docs: archive PR 3026 #3059
Merged
105 changes: 105 additions & 0 deletions
105
...ussions/PR-3026-feat-scaffold-b-0424-6-add-semgrep-yml-gha-injection-rule-to.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| --- | ||
| pr_number: 3026 | ||
| title: "feat(scaffold): B-0424.6 \u2014 add .semgrep.yml GHA injection rule to forge+ace scaffold templates" | ||
| author: "AceHack" | ||
| state: "MERGED" | ||
| created_at: "2026-05-13T20:24:05Z" | ||
| merged_at: "2026-05-13T20:34:47Z" | ||
| closed_at: "2026-05-13T20:34:47Z" | ||
| head_ref: "feat/b-0424-6-scaffold-semgrep" | ||
| base_ref: "main" | ||
| archived_at: "2026-05-13T23:22:43Z" | ||
| archive_tool: "tools/pr-preservation/archive-pr.ts" | ||
| --- | ||
|
|
||
| # PR #3026: feat(scaffold): B-0424.6 — add .semgrep.yml GHA injection rule to forge+ace scaffold templates | ||
|
|
||
| ## PR description | ||
|
|
||
| ## Summary | ||
|
|
||
| - **Slice**: B-0424.6 — ADR 2026-04-22 checklist item: *"Semgrep rule for GHA inline-untrusted-in-run injection (already landed on Zeta; generalise to Forge + ace)"* | ||
| - Adds `tools/scaffold/forge/.semgrep.yml` and `tools/scaffold/ace/.semgrep.yml`, each containing the `gha-untrusted-in-run-line` rule (Rule 17 from Zeta's `.semgrep.yml`) | ||
| - Updates `create-repo.ts` step07 manual steps: step 3 is now "wire gate workflow" since the config file is now scaffolded (only CI job wiring deferred to Stage 2) | ||
| - Updates `tools/scaffold/README.md` template tree listing and manual-steps note | ||
| - Extends existing step-06 tests to assert `.semgrep.yml` present for both forge and ace | ||
|
|
||
| ## Test plan | ||
|
|
||
| - [x] `bun test tools/scaffold/create-repo.test.ts` — **18 pass, 0 fail** | ||
| - [x] `semgrep --config tools/scaffold/forge/.semgrep.yml --validate` — 0 errors, 1 rule | ||
| - [x] `semgrep --config tools/scaffold/ace/.semgrep.yml --validate` — 0 errors, 1 rule | ||
| - [x] `dotnet build -c Release` — 0 warnings, 0 errors | ||
|
|
||
| ## Context | ||
|
|
||
| B-0424 Stage 1 is the three-repo split scaffold (`LFG/Forge` + `LFG/ace`). Previous slices: | ||
| - B-0424.1: pre-start gate + scope decision (scaffold deferred actual creation) | ||
| - B-0424.2: `scaffold-stage1-create-repos.yml` CI dispatch workflow | ||
| - B-0424.3–B-0424.4: governance templates + `create-repo.ts` tool | ||
| - B-0424.5 (PR #3025): dry-run test suite (18 tests) | ||
|
|
||
| This slice completes one remaining ADR checklist item for the template set. The `.semgrep.yml` files are pushed as day-one governance files by `create-repo.ts` step 06 (before branch protection). CI wiring of the `semgrep` lint job remains a Stage-2 task. | ||
|
|
||
| operative-authorization: aaron 2026-05-13: "Cooling period: TBD. The memory file IS the durable record" | ||
|
|
||
| 🤖 Generated with [Claude Code](https://claude.com/claude-code) | ||
|
|
||
| ## Reviews | ||
|
|
||
| ### COMMENTED — @copilot-pull-request-reviewer (2026-05-13T20:27:14Z) | ||
|
|
||
| ## Pull request overview | ||
|
|
||
| Adds Semgrep governance to the Stage-1 scaffold templates for the Forge and ace repos, ensuring the GitHub Actions inline-untrusted-in-`run:` injection rule is present from day one and reflected in the scaffold tool/docs. | ||
|
|
||
| **Changes:** | ||
| - Add `.semgrep.yml` to both `tools/scaffold/forge/` and `tools/scaffold/ace/` containing `gha-untrusted-in-run-line`. | ||
| - Update scaffold docs + `create-repo.ts` step-07 manual steps to reflect that only CI wiring remains manual (Stage 2). | ||
| - Extend the existing dry-run tests to assert `.semgrep.yml` is included in the scaffolded file set. | ||
|
|
||
