Add CI policy, strengthen hash-pinning rule, add Gitea Actions workflow
All checks were successful
check / check (push) Successful in 16s
- All Dockerfiles must run make check as a build step
- Every repo needs a Gitea Actions workflow running docker build on push
- Greatly strengthen the hash-pinning rule: explicitly list all reference types, ban curl|bash installs, mark as most important rule in document
- Add model .gitea/workflows/check.yml pinned by commit hash
@@ -6,9 +6,19 @@ Version: 2026-02-22
`Version: YYYY-MM-DD` line near the top so it can be kept in sync with the
authoritative source as policies evolve.
- All references to Docker images, Go modules, and packages must use
cryptographic hashes. Mutable references (tags, `@latest`, etc.) are remote
code execution vulnerabilities.
- **ALL external references must be pinned by cryptographic hash.** This
includes Docker base images, Go modules, npm packages, GitHub Actions, and
anything else fetched from a remote source. Version tags (`@v4`, `@latest`,
`:3.21`, etc.) are server-mutable and therefore remote code execution
vulnerabilities. The ONLY acceptable way to reference an external dependency
is by its content hash (Docker `@sha256:...`, Go module hash in `go.sum`, npm
integrity hash in lockfile, GitHub Actions `@<commit-sha>`). No exceptions.
This also means never `curl | bash` to install tools like pyenv, nvm, rustup,
etc. Instead, download a specific release archive from GitHub, verify its hash
(hardcoded in the Dockerfile or script), and only then install. Unverified
install scripts are arbitrary remote code execution. This is the single most
important rule in this document. Double-check every external reference in
every file before committing. There are zero exceptions to this rule.
- Every repo with software must have a root `Makefile` with these targets:
`make test`, `make lint`, `make fmt` (writes), `make fmt-check` (read-only),
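Review bot: the Go and npm cases in the new bullet name the lockfile hash as the pin, but a lockfile only enforces anything if the build refuses to rewrite it; add that Go builds run with `-mod=readonly` (or from a committed vendor directory) and JS installs use `npm ci` / `yarn install --frozen-lockfile`, never a bare `npm install`, otherwise the resolver can silently update the very hash it is supposed to check. For the "download a specific release archive from GitHub, verify its hash" replacement for `curl | bash`, say where the hardcoded hash must come from: the upstream's published checksums or a previously audited copy, not a hash computed from the same download the Dockerfile is about to trust, or the check is trust-on-first-use rather than verification.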
@@ -20,9 +30,15 @@ Version: 2026-02-22
instead of invoking the underlying tools directly. The Makefile is the single
source of truth for how these operations are run.
- Every repo should have a `Dockerfile`. For non-server repos, the Dockerfile
should bring up a development environment and run `make check` (the build
should fail if the branch is not green).
- Every repo should have a `Dockerfile`. All Dockerfiles must run `make check`
as a build step so the build fails if the branch is not green. For non-server
repos, the Dockerfile should bring up a development environment and run
`make check`. For server repos, `make check` should run as an early build
stage before the final image is assembled.
- Every repo should have a Gitea Actions workflow (`.gitea/workflows/`) that
runs `docker build .` on push. Since the Dockerfile already runs `make check`,
a successful build implies all checks pass.
- Use platform-standard formatters: `black` for Python, `prettier` for
JS/CSS/Markdown/HTML, `go fmt` for Go. Always use default configuration with
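Review bot: "run as an early build stage before the final image is assembled" is not sufficient on its own: BuildKit builds only the stages the target stage depends on, so a standalone check stage that nothing `COPY --from`s is skipped and the build stays green without `make check` ever running. State that the final stage must depend on the check stage (copy an artifact it produces, or run `make check` inside the builder stage whose output is shipped). The Gitea Actions bullet's "a successful build implies all checks pass" also needs a layer-cache caveat: a `RUN make check` layer is reused when nothing before it changed, so all sources must be copied into the image ahead of that step, or the workflow must pass `--no-cache`, for the implication to hold.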
@@ -129,6 +145,7 @@ Version: 2026-02-22
- `README.md`, `.git`, `.gitignore`, `.editorconfig`
- `REPO_POLICIES.md` (copy from the `prompts` repo)
- `Dockerfile`, `.dockerignore`
- `.gitea/workflows/check.yml`
- Go: `go.mod`, `go.sum`, `.golangci.yml`
- JS: `package.json`, `yarn.lock`, `.prettierrc`, `.prettierignore`
- Python: `pyproject.toml`
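Review bot: the required-files list gains `.gitea/workflows/check.yml` but still lists only `pyproject.toml` for Python, while Go and JS each get a lockfile (`go.sum`, `yarn.lock`); with the strengthened hash-pinning rule introduced earlier in this same commit, Python repos have no file in which package integrity hashes are recorded, so the rule cannot be enforced for them. Add a lockfile entry for Python (a hash-bearing `requirements.txt` installed with `pip install --require-hashes`, or a tool lockfile) alongside `pyproject.toml`.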