chore(apm): document explicit secure-baseline pin rationale#8
Merged
Conversation
Adds a comment block above the dependencies.apm list explaining why
storefront pins secure-baseline EXPLICITLY rather than relying on a
transitive shortcut through code-kit / review-kit / release-kit /
operate-kit (none of which redeclare the floor as a transitive dep, by
design — see zava-agent-config CATALOG.md 'Consumption patterns').
Trade: one extra line per consumer apm.yml in exchange for:
- a grep-friendly proof-of-coverage across the org;
- bot bumps that surface in the consumer's PR diff (not buried in a
transitive lockfile change);
- deterministic CI enforcement via apm-baseline-check.yml.
No behavioural change; comment-only.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Storefront's
apm.ymlalready pinssecure-baselinecorrectly. What's missing is why — future contributors might wonder if collapsing it to a transitive dep through one of the phase kits would simplify things.Answer: no, and the answer is now in a comment block.
What
Comment-only change above
dependencies.apm:code-kit/review-kit/release-kit/operate-kit) ship with zero transitive APM deps by design.secure-baselinepin in this consumer file gives the orggrep-able proof-of-coverage, surfaces Renovate / Dependabot bumps in the consumer's PR diff, and lets the reusableapm-baseline-check.ymlworkflow fail the build deterministically when the floor is missing.apm.ymlin exchange for an unambiguous audit trail.Backed by the
zava-agent-configCATALOG.md "Consumption patterns" section (PR #3, currently in flight).Validation
No behavioural change.
apm installresolves the same lockfile.Out of scope (follow-up)
Wiring
apm-baseline-check.ymlas a CI job in.github/workflows/ci.ymlwaits forzava-agent-config@v6.0.0to tag, so the workflow ref can pin to a stable tag rather than@main.Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com