What is not yet asserted
Scenario 28 round-trips the generated drift-check files through cascade verify, but it never asserts the least-privilege permissions: {} block the drift-comment companion is supposed to emit. The security posture of that companion workflow is generated but unchecked.
Features closed (2)
wf.drift.empty-permissions, sec.empty-permissions-default
Closing approach
Layer: act+gitea. Extend the drift-check scenario with a workflow_files.contains assertion pinning the permissions: {} (and the top-level contents: read) block on the emitted drift-comment workflow, mirroring the pattern already used in orchestrate/least-privilege-permissions.yaml.
Acceptance
- A workflow_files.contains assertion on the drift-comment permissions: {} block.
- Scenario green.
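The assertion described above is a substring match on the emitted drift-comment workflow. As an added example (not the project's scenario format or generator output), the check below shows the structural property that match is meant to pin: an explicit top-level permissions block must exist, and every permissions block in the file may grant at most contents: read. The two sample workflows are constructed; where the `{}` and `contents: read` blocks sit (top-level versus job-level) is an assumption, since the page does not fix the placement. The check goes slightly beyond the page by also flagging the read-all / write-all shorthands and job-level blocks.

```python
"""Least-privilege check for a generated GitHub Actions workflow.

Added example, not the project's code: the scenario's workflow_files.contains
assertion is a substring match on the emitted file; this helper checks the
structural property that match is meant to pin. It parses only the YAML subset
a workflow generator emits (block mappings with plain scalars, the flow `{}`).
"""
from __future__ import annotations

ALLOWED = {"contents": "read"}  # the only scope/level the companion may hold


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _meaningful(line: str) -> bool:
    s = line.strip()
    return bool(s) and not s.startswith("#")


def permission_blocks(workflow_text: str, indent: int) -> list[dict[str, str]]:
    """Return every `permissions:` mapping found at exactly `indent` spaces.

    `permissions: {}` yields {}, the shorthand `permissions: read-all` yields
    {"*": "read-all"}, and a block mapping yields {scope: level, ...}.
    """
    lines = workflow_text.splitlines()
    blocks: list[dict[str, str]] = []
    for i, line in enumerate(lines):
        if not _meaningful(line) or _indent(line) != indent:
            continue
        s = line.strip()
        if not s.startswith("permissions:"):
            continue
        value = s[len("permissions:"):].strip()
        if value == "{}":
            blocks.append({})
            continue
        if value:  # shorthand such as read-all / write-all
            blocks.append({"*": value})
            continue
        perms: dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if not _meaningful(nxt):
                continue
            if _indent(nxt) <= indent:  # dedent ends the mapping
                break
            scope, _, level = nxt.strip().partition(":")
            perms[scope.strip()] = level.strip()
        blocks.append(perms)
    return blocks


def check_least_privilege(workflow_text: str) -> list[str]:
    """Return findings; an empty list means the workflow is compliant.

    Requires an explicit top-level block (otherwise the GITHUB_TOKEN inherits
    the repository default) and lets every block, top-level (indent 0) or
    job-level (indent 4 in the conventional layout), grant at most ALLOWED.
    """
    findings: list[str] = []
    top = permission_blocks(workflow_text, 0)
    if not top:
        findings.append("missing top-level permissions block; token falls back to repository default")
    for where, blocks in (("top-level", top), ("job-level", permission_blocks(workflow_text, 4))):
        for block in blocks:
            if "*" in block:
                findings.append(f"{where} shorthand '{block['*']}' is broader than least privilege")
                continue
            for scope, level in block.items():
                if ALLOWED.get(scope) != level:
                    findings.append(f"{where} grants {scope}: {level}, outside allowed {ALLOWED}")
    return findings


# Constructed samples (not files emitted by the project's generator).
DRIFT_COMMENT_OK = """\
name: drift-comment
on:
  workflow_run:
    workflows: [drift-check]
    types: [completed]
permissions: {}
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo "report drift"
"""

DRIFT_COMMENT_BAD = """\
name: drift-comment
on: [workflow_run]
jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - run: echo "report drift"
"""

if __name__ == "__main__":
    for name, text in (("ok", DRIFT_COMMENT_OK), ("bad", DRIFT_COMMENT_BAD)):
        print(name, check_least_privilege(text) or "compliant")
```

Run it as a script to see the compliant sample pass and the broad one produce three findings (no top-level block, contents: write, pull-requests: write). A substring assertion on `permissions: {}` alone would not catch a generator that later adds a job-level `contents: write`, which is why the structural walk covers both levels.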