ci(security): SLSA L2 provenance, quarterly audit, governance amendment flow

[bryanfawcett]

Summary

Enterprise-grade hardening pass on the governing .github repo, addressing the highest-priority gaps identified in a full audit of all 44 files. Changes are grouped by priority tier.

P0 — Supply-chain security (SLSA L2 provenance)

• reusable-release.yml — every release now generates a SHA256SUMS file covering all release assets, then creates a signed GitHub Artifact Attestation (SLSA L2 provenance) via actions/attest-build-provenance. Callers must grant attestations: write. A hashes output (base64-encoded SHA-256s) is exposed for downstream provenance consumers.
• reusable-sbom.yml — prints the SHA-256 of the SBOM file to the CI log (the checksum is also included in the release SHA256SUMS via the release job).
• reusable-slsa-provenance.yml (new) — standalone SLSA L2 provenance workflow for repos that attest artifacts outside the full release flow. Verifiable by anyone with repo read access via gh attestation verify <artifact> --repo nyuchi/<repo>.

P0 — ORG_SETTINGS.md fixes

• Secret scanning non-provider patterns: corrected from "Enabled for public repos" to "Enabled org-wide". Private repos should have the same coverage.
• Actions allowlist: actions/attest-build-provenance@* added.
• New §Artifact provenance and supply-chain security: SLSA posture table, OpenSSF alignment targets, reusable-workflow versioning/rollback SOP.
• New §OIDC federation: Cloudflare, Fly.io, and AWS/GCP examples replacing the prose-only note.
• Quarterly audit: updated to reference the new automated scheduled workflow.

P1 — Operational rigour

• scheduled-settings-audit.yml (new) — quarterly scheduled workflow (08:00 UTC on 1 Jan / 1 Apr / 1 Jul / 1 Oct) that opens a GitHub Issue with a structured checklist. Idempotent: skips creation if an open issue for the current quarter already exists. Uses a separate template file (.github/audit-issue-body.md) to avoid YAML block-scalar indentation issues with multi-line heredoc bodies.
• .github/ISSUE_TEMPLATE/governance_amendment.yml (new) — structured form for proposing amendments to NA-01/NA-02/NA-03/ORG_SETTINGS.md. Includes document selector, section citation, current/proposed text, rationale, security-impact dropdown, Board-notification acknowledgement, and changelog-entry draft.

P1/P2 — Documentation

• CONTRIBUTING.md: adds §Dependabot PRs (weekly cadence review, major-version handling, security-advisory SLA, prohibited-dep check) and §Governance amendments (issue-before-PR requirement, review bar, Board-notification trigger per NA-03 §13).
• AGENTS.md: adds rule requiring a Governance Amendment issue before any agent proposes changes to governance docs; clarifies the SHA-comment format requirement.
• README.md: adds new workflow rows to the reusable-workflows inventory table.

Test plan

• CI lint passes (actionlint, JSON validity, prettier, markdownlint, yamllint).
• Verify actions/attest-build-provenance and actions/upload-artifact SHA pins — these are best-effort from training data; Dependabot will issue corrected SHA-pin PRs on the next weekly github-actions update cycle per NA-03 §7.1.1.
• Manually trigger scheduled-settings-audit.yml via workflow_dispatch to confirm issue creation flow works end-to-end.
• Confirm the governance_amendment issue template renders correctly in the GitHub new-issue picker.
• In a consuming repo, call reusable-slsa-provenance.yml from a test release and verify gh attestation verify succeeds.

Gaps deferred to follow-up PRs

• SLSA L3 (hermetic isolated build runners) — requires separate infra work.
• OpenSSF Scorecard action (ossf/scorecard-action) — tracked in ORG_SETTINGS.md §OpenSSF alignment.
• Terraform integrations/github provider for ORG_SETTINGS.md as generated artifact — tracked in ORG_SETTINGS.md §Enforcement and audit.
• License-header validation workflow — separate PR.
• Schema.org compliance CI check — separate PR.

https://claude.ai/code/session_018gMESVfRNN1qqndg2LACYx

---

Generated by Claude Code