feat(scaffold): B-0424.6 — add .semgrep.yml GHA injection rule to forge+ace scaffold templates#3026
…ge+ace templates

ADR 2026-04-22 checklist item: "Semgrep rule for GHA inline-untrusted-in-run injection (already landed on Zeta; generalise to Forge + ace)".

- Add tools/scaffold/forge/.semgrep.yml and tools/scaffold/ace/.semgrep.yml, each containing the gha-untrusted-in-run-line rule (Rule 17 from Zeta's .semgrep.yml). Both configs validated: 0 errors, 1 rule each.
- Update step07_summary in create-repo.ts: manual step 3 is now "wire gate workflow" (the .semgrep.yml config file is scaffolded; only CI job wiring is deferred to Stage 2) instead of "add Semgrep rule".
- Update tools/scaffold/README.md to list .semgrep.yml in the template tree and update manual-steps note accordingly.
- Extend existing step-06 tests in create-repo.test.ts to assert .semgrep.yml is present in scaffold files for both forge and ace. All 18 tests pass.

Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
Adds Semgrep governance to the Stage-1 scaffold templates for the Forge and ace repos, ensuring the GitHub Actions inline-untrusted-in-run injection rule is present from day one and reflected in the scaffold tool/docs.

Changes:
- Add `.semgrep.yml` to both `tools/scaffold/forge/` and `tools/scaffold/ace/` containing `gha-untrusted-in-run-line`.
- Update scaffold docs + `create-repo.ts` step-07 manual steps to reflect that only CI wiring remains manual (Stage 2).
- Extend the existing dry-run tests to assert `.semgrep.yml` is included in the scaffolded file set.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tools/scaffold/README.md | Updates template tree listing and manual-step guidance to include Semgrep wiring. |
| tools/scaffold/forge/.semgrep.yml | Adds Forge Semgrep config with the GHA injection rule. |
| tools/scaffold/ace/.semgrep.yml | Adds ace Semgrep config with the same GHA injection rule. |
| tools/scaffold/create-repo.ts | Adjusts step-07 manual steps to “wire gate workflow” now that .semgrep.yml is scaffolded. |
| tools/scaffold/create-repo.test.ts | Adds assertions that .semgrep.yml is present in step-06 planned scaffold files. |
…ide .semgrep.yml

Addresses Copilot P2 review threads on both forge + ace .semgrep.yml: the header claimed `pipx:semgrep` was pinned in `.mise.toml` but no `.mise.toml` existed in the scaffold templates. Consumers of the template would find the comment misleading.

Fix: add minimal .mise.toml (uv + semgrep pinned) to both scaffold template directories so the pin claim is accurate. Update .semgrep.yml header to clarify that `pipx:` is mise's registry prefix that routes through `uv tool install` when uv is present (per ADR 2026-04-27). Extend dry-run tests to assert .mise.toml is present in step-06 files.

Co-Authored-By: Claude <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on May 13, 2026:
* docs: archive PR #3026
* fix(archive): reconcile PR-3026 Copilot file count 6→5-out-of-6 with archive note

Copilot review thread on PR #3059 flagged that the archived Copilot review summary said '6 out of 6 changed files' while the per-file table listed only 5 files. Reconciles by changing to '5 out of 6' and adding an archive note explaining that the 6th file (forge/.mise.toml) was added in fix commit dbcad11 after the review was generated. Keeps the archive as a reliable provenance record per the reviewer's request.

Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
AceHack added a commit that referenced this pull request on May 14, 2026:
…tep documented (#3114)

* backlog(b-0424): mark in-progress — document slices 1-8 merged; add --apply next-step

All 8 scaffolding slices (PRs #2994, #2996, #3003, #3019, #3025, #3026, #3027, #3028) are merged and tests pass (30/30). Update status to in-progress and document the completed slices table, dry-run verification (12 ops planned for each repo, 2026-05-14), and the --apply execution instructions Aaron needs to review before irreversible repo creation.

operative-authorization: aaron 2026-05-13: "Cooling period: TBD. The memory file IS the durable record"

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(b-0424): add blank line before list — resolve MD032 markdownlint

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(b-0424): valid status + route --apply through workflow
- status: in-progress → open (in-progress not in schema enum)
- Next-step instructions now reference scaffold-stage1-create-repos GitHub Actions workflow (actor allowlist + CONFIRM gate + PAT handling + concurrency protection) instead of raw --apply bash

Resolves Copilot P1 threads on #3114.

Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Summary

- `tools/scaffold/forge/.semgrep.yml` and `tools/scaffold/ace/.semgrep.yml`, each containing the `gha-untrusted-in-run-line` rule (Rule 17 from Zeta's `.semgrep.yml`)
- `create-repo.ts` step07 manual steps: step 3 is now "wire gate workflow" since the config file is now scaffolded (only CI job wiring deferred to Stage 2)
- `tools/scaffold/README.md` template tree listing and manual-steps note
- `.semgrep.yml` present for both forge and ace

Test plan

- `bun test tools/scaffold/create-repo.test.ts` — 18 pass, 0 fail
- `semgrep --config tools/scaffold/forge/.semgrep.yml --validate` — 0 errors, 1 rule
- `semgrep --config tools/scaffold/ace/.semgrep.yml --validate` — 0 errors, 1 rule
- `dotnet build -c Release` — 0 warnings, 0 errors

Context

B-0424 Stage 1 is the three-repo split scaffold (`LFG/Forge` + `LFG/ace`). Previous slices:
- `scaffold-stage1-create-repos.yml` CI dispatch workflow
- `create-repo.ts` tool

This slice completes one remaining ADR checklist item for the template set. The `.semgrep.yml` files are pushed as day-one governance files by `create-repo.ts` step 06 (before branch protection). CI wiring of the `semgrep` lint job remains a Stage-2 task.

operative-authorization: aaron 2026-05-13: "Cooling period: TBD. The memory file IS the durable record"

🤖 Generated with Claude Code
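The injection class the scaffolded rule targets, as an added example that is not Rule 17, Zeta's `.semgrep.yml`, or any code from the Forge/ace scaffold: a small TypeScript check that makes the same decision a `gha-untrusted-in-run-line` rule has to make over a workflow file, run against a constructed vulnerable step and its env-var hardened rewrite. The `findUntrustedInRun` name and the list of contexts treated as attacker-influenced are assumptions made for this example.

```typescript
// Added example (not the PR's Rule 17 or Zeta's .semgrep.yml): `${{ ... }}` in a `run:` script is
// expanded by the runner before the shell starts, so an outside-controlled value becomes script, not data.
type Finding = { line: number; expression: string };
// Attacker-influenced contexts (an assumption for this example, not the project's list).
const UNTRUSTED = /^github\.(head_ref\b|event\.)/;

function findUntrustedInRun(workflowYaml: string): Finding[] {
  const findings: Finding[] = [];
  const lines = workflowYaml.split("\n");
  let blockIndent = -1; // minimum indent of a `run: |` body; -1 when not inside one
  for (let i = 0; i < lines.length; i++) {
    const raw = lines[i];
    const text = raw.trim();
    const indent = raw.length - raw.trimStart().length;
    let script: string | null = null;
    if (blockIndent >= 0) {
      if (text === "" || indent >= blockIndent) script = text; // still inside the block scalar
      else blockIndent = -1;                                   // dedent: the block has ended
    }
    const run = /^(- )?run:\s*(.*)$/.exec(text);
    if (script === null && run) {
      const keyIndent = run[1] ? indent + 2 : indent;          // `- run:` puts the key after the dash
      if (/^[|>][-+]?$/.test(run[2])) blockIndent = keyIndent + 1; // block scalar: body follows
      else script = run[2];                                    // inline `run: <command>`
    }
    if (script === null) continue;
    const expr = /\$\{\{\s*([^}]*?)\s*\}\}/g;
    let m: RegExpExecArray | null;
    while ((m = expr.exec(script)) !== null) {
      if (UNTRUSTED.test(m[1])) findings.push({ line: i + 1, expression: m[1] });
    }
  }
  return findings;
}

// Constructed workflows: the injection shape the rule targets, then the hardened form that
// passes the value through an env var so the shell receives it as data.
const VULNERABLE = [
  "    steps:",
  "      - run: |",
  '          echo "New issue: ${{ github.event.issue.title }}"',
  '          echo "Ref: ${{ github.ref }}"',
].join("\n");
const HARDENED = [
  "    steps:",
  "      - env:",
  "          TITLE: ${{ github.event.issue.title }}",
  "        run: |",
  '          echo "New issue: $TITLE"',
  '          echo "Ref: ${{ github.ref }}"',
].join("\n");
```

`github.ref` is left alone in both samples: the check flags only contexts an outside party can set, which is the distinction a rule like this has to draw to stay useful in CI.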