Skip to content

chore(apm): document explicit secure-baseline pin rationale#8

Merged
danielmeppiel merged 1 commit into
mainfrom
chore/baseline-pin-rationale
May 7, 2026
Merged

chore(apm): document explicit secure-baseline pin rationale#8
danielmeppiel merged 1 commit into
mainfrom
chore/baseline-pin-rationale

Conversation

@danielmeppiel

Copy link
Copy Markdown
Contributor

Why

Storefront's apm.yml already pins secure-baseline correctly. What's missing is why — future contributors might wonder if collapsing it to a transitive dep through one of the phase kits would simplify things.

Answer: no, and the answer is now in a comment block.

What

Comment-only change above dependencies.apm:

  • Phase kits (code-kit / review-kit / release-kit / operate-kit) ship with zero transitive APM deps by design.
  • Carrying the secure-baseline pin in this consumer file gives the org grep-able proof-of-coverage, surfaces Renovate / Dependabot bumps in the consumer's PR diff, and lets the reusable apm-baseline-check.yml workflow fail the build deterministically when the floor is missing.
  • Trade: one extra line per consumer apm.yml in exchange for an unambiguous audit trail.

Backed by the zava-agent-config CATALOG.md "Consumption patterns" section (PR #3, currently in flight).

Validation

No behavioural change. apm install resolves the same lockfile.

Out of scope (follow-up)

Wiring apm-baseline-check.yml as a CI job in .github/workflows/ci.yml waits for zava-agent-config@v6.0.0 to tag, so the workflow ref can pin to a stable tag rather than @main.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Adds a comment block above the dependencies.apm list explaining why
storefront pins secure-baseline EXPLICITLY rather than relying on a
transitive shortcut through code-kit / review-kit / release-kit /
operate-kit (none of which redeclare the floor as a transitive dep, by
design — see zava-agent-config CATALOG.md 'Consumption patterns').

Trade: one extra line per consumer apm.yml in exchange for:
  - a grep-friendly proof-of-coverage across the org;
  - bot bumps that surface in the consumer's PR diff (not buried in a
    transitive lockfile change);
  - deterministic CI enforcement via apm-baseline-check.yml.

No behavioural change; comment-only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danielmeppiel danielmeppiel merged commit 9b17339 into main May 7, 2026
2 checks passed
@danielmeppiel danielmeppiel deleted the chore/baseline-pin-rationale branch May 7, 2026 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant