diff --git a/docs/work/2026-05-14-ci-security-and-supply-chain/06-codeql-and-audit-signatures/_story.md b/docs/work/2026-05-14-ci-security-and-supply-chain/06-codeql-and-audit-signatures/_story.md
index 8581848..6ab71b5 100644
--- a/docs/work/2026-05-14-ci-security-and-supply-chain/06-codeql-and-audit-signatures/_story.md
+++ b/docs/work/2026-05-14-ci-security-and-supply-chain/06-codeql-and-audit-signatures/_story.md
@@ -3,7 +3,7 @@ id: 06-codeql-and-audit-signatures
 epic: 2026-05-14-ci-security-and-supply-chain
 title: CodeQL workflow + pnpm audit signatures
 type: technical-story
-status: in-progress
+status: done
 feature: tooling
 depends-on: []
 blocks: [08-reviewer-prompt-update]
@@ -37,4 +37,4 @@ Add two baseline GitHub-native gates: (1) a `pnpm audit signatures --audit-level
 ## Tasks
 
 - [x] Add `pnpm audit signatures --audit-level=high` as a step in `ci.yml`'s `validate` job; one commit, all gates pass.
-- [ ] Create `.github/workflows/codeql.yml` (language: `javascript-typescript`; triggers: push to main, pull_request, weekly schedule Wednesday 02:00 UTC; default queries; consumer note about GitHub Advanced Security requirement for private repos); one commit, all gates pass.
+- [x] Create `.github/workflows/codeql.yml` (language: `javascript-typescript`; triggers: push to main, pull_request, weekly schedule Wednesday 02:00 UTC; default queries; consumer note about GitHub Advanced Security requirement for private repos); one commit, all gates pass.
diff --git a/docs/work/_state.json b/docs/work/_state.json
index 42c4e29..d8d3ac4 100644
--- a/docs/work/_state.json
+++ b/docs/work/_state.json
@@ -1,5 +1,5 @@
 {
- "updated_at": "2026-05-14T17:54:43.702Z",
+ "updated_at": "2026-05-14T17:56:41.640Z",
 "epics": {
 "2026-05-13-binder-wrap-helper": {
 "status": "done",
@@ -100,10 +100,10 @@
 ]
 },
 "06-codeql-and-audit-signatures": {
- "status": "in-progress",
+ "status": "done",
 "title": "CodeQL workflow + pnpm audit signatures",
 "ac_total": 2,
- "ac_completed": 1,
+ "ac_completed": 2,
 "depends_on": [],
 "blocks": [
 "08-reviewer-prompt-update"
@@ -260,13 +260,13 @@
 "ready": [
 {
 "epic": "2026-05-14-ci-security-and-supply-chain",
- "story": "06-codeql-and-audit-signatures",
- "title": "CodeQL workflow + pnpm audit signatures"
+ "story": "07-gitleaks-precommit",
+ "title": "Gitleaks pre-commit hook"
 },
 {
 "epic": "2026-05-14-ci-security-and-supply-chain",
- "story": "07-gitleaks-precommit",
- "title": "Gitleaks pre-commit hook"
+ "story": "08-reviewer-prompt-update",
+ "title": "Sandcastle reviewer prompt update"
 },
 {
 "epic": "2026-05-14-ci-security-and-supply-chain",
@@ -274,15 +274,6 @@
 "title": "CI security guide + CLAUDE.md"
 }
 ],
- "blocked": [
- {
- "epic": "2026-05-14-ci-security-and-supply-chain",
- "story": "08-reviewer-prompt-update",
- "title": "Sandcastle reviewer prompt update",
- "waiting_on": [
- "2026-05-14-ci-security-and-supply-chain/06-codeql-and-audit-signatures"
- ]
- }
- ],
+ "blocked": [],
 "needs_prd_ship": []
 }