Implement organization-wide safety standards with self-hosted runner support and automation #25

Open

Copilot wants to merge 6 commits into master from copilot/implement-safety-standards

Copilot AI commented Feb 14, 2026

Establishes comprehensive security practices for GitHub Actions workflows across the organization, adds official ownership announcement, and provides automation for propagating these standards to other repositories.

Workflow Security Enhancements

  • Added security headers to all 7 workflow files documenting self-hosted runner usage, minimal permissions, and maintenance requirements
  • Example header structure:
    # Security Best Practices:
    # - Uses self-hosted runners where appropriate
    # - Minimal permissions principle
    # - Regular runner maintenance required
    # - Actions pinned to specific versions
    
    name: CI
    permissions:
      contents: read
      actions: read

Global Ownership Announcement

  • Added announcement to README.md and created ANNOUNCEMENT.md
  • References all verified channels: kushmanmb.base.eth, kushmanmb.eth, kushmania.eth, kushmanmb.org, yaketh.eth
  • Centralized template in .github/templates/global-announcement.md

Documentation Updates

SECURITY.md (+64 lines):

  • Self-hosted runner setup and configuration
  • Workflow audit checklist (7 items)
  • Branch protection requirements
  • Secrets management with 90-day rotation policy
  • Maintenance schedules (monthly/quarterly/annual)

CONTRIBUTING.md (+28 lines):

  • Ownership verification section
  • Security and workflow practices reference

Organization-Wide Automation

Two propagation methods:

  1. CLI Tool (scripts/propagate-updates.sh):

    ./scripts/propagate-updates.sh --list              # List all repos
    ./scripts/propagate-updates.sh --dry-run          # Preview changes
    ./scripts/propagate-updates.sh --repo target-repo # Update specific repo
  2. GitHub Actions Workflow (.github/workflows/propagate-safety-standards.yml):

    • Manual trigger with dry-run support
    • Automated PR creation
    • Repository validation

Documentation:

  • ORG_WIDE_UPDATE_PROCESS.md - Complete manual and automated procedures (252 lines)
  • QUICK_START_GUIDE.md - Practical guide for maintainers, contributors, and DevOps (224 lines)

Files Changed

  • Modified: 9 files (7 workflows + README.md + SECURITY.md + CONTRIBUTING.md)
  • Created: 8 files (automation tools, templates, documentation)
  • Total: 1,200+ lines added

Security Validation

  • CodeQL scan: 0 vulnerabilities
  • No secrets or credentials in code
  • All workflows follow least privilege principle

Original prompt

Implement the following across the repository with highest safety standards:

  1. Workflows Using Self-Hosted Runners:

    • All GitHub Actions should use self-hosted runners (preferably with restricted and hardened access).
    • Update workflow files for best practices (least privilege, minimal secrets exposure, job isolation).
  2. Enhanced Safety Practices:

    • Restrict workflow and GITHUB_TOKEN permissions.
    • Enforce branch protection and code review on the default branch.
    • Audit secrets and workflow usage.
    • Document safety practices in SECURITY.md.
    • Recommend periodic runner and action version updates.
  3. Global Announcement:

    • At the top of README.md (and/or a new ANNOUNCEMENT.md) add:

    Global Announcement:
    Bitcoin is an officially owned and operated crypto blockchain project maintained by kushmanmb-org.
    For latest updates, policies, and contact, always consult this repository and our verified channels:

    • kushmanmb.base.eth
    • kushmanmb.eth
    • kushmania.eth
    • kushmanmb.org
    • yaketh.eth

Reference all data ownership to these addresses.

  4. Documentation Update:

    • Reflect updated safety, workflow, and ownership practices in README, SECURITY, and CONTRIBUTING files.
    • Ensure all public contact, ownership, and trust info is verifiable via listed ENS and .org.
  5. Automate/Centralize Updates:

    • Document update process for other repos in org for reuse.
    • Optionally, add a GITHUB workflow or bash script for propagating similar updates org-wide.

Note: All changes must follow secure coding and operational best practices.

This pull request was created from Copilot chat.
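The workflow hardening the description lists (a top-level least-privilege `permissions:` block, actions pinned to specific versions, self-hosted runners) can be checked mechanically rather than by reading each of the seven workflow files. The audit script below is an added example written for this page; it is not code from the PR, nor the repository's `scripts/propagate-updates.sh`. It matches the workflow text with plain regexes instead of a YAML parser, and it is stricter than the page's "pinned to specific versions": any `uses:` ref that is not a full 40-character commit SHA is reported as unpinned. The two workflow samples and the all-zero SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Plain regex matching over the workflow text, so the script needs only the
# standard library. YAML comments are stripped before matching; only the keys
# the PR's checklist cares about are inspected (top-level keys, permissions,
# uses, runs-on). This is an approximation, not a YAML parser.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*):")
PERMISSIONS_SCALAR = re.compile(r"^\s*permissions:\s*(\S+)\s*$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")
RUNS_ON_LINE = re.compile(r"^\s*runs-on:\s*(.+?)\s*$")
FULL_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int     # 1-based line in the workflow text; 0 for file-level findings
    rule: str     # short rule identifier
    detail: str


def audit_workflow(text: str) -> list[Finding]:
    """Return least-privilege, pinning and runner findings for one workflow."""
    findings: list[Finding] = []
    has_top_level_permissions = False

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()   # drop YAML comments
        if not line:
            continue

        key = TOP_LEVEL_KEY.match(line)
        if key and key.group(1) == "permissions":
            has_top_level_permissions = True

        scalar = PERMISSIONS_SCALAR.match(line)
        if scalar and scalar.group(1) == "write-all":
            findings.append(Finding(lineno, "write-all",
                "GITHUB_TOKEN granted write-all; list only the scopes the job needs"))
            continue

        uses = USES_LINE.match(line)
        if uses:
            ref = uses.group(1)
            if ref.startswith(("./", "docker://")):
                continue                        # local or container action: nothing to pin here
            action, _, version = ref.partition("@")
            if not FULL_COMMIT_SHA.match(version):
                shown = version or "<none>"
                findings.append(Finding(lineno, "unpinned-action",
                    f"{action} uses mutable ref '{shown}' instead of a full commit SHA"))
            continue

        runner = RUNS_ON_LINE.match(line)
        if runner and "self-hosted" not in runner.group(1):
            findings.append(Finding(lineno, "hosted-runner",
                f"runs-on '{runner.group(1)}' is not a self-hosted label"))

    if not has_top_level_permissions:
        findings.append(Finding(0, "no-permissions-block",
            "no top-level permissions: block; the token keeps the repository default scopes"))
    return findings


# Constructed sample: the shape of workflow the PR's security headers replace.
BEFORE = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Constructed sample modelled on the PR's header: explicit least-privilege
# permissions, self-hosted runner labels, action pinned to a commit SHA.
# The SHA is an all-zero placeholder, not a real commit.
AFTER = """\
# Security Best Practices:
# - Uses self-hosted runners where appropriate
# - Minimal permissions principle
# - Regular runner maintenance required
# - Actions pinned to specific versions

name: CI
on: [push]
permissions:
  contents: read
  actions: read
jobs:
  build:
    runs-on: [self-hosted, linux, hardened]
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
      - run: make test
"""


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        results = audit_workflow(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
```

Run against a checkout, the script can be pointed at each file under `.github/workflows/` and wired into the audit checklist the description mentions; a clean run on the "after" sample and three findings on the "before" sample show the three properties it enforces.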


Copilot AI and others added 5 commits February 14, 2026 13:59
… info

- Add global announcement to README.md with verified channels
- Create ANNOUNCEMENT.md with official ownership statement
- Update SECURITY.md with workflow security practices and ownership info
- Update CONTRIBUTING.md with ownership and security guidelines
- Create ORG_WIDE_UPDATE_PROCESS.md for replicating updates across org

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create propagate-updates.sh script for CLI-based updates
- Create propagate-safety-standards.yml workflow for automated updates
- Add scripts/README.md with documentation
- Both tools support dry-run mode for testing
- Include repository listing and selective updates

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create .github/templates/global-announcement.md as single source of truth
- Update propagate-updates.sh to fetch from template
- Update propagate-safety-standards.yml to use template
- Add templates/README.md with documentation
- Addresses code review feedback about duplication

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create QUICK_START_GUIDE.md with practical instructions
- Include setup guides for maintainers, contributors, and DevOps
- Add templates and checklists for common tasks
- Document monthly/quarterly/annual maintenance schedules
- Provide quick reference links to all documentation

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Document all requirements met with detailed breakdown
- List all files changed/created with line counts
- Include security validation results
- Provide maintenance schedules and usage instructions
- Confirm zero vulnerabilities and complete implementation

Copilot AI changed the title from "[WIP] Implement workflows using self-hosted runners with safety measures" to "Implement organization-wide safety standards with self-hosted runner support and automation" Feb 14, 2026
@Kushmanmb Yaketh (Kushmanmb) marked this pull request as ready for review February 14, 2026 14:15
@Kushmanmb Yaketh (Kushmanmb) left a comment

kushmanmb.eth
