From f43445caead1f3864957de1e9980b0084cac2cf0 Mon Sep 17 00:00:00 2001 From: sneak Date: Sun, 22 Feb 2026 16:35:42 +0100 Subject: [PATCH] Add CI policy, strengthen hash-pinning rule, add Gitea Actions workflow - All Dockerfiles must run make check as a build step - Every repo needs a Gitea Actions workflow running docker build on push - Greatly strengthen the hash-pinning rule: explicitly list all reference types, ban curl|bash installs, mark as most important rule in document - Add model .gitea/workflows/check.yml pinned by commit hash --- .gitea/workflows/check.yml | 9 +++++++++ prompts/EXISTING_REPO_CHECKLIST.md | 5 ++++- prompts/NEW_REPO_CHECKLIST.md | 5 ++++- prompts/REPO_POLICIES.md | 29 +++++++++++++++++++++++------ 4 files changed, 40 insertions(+), 8 deletions(-) create mode 100644 .gitea/workflows/check.yml diff --git a/.gitea/workflows/check.yml b/.gitea/workflows/check.yml new file mode 100644 index 0000000..aca7a51 --- /dev/null +++ b/.gitea/workflows/check.yml @@ -0,0 +1,9 @@ +name: check +on: [push] +jobs: + check: + runs-on: ubuntu-latest + steps: + # actions/checkout v4.2.2, 2026-02-22 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - run: docker build . diff --git a/prompts/EXISTING_REPO_CHECKLIST.md b/prompts/EXISTING_REPO_CHECKLIST.md index 2b5855a..7a9a416 100644 --- a/prompts/EXISTING_REPO_CHECKLIST.md +++ b/prompts/EXISTING_REPO_CHECKLIST.md @@ -24,7 +24,10 @@ with your task. fetch from `https://git.eeqj.de/sneak/prompts/raw/branch/main/.gitignore` if missing - [ ] `.editorconfig` exists -- [ ] `Dockerfile` and `.dockerignore` exist +- [ ] `Dockerfile` and `.dockerignore` exist; Dockerfile runs `make check` as a + build step +- [ ] Gitea Actions workflow in `.gitea/workflows/` runs `docker build .` on + push - [ ] Language-specific config: - [ ] Go: `go.mod`, `go.sum`, `.golangci.yml` - [ ] JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore` 
diff --git a/prompts/NEW_REPO_CHECKLIST.md b/prompts/NEW_REPO_CHECKLIST.md index 10c0981..458794d 100644 --- a/prompts/NEW_REPO_CHECKLIST.md +++ b/prompts/NEW_REPO_CHECKLIST.md @@ -43,9 +43,12 @@ Template files can be fetched from: - [ ] `REPO_POLICIES.md` — fetch from `prompts/REPO_POLICIES.md` in the prompts repo - [ ] `Dockerfile` and `.dockerignore` - - Server: runs the application + - All Dockerfiles must run `make check` as a build step + - Server: also builds and runs the application - Non-server: brings up dev environment and runs `make check` - Image pinned by sha256 hash with version/date comment +- [ ] Gitea Actions workflow at `.gitea/workflows/check.yml` that runs + `docker build .` on push - [ ] Language-specific: - [ ] Go: `go mod init sneak.berlin/go/`, `.golangci.yml` (copy from `~/dev/upaas/.golangci.yml`) diff --git a/prompts/REPO_POLICIES.md b/prompts/REPO_POLICIES.md index cfa1b0c..3f861cb 100644 --- a/prompts/REPO_POLICIES.md +++ b/prompts/REPO_POLICIES.md 
@@ -6,9 +6,19 @@ Version: 2026-02-22 `Version: YYYY-MM-DD` line near the top so it can be kept in sync with the authoritative source as policies evolve. -- All references to Docker images, Go modules, and packages must use - cryptographic hashes. Mutable references (tags, `@latest`, etc.) are remote - code execution vulnerabilities. +- **ALL external references must be pinned by cryptographic hash.** This + includes Docker base images, Go modules, npm packages, GitHub Actions, and + anything else fetched from a remote source. Version tags (`@v4`, `@latest`, + `:3.21`, etc.) are server-mutable and therefore remote code execution + vulnerabilities. The ONLY acceptable way to reference an external dependency + is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm + integrity hash in lockfile, GitHub Actions `@`). No exceptions. + This also means never `curl | bash` to install tools like pyenv, nvm, rustup, + etc. Instead, download a specific release archive from GitHub, verify its hash + (hardcoded in the Dockerfile or script), and only then install. Unverified + install scripts are arbitrary remote code execution. This is the single most + important rule in this document. Double-check every external reference in + every file before committing. There are zero exceptions to this rule. - Every repo with software must have a root `Makefile` with these targets: `make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only), 
@@ -20,9 +30,15 @@ Version: 2026-02-22 instead of invoking the underlying tools directly. The Makefile is the single source of truth for how these operations are run. -- Every repo should have a `Dockerfile`. For non-server repos, the Dockerfile - should bring up a development environment and run `make check` (the build - should fail if the branch is not green). +- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check` + as a build step so the build fails if the branch is not green. For non-server + repos, the Dockerfile should bring up a development environment and run + `make check`. For server repos, `make check` should run as an early build + stage before the final image is assembled. + +- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that + runs `docker build .` on push. Since the Dockerfile already runs `make check`, + a successful build implies all checks pass. - Use platform-standard formatters: `black` for Python, `prettier` for JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with @@ -129,6 +145,7 @@ Version: 2026-02-22 - `README.md`, `.git`, `.gitignore`, `.editorconfig` - `REPO_POLICIES.md` (copy from the `prompts` repo) - `Dockerfile`, `.dockerignore` + - `.gitea/workflows/check.yml` - Go: `go.mod`, `go.sum`, `.golangci.yml` - JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore` - Python: `pyproject.toml`
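Review bot: in the `.gitea/workflows/check.yml` hunk, `on: [push]` means the workflow never runs for pull requests, so a PR is only checked after it has been merged and pushed; add `pull_request` next to `push`. Two smaller points in the same file: `docker build .` needs a Docker daemon on the runner, which the model workflow does not mention, and `runs-on: ubuntu-latest` is a runner label resolved by the runner's configuration rather than a pinned image, so the policy text should say how that label is expected to be pinned (or state that it is out of scope for the hash rule). The `actions/checkout` line itself is fine: full commit SHA plus a version/date comment is exactly the convention the policy asks for.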
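Review bot: the new item in the `prompts/EXISTING_REPO_CHECKLIST.md` hunk says `.gitea/workflows/` without a filename, while `NEW_REPO_CHECKLIST.md` and the file list at the end of `REPO_POLICIES.md` both require `.gitea/workflows/check.yml`; name the file here so the three documents agree. The item should also tell the checker to confirm every `uses:` in that workflow is pinned to a full commit SHA with a version/date comment, since an existing repo's workflow is where a stray `@v4` is most likely to survive an audit.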
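Review bot: in the `prompts/NEW_REPO_CHECKLIST.md` hunk the `Non-server: brings up dev environment and runs `make check`` bullet now repeats the requirement stated one line above it; trim it to what differs (bringing up the dev environment). `Server: also builds and runs the application` is imprecise: `docker build` produces an image whose entrypoint runs the application, the Dockerfile does not run it, and a reader could otherwise expect the server to be started as a build step.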
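Review bot: in the hash-pinning hunk of `prompts/REPO_POLICIES.md`, pointing at `go.sum` and the npm lockfile integrity hash is only sufficient if the install step is forbidden from rewriting those files; otherwise a Dockerfile `RUN yarn install` will resolve whatever the registry serves and update the lockfile in the image. State explicitly that builds use `yarn install --frozen-lockfile` (Yarn 1) or `yarn install --immutable` (Yarn 2+), and that `go.sum` is committed and builds are never run with `-mod=mod`. The text `GitHub Actions `@`` reads as incomplete; it should spell out a full 40-character commit SHA and say that abbreviated SHAs and tags are not acceptable because a tag can be moved. For the release-archive rule, name the algorithm and make the check fail closed, e.g. `echo "<sha256>  tool.tar.gz" | sha256sum -c -` before `tar` is invoked, so a mismatch stops the build rather than being logged and ignored.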
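Review bot: in the `@@ -20,9 +30,15 @@` hunk, `make check` as an early build stage before the final image is assembled is not enough by itself: BuildKit builds only the stages the target stage depends on, so a `check` stage that nothing `COPY --from=`s is skipped and `docker build .` succeeds without running any checks. Require the final stage to consume an artifact from the stage that ran `make check` (the built binary, or a marker file) or run `make check` in the same stage that produces the binary. The following paragraph's `a successful build implies all checks pass` should carry the same caveat, and the policy should say whether CI builds run with `--no-cache`, since a cached `RUN make check` layer is reused rather than re-executed when its inputs are unchanged.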