| ### Reviewed changes | ||
|
|
||
| Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments. (Archive note: the review listed 5 files in the per-file table; the 6th file, `tools/scaffold/forge/.mise.toml`, was added in the fix commit dbcad11d after this review was generated.) | ||
|
|
||
| <details> | ||
| <summary>Show a summary per file</summary> | ||
|
|
||
| | File | Description | | ||
| | ---- | ----------- | | ||
| | tools/scaffold/README.md | Updates template tree listing and manual-step guidance to include Semgrep wiring. | | ||
| | tools/scaffold/forge/.semgrep.yml | Adds Forge Semgrep config with the GHA injection rule. | | ||
| | tools/scaffold/ace/.semgrep.yml | Adds ace Semgrep config with the same GHA injection rule. | | ||
| | tools/scaffold/create-repo.ts | Adjusts step-07 manual steps to “wire gate workflow” now that `.semgrep.yml` is scaffolded. | | ||
| | tools/scaffold/create-repo.test.ts | Adds assertions that `.semgrep.yml` is present in step-06 planned scaffold files. | | ||
| </details> | ||
|
|
||
| ### COMMENTED — @AceHack (2026-05-13T20:31:15Z) | ||
|
|
||
| _(no body)_ | ||
|
|
||
| ### COMMENTED — @AceHack (2026-05-13T20:31:16Z) | ||
|
|
||
| _(no body)_ | ||
|
|
||
| ## Review threads | ||
|
|
||
| ### Thread 1: tools/scaffold/forge/.semgrep.yml:10 (resolved) | ||
|
|
||
| **@copilot-pull-request-reviewer** (2026-05-13T20:27:13Z): | ||
|
|
||
| The header comment claims Semgrep is pinned via `pipx:semgrep` in `.mise.toml`, but the scaffolded Forge repo template currently does not include a `.mise.toml` (or an install script) in this directory. This is likely to confuse consumers of the template. Either scaffold the corresponding toolchain pin file as well, or reword to point at the current source of truth (e.g., Zeta’s toolchain) and/or note that the pin lands in Stage 2. Also consider calling out that `pipx:` is mise’s registry name and installs via `uv` when present (per ADR 2026-04-27) to avoid implying pipx is required. | ||
|
|
||
| **@AceHack** (2026-05-13T20:31:15Z): | ||
|
|
||
| Fixed in the latest commit (dbcad11d): added `tools/scaffold/forge/.mise.toml` with `uv = "0.11.8"` and `"pipx:semgrep" = "1.161.0"` so the pin claim in the header is accurate. Also updated the header comment to clarify that `pipx:` is mise's registry prefix routing through `uv tool install` (per ADR 2026-04-27). Dry-run test extended to assert `.mise.toml` is present in the step-06 file set. | ||
|
|
||
| ### Thread 2: tools/scaffold/ace/.semgrep.yml:10 (resolved) | ||
|
|
||
| **@copilot-pull-request-reviewer** (2026-05-13T20:27:14Z): | ||
|
|
||
| The header comment claims Semgrep is pinned via `pipx:semgrep` in `.mise.toml`, but the scaffolded ace repo template currently does not include a `.mise.toml` (or an install script) in this directory. This is likely to confuse consumers of the template. Either scaffold the corresponding toolchain pin file as well, or reword to point at the current source of truth (e.g., Zeta’s toolchain) and/or note that the pin lands in Stage 2. Also consider calling out that `pipx:` is mise’s registry name and installs via `uv` when present (per ADR 2026-04-27) to avoid implying pipx is required. | ||
|
|
||
| **@AceHack** (2026-05-13T20:31:16Z): | ||
|
|
||
| Fixed in the latest commit (dbcad11d): added `tools/scaffold/ace/.mise.toml` with `uv = "0.11.8"` and `"pipx:semgrep" = "1.161.0"` so the pin claim in the header is accurate. Also updated the header comment to clarify that `pipx:` is mise's registry prefix routing through `uv tool install` (per ADR 2026-04-27). Dry-run test extended to assert `.mise.toml` is present in the step-06 file set. | ||