From fd66b119b39ee263b88947d12374964292d5a128 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Sat, 21 Mar 2026 23:55:40 +0000
Subject: [PATCH 1/3] ci: add dual-approval caller workflow
Calls the shared privilegedescalation/.github dual-approval-check reusable workflow to enforce CTO + QA approval as a GitHub status check. Once privilegedescalation/.github#47 is merged, this status check can be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip
---
 .github/workflows/dual-approval.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .github/workflows/dual-approval.yaml
diff --git a/.github/workflows/dual-approval.yaml b/.github/workflows/dual-approval.yaml
new file mode 100644
index 0000000..a2de07c
--- /dev/null
+++ b/.github/workflows/dual-approval.yaml
@@ -0,0 +1,18 @@
+name: Dual Approval (CTO + QA)
+
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
+
+on:
+ pull_request_review:
+ types: [submitted, dismissed]
+ pull_request:
+ branches: [main]
+ types: [opened, reopened, synchronize]
+
+jobs:
+ dual-approval:
+ uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+ secrets: inherit
From d1097c2dbf2f57e96308adc94361ceb083725a0f Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sun, 22 Mar 2026 05:49:14 +0000
Subject: [PATCH 2/3] ci: trigger fresh CI run with updated shared workflows
From c08f3fbdbe7c7ee0996d772094edb21694d1cf43 Mon Sep 17 00:00:00 2001
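Review bot: The `uses:` line references the shared workflow by the mutable branch ref `@main` while `secrets: inherit` hands it every secret this repository holds, so anyone who can change `main` of privilegedescalation/.github controls code that runs with those secrets on every pull request event; the third patch in this series adds Renovate `pinDigests`, but as far as I know Renovate only digest-pins tag or version refs and leaves a branch ref untouched, so this line stays unpinned. Once privilegedescalation/.github#47 lands, reference a full commit SHA with the tag recorded beside it, `uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@<full-commit-sha> # <tag the SHA corresponds to>`, and replace `secrets: inherit` with an explicit `secrets:` map listing only what the called workflow declares (an approval-counting check plausibly needs nothing beyond `GITHUB_TOKEN`; confirm against dual-approval-check.yaml). Consider also a caller-level `permissions:` block so the job token is least-privilege rather than the repository default; the exact scopes must match what the called workflow declares, since a caller grant narrower than the callee's needs fails the run. The header comment's instruction to add "Dual Approval (CTO + QA)" to required_status_checks is likely off: required checks are matched by check-run name, which for a reusable-workflow job appears as `dual-approval / <called job name>` rather than the workflow `name:`, so confirm the exact string from the first run before documenting it.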
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 07:16:04 +0000
Subject: [PATCH 3/3] chore(renovate): add pinDigests to ensure SHA pinning for GitHub Actions
The org renovate-config.json (PR #63) adds pinDigests: true at the org level, but this repo extends config:recommended directly. Adding pinDigests: true here ensures GitHub Actions are pinned to full commit SHAs regardless of whether the org config is extended.
Related: privilegedescalation/.github#63, PRI-757
---
 renovate.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/renovate.json b/renovate.json
index 9ca1ba1..d9ce489 100644
--- a/renovate.json
+++ b/renovate.json
@@ -4,6 +4,7 @@
 "baseBranches": ["main"],
 "schedule": ["every weekend"],
 "prConcurrentLimit": 10,
+ "pinDigests": true,
 "packageRules": [
 {
 "matchManagers": ["npm"],
@@ -17,3 +18,4 @@
 }
 ]
 }
+
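Review bot: `"pinDigests": true` placed at the top level of renovate.json applies to every manager Renovate runs in this repository, not only github-actions, so any Dockerfile, compose file or Helm values added later will also have image tags rewritten to `tag@sha256:…` digests; if SHA-pinning of Actions is the only intent, scope it with a rule inside the existing `packageRules` array, `{ "matchManagers": ["github-actions"], "pinDigests": true }`, instead of the global key. Note too that, as far as I know, Renovate digest-pins only tag or version refs, so a reusable workflow referenced by a branch such as `@main` (as the first patch in this series does) is left untouched, and this setting does not by itself provide the "regardless" guarantee the commit message describes for that reference. The second hunk only appends an empty line after the closing `}`; a single newline at EOF is the usual convention and the extra blank line will be churned by the next formatter run.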