ci: add Solidity+Scorecard reusables, harden PR template, bump prettier #13
Merged
Six enterprise-hygiene improvements applied to the org governing repo:

1. `.github/workflows/reusable-ci-solidity.yml` — NEW
   Foundry CI for Solidity smart contracts (NA-03 §6.1 & §10.4). Jobs: forge fmt, forge build, forge test, forge coverage. Coverage job enforces the ≥60 % line-coverage floor from NA-03 §6.3. Change-detection via dorny/paths-filter so the matrix skips on non-Solidity pushes.
   NOTE: foundry-rs/foundry-toolchain refs are tagged (not SHA-pinned) pending SHA lookup — marked with TODO(supply-chain) comments; a Dependabot PR will convert them on the next scheduled run.

2. `.github/workflows/reusable-openssf-scorecard.yml` — NEW
   OpenSSF Scorecard reusable. Publishes SARIF to the GitHub Security tab via codeql-action/upload-sarif (already SHA-pinned). Inputs: `publish-results` (default false — safe for private repos).
   NOTE: ossf/scorecard-action and actions/upload-artifact refs are tagged pending SHA lookup; same TODO(supply-chain) convention.

3. `.github/PULL_REQUEST_TEMPLATE.md` — UPDATED
   Added a "NA-03 merge blockers" section with seven org-specific checks: secret hygiene, prohibited dependencies, Schema.org compliance, locked-count integrity, frontier defaults (post-quantum / local-first / edge-native), and GitHub Actions SHA pinning. Checks mirror the Quick Reference in NA-03 §§ 3–7 so reviewers have a single authoritative checklist on every PR.

4. `.github/workflows/reusable-lint.yml` — UPDATED
   Bumped default prettier-version from 3.3.3 (June 2024) to 3.5.3.

5. `ORG_SETTINGS.md` — UPDATED
   Added ossf/scorecard-action@* and foundry-rs/foundry-toolchain@* to the org Actions allow-list (required before the new reusables can run in consuming repos).

6. `README.md` — UPDATED
   Added both new reusable workflows to the inventory table.

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
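The coverage job described in item 1 gates on the ≥60 % line-coverage floor. As an added illustration (not the PR's own workflow code), the gate below recomputes the Total-row ratio from a `forge coverage` summary table; the report text is a constructed sample in the shape of that table, and treating 0/0 as 0 % is this example's choice, not a rule stated in the PR.

```python
import re

FLOOR_PERCENT = 60.0  # the NA-03 §6.3 line-coverage floor cited in the PR

# Total row of the forge coverage summary table, e.g. "| Total | 70.00% (14/20) | ..."
TOTAL_RE = re.compile(r"^\|\s*Total\s*\|\s*\d+(?:\.\d+)?%\s*\((\d+)/(\d+)\)")


def total_line_coverage(report: str) -> float:
    """Return the Total-row line coverage as a percentage.

    The ratio is recomputed from covered/total lines instead of trusting the
    printed percentage, and 0/0 (nothing instrumented) counts as 0 % so an
    empty build cannot pass the gate by accident.
    """
    for line in report.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            covered, total = int(m.group(1)), int(m.group(2))
            return 0.0 if total == 0 else 100.0 * covered / total
    raise ValueError("no Total row found in forge coverage output")


def meets_floor(report: str, floor: float = FLOOR_PERCENT) -> bool:
    """True when the Total line coverage is at or above the floor."""
    return total_line_coverage(report) >= floor


# Constructed sample in the shape of forge coverage's summary table.
SAMPLE_REPORT = """\
| File          | % Lines        | % Statements   | % Branches   | % Funcs       |
|---------------|----------------|----------------|--------------|---------------|
| src/Vault.sol | 80.00% (8/10)  | 75.00% (9/12)  | 50.00% (2/4) | 100.00% (3/3) |
| src/Token.sol | 60.00% (6/10)  | 58.33% (7/12)  | 50.00% (1/2) | 66.67% (2/3)  |
| Total         | 70.00% (14/20) | 66.67% (16/24) | 50.00% (3/6) | 83.33% (5/6)  |
"""

if __name__ == "__main__":
    pct = total_line_coverage(SAMPLE_REPORT)
    verdict = "PASS" if meets_floor(SAMPLE_REPORT) else "FAIL"
    print(f"line coverage {pct:.2f}% (floor {FLOOR_PERCENT:.0f}%) -> {verdict}")
```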
MongoDB is the current hot-tier database and D1 is used for agentic workloads — neither is prohibited in practice. The checklist now only blocks Flutter, Couchbase, CouchDB-as-datastore, and the legacy 10B MXT supply-cap reference.

NOTE: NA-03 §3.5 still lists both MongoDB (SSPL) and D1 as prohibited patterns. That governance doc needs a matching amendment to stay consistent with the current stack — tracked separately.

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
MongoDB and Cloudflare D1 are active parts of the platform; the previous blanket prohibitions no longer reflect reality.

Changes:
- §3.1: adds "Sanctioned operational layers" block documenting MongoDB as the hot-tier operational database and D1 as the agentic-workload relational store. Both are explicitly not sources of truth; the locked count of 3 sources of truth is unchanged. MongoDB's SSPL scope (internal only, not distributed) is called out.
- §3.5: removes MongoDB and D1 from the prohibited-patterns list; adds a removed-prohibition note cross-referencing §3.1.
- Quick Reference merge blocker updated to match.
- Version bumped 1.1 → 1.2, effective date 14 June 2026.
- Changelog entry added per §13 amendment process.

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
The description cell was 162 chars — 13 chars wider than the column established by other rows — which shifted the pipe positions and failed both markdownlint MD060 and prettier. Shortened to 137 chars and padded with trailing spaces to match the 149-char column width. Also fixed the status cell from `| ✅ |` to `| ✅ |`.

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
## Summary

Six enterprise-hygiene improvements to the org governing repo, closing gaps identified against the NA-03 Engineering Working Agreement and current supply-chain security best practices:

- `reusable-ci-solidity.yml` — Foundry CI for Solidity smart contracts
- `reusable-openssf-scorecard.yml` — OpenSSF Scorecard supply-chain analysis
- `reusable-lint.yml` — prettier default bumped 3.3.3 → 3.5.3
- `ORG_SETTINGS.md` — two new actions added to the allow-list
- `README.md` — new workflows added to the inventory table

## Detail

### 1. `reusable-ci-solidity.yml` (new)

Covers the Solidity / Foundry stack called out in NA-03 §6.1 which had no CI reusable. Four jobs:

- `forge fmt`
- `forge build --sizes`
- `forge test` (`-vvv`)
- `forge coverage`

Change-detection via `dorny/paths-filter` so the matrix is a no-op on non-Solidity pushes.

### 2. `reusable-openssf-scorecard.yml` (new)

OpenSSF Scorecard checks (branch protection, dependency pinning, CI/CD, SAST, signed releases, token permissions, vulnerability reporting, and more). Results are uploaded as SARIF to the GitHub Security tab via the already-SHA-pinned `github/codeql-action/upload-sarif`. Input `publish-results` defaults to `false` (safe for private repos; set `true` for public repos to get a public score badge).

### 3. PR template — NA-03 merge-blocker checklist

The existing checklist covered process (commits, DCO, signing) but had no org-specific content gates. The new "NA-03 merge blockers" section surfaces the Quick Reference from NA-03 §§ 3–7 directly in every PR, including an escape hatch ("N/A — skip remaining boxes") for PRs that don't touch any gated areas. Checks cover:

### 4. Prettier version bump (3.3.3 → 3.5.3)

The default in `reusable-lint.yml` was last set in June 2024. Bumped to 3.5.3. Repos that override the version via the `prettier-version` input are unaffected.

### 5–6. ORG_SETTINGS.md + README

`ossf/scorecard-action@*` and `foundry-rs/foundry-toolchain@*` added to the org Actions allow-list (required before consuming repos can call the new reusables). Both new workflows added to the README inventory table.

## Test plan

- [ ] `foundry-rs/foundry-toolchain` and `ossf/scorecard-action` tag refs are converted to SHA pins before merge (or confirm Dependabot PR is queued)

https://claude.ai/code/session_01Y1W2Bh83JFe3iK5K8U7dSz
Generated by Claude Code
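The "GitHub Actions SHA pinning" merge blocker and the TODO(supply-chain) tag refs in the test plan are the kind of thing a reviewer wants checked mechanically. As an added example that is not part of this PR or its workflows, the script below scans a workflow file for `uses:` references and flags every remote action or reusable workflow whose ref is not a 40-hex commit SHA; the sample workflow text and its SHA are constructed placeholders, and skipping `./` local actions and `docker://` images is this example's assumption.

```python
import re
from dataclasses import dataclass

# Matches step-level and job-level `uses:` values (quoted or not) and captures
# "owner/repo[/path]@ref", "./local/path" or "docker://image".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def check_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per remote action whose ref is not a 40-hex commit SHA.

    Local actions (./path) and docker:// images are skipped; that scope is an
    assumption of this example, not a rule stated in the PR.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref (floats to default branch)"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, ref, f"mutable ref {version!r}, not a 40-hex SHA"))
    return findings


# Constructed sample: the SHA is a placeholder, not a real commit; the second
# step carries the PR's TODO(supply-chain) marker for a still-tagged action.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
  - uses: foundry-rs/foundry-toolchain@v1  # TODO(supply-chain): convert to SHA pin
  - uses: ./.github/actions/local-setup
"""

if __name__ == "__main__":
    for f in check_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run against the repo's `.github/workflows/*.yml` before merge, a non-empty result is exactly the set of refs the test plan says must still be converted.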