Add CI policy, strengthen hash-pinning rule, add Gitea Actions workflow

- All Dockerfiles must run make check as a build step - Every repo needs a Gitea Actions workflow running docker build on push - Greatly strengthen the hash-pinning rule: explicitly list all reference types, ban curl|bash installs, mark as most important rule in document - Add model .gitea/workflows/check.yml pinned by commit hash
2026-02-22 16:35:42 +01:00 · 2026-02-22 16:35:42 +01:00 · f43445caea
commit f43445caea
parent 7f4ed7edbd
4 changed files with 40 additions and 8 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@ -0,0 +1,9 @@
+name: check
+on: [push]
+jobs:
+    check:
+        runs-on: ubuntu-latest
+        steps:
+            # actions/checkout v4.2.2, 2026-02-22
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+            - run: docker build .
--- a/prompts/EXISTING_REPO_CHECKLIST.md
+++ b/prompts/EXISTING_REPO_CHECKLIST.md
@ -24,7 +24,10 @@ with your task.
      fetch from `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore`
      if missing
 - [ ] `.editorconfig` exists
- [ ] `Dockerfile` and `.dockerignore` exist
+- [ ] `Dockerfile` and `.dockerignore` exist; Dockerfile runs `make check` as a
+      build step
+- [ ] Gitea Actions workflow in `.gitea/workflows/` runs `docker build .` on
+      push
 - [ ] Language-specific config:
    - [ ] Go: `go.mod`, `go.sum`, `.golangci.yml`
    - [ ] JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
--- a/prompts/NEW_REPO_CHECKLIST.md
+++ b/prompts/NEW_REPO_CHECKLIST.md
@ -43,9 +43,12 @@ Template files can be fetched from:
 - [ ] `REPO_POLICIES.md` — fetch from `prompts/REPO_POLICIES.md` in the prompts
      repo
 - [ ] `Dockerfile` and `.dockerignore`
-    - Server: runs the application
+    - All Dockerfiles must run `make check` as a build step
+    - Server: also builds and runs the application
    - Non-server: brings up dev environment and runs `make check`
    - Image pinned by sha256 hash with version/date comment
+- [ ] Gitea Actions workflow at `.gitea/workflows/check.yml` that runs
+      `docker build .` on push
 - [ ] Language-specific:
    - [ ] Go: `go mod init sneak.berlin/go/<name>`, `.golangci.yml` (copy from
          `~/dev/upaas/.golangci.yml`)
--- a/prompts/REPO_POLICIES.md
+++ b/prompts/REPO_POLICIES.md
@ -6,9 +6,19 @@ Version: 2026-02-22
  `Version: YYYY-MM-DD` line near the top so it can be kept in sync with the
  authoritative source as policies evolve.

- All references to Docker images, Go modules, and packages must use
-  cryptographic hashes. Mutable references (tags, `@latest`, etc.) are remote
-  code execution vulnerabilities.
+- **ALL external references must be pinned by cryptographic hash.** This
+  includes Docker base images, Go modules, npm packages, GitHub Actions, and
+  anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
+  `:3.21`, etc.) are server-mutable and therefore remote code execution
+  vulnerabilities. The ONLY acceptable way to reference an external dependency
+  is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
+  integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
+  This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
+  etc. Instead, download a specific release archive from GitHub, verify its hash
+  (hardcoded in the Dockerfile or script), and only then install. Unverified
+  install scripts are arbitrary remote code execution. This is the single most
+  important rule in this document. Double-check every external reference in
+  every file before committing. There are zero exceptions to this rule.

 - Every repo with software must have a root `Makefile` with these targets:
  `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
@ -20,9 +30,15 @@ Version: 2026-02-22
  instead of invoking the underlying tools directly. The Makefile is the single
  source of truth for how these operations are run.

- Every repo should have a `Dockerfile`. For non-server repos, the Dockerfile
-  should bring up a development environment and run `make check` (the build
-  should fail if the branch is not green).
+- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
+  as a build step so the build fails if the branch is not green. For non-server
+  repos, the Dockerfile should bring up a development environment and run
+  `make check`. For server repos, `make check` should run as an early build
+  stage before the final image is assembled.
+
+- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
+  runs `docker build .` on push. Since the Dockerfile already runs `make check`,
+  a successful build implies all checks pass.

 - Use platform-standard formatters: `black` for Python, `prettier` for
  JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
@ -129,6 +145,7 @@ Version: 2026-02-22
    - `README.md`, `.git`, `.gitignore`, `.editorconfig`
    - `REPO_POLICIES.md` (copy from the `prompts` repo)
    - `Dockerfile`, `.dockerignore`
+    - `.gitea/workflows/check.yml`
    - Go: `go.mod`, `go.sum`, `.golangci.yml`
    - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
    - Python: `pyproject.toml`