Skip to content

feat(ci): add APM audit enforcement workflow#39

Open
jsell-rh wants to merge 4 commits into
mainfrom
worktree-apm-ci-enforcement
Open

feat(ci): add APM audit enforcement workflow#39
jsell-rh wants to merge 4 commits into
mainfrom
worktree-apm-ci-enforcement

Conversation

@jsell-rh

@jsell-rh jsell-rh commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add apm-audit.yml workflow that runs apm audit --ci --no-cache --no-drift on PRs, merge queue, and push to main
  • Uses microsoft/apm-action@v1 (SHA-pinned) which handles APM CLI installation and apm install before running the audit
  • Summary job ("APM Audit CI Gate") integrates with the try-enqueue auto-merge pattern
  • Added "APM Audit CI Gate" to the GATES array in try-enqueue.sh
  • Uses --no-drift initially — existing drift from the APM adoption PR (chore: adopt APM and reorganize skills into SDLC buckets #37) needs separate resolution

Test plan

  • Workflow YAML validates (correct action inputs, SHA-pinned dependencies)
  • Gate name added to try-enqueue.sh GATES array
  • Follows existing patterns: concurrency group, if: always() summary, try-enqueue step
  • Verify workflow runs on this PR (will appear in checks)

🤖 Generated with Claude Code

@claude
feat(ci): add APM audit enforcement workflow
9d4854b 
Add apm-audit.yml that runs `apm audit --ci --no-cache --no-drift`
on PRs, merge queue, and push to main. Uses microsoft/apm-action@v1
which handles APM CLI installation and runs `apm install` before
the audit script. The summary job ("APM Audit CI Gate") follows the
try-enqueue pattern for auto-merge integration.

Uses --no-drift initially since existing drift from the APM adoption
PR needs to be resolved separately.

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions github-actions Bot added auto-merge-pending PR eligible for auto-merge, waiting for checks ci scripts labels Jun 16, 2026
@claude
fix(ci): use setup-only mode for APM audit
35ad670 
The agentic-sdlc dependency is private — apm install fails in CI
without auth. Use setup-only to install just the CLI, then run
apm audit directly as a shell command. The audit checks lockfile
integrity, content integrity, and ref consistency without needing
to clone the dependency.

Co-Authored-By: Claude <noreply@anthropic.com>
@jsell-rh jsell-rh mentioned this pull request Jun 16, 2026
Open
@claude
fix(ci): commit APM lockfile for CI audit
45840bc 
Un-ignore apm.lock.yaml and commit the generated lockfile so
apm audit --ci can verify lockfile-exists, ref-consistency, and
other structural checks in CI.

Co-Authored-By: Claude <noreply@anthropic.com>
markturansky
markturansky approved these changes Jun 16, 2026
View reviewed changes

@markturansky markturansky left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jsell-rh

jsell-rh commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator Author

🤖 Amber Review

Clean CI implementation. One question to resolve, then this is good to go.

Summary: Workflow follows all existing patterns correctly. SHA-pinned, least-privilege, proper concurrency group. One question about whether apm audit requires apm install when setup-only: true is set.

Full Analysis

Strengths:

  • Uses pull_request trigger (not pull_request_target) — correct per CLAUDE.md security requirements ✅
  • Both actions SHA-pinned (actions/checkout@df4cb1c0..., microsoft/apm-action@e5650fb8...) ✅
  • audit job scoped to contents: read only ✅
  • summary job permissions are the minimum for try-enqueue (contents: write, pull-requests: write, checks: read) ✅
  • cancel-in-progress: true prevents redundant runs on rapid pushes ✅
  • timeout-minutes: 5
  • if: always() on summary job matches existing gate pattern ✅
  • Gate name "APM Audit CI Gate" matches the GATES addition in try-enqueue.sh exactly ✅
  • apm.lock.yaml committed (with .gitignore updated) — correct, CI needs it for apm audit

Question — setup-only: true + apm audit

The workflow installs the APM CLI with setup-only: 'true' (skips apm install) then runs apm audit --ci --no-cache --no-drift. Does apm audit validate the lockfile contents against a registry without needing local packages installed? Or does it need apm install to have run first?

If audit requires installed packages, removing setup-only: 'true' (so the action also runs apm install) would be the fix. If it's purely registry/lockfile validation, the current approach is correct. The PR description implies the action handles install, but with setup-only: 'true' it doesn't — worth a quick confirm from the apm audit docs or a test run on this PR's checks output.

Acknowledged tech debt: --no-drift is a known temporary flag pending drift cleanup from #37. This is fine to ship given the explicit acknowledgment.

Confidence: High on everything except the setup-only question above (Medium).

— Amber

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@markturansky markturansky markturansky approved these changes

Assignees

No one assigned

Labels

amber/approved auto-merge-pending PR eligible for auto-merge, waiting for checks ci scripts

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jsell-rh @markturansky