Audit`
4. `Workflow Sanity`
5. `Release` (when safe to run)
Failure mode to watch for:
- `action is not allowed by policy`
If encountered, add only the specific trusted missing action, rerun, and document why.
## Rollback
Emergency unblock path:
1. Temporarily set Actions policy back to `all`.
2. Restore selected allowlist after identifying missing entries.
3. Record incident and final allowlist delta.

1
docs/ci-map.md
View file

@ -76,6 +76,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
- Keep merge-blocking checks deterministic and reproducible (`--locked` where applicable).
- Prefer explicit workflow permissions (least privilege).
- Keep Actions source policy restricted to approved allowlist patterns (see `docs/actions-source-policy.md`).
- Use path filters for expensive workflows when practical.
- Keep docs quality checks low-noise (`markdownlint` + offline link checks).
- Keep dependency update volume controlled (grouping + PR limits).