Surfaced by Copilot review on #420 and verified against the tree and live repo state. Both are documentation drift in WORKFLOW.md, pre-existing on develop (carried in with #417), not regressions from #420.
1. configure.sh check / apply no longer exist
WORKFLOW.md references subcommands the script does not implement:
- line 589: "Run
repo-config/configure.sh check (section 6)"
- line 659: "
repo-config/configure.sh check reads the live rulesets ... that command is the 5D audit"
- line 660: "
repo-config/configure.sh apply configures a fresh repo"
The current interface is repo-config/configure.sh [owner/repo] [release|operational]. Because arg 1 is the repo, invoking configure.sh check would be parsed as repo name check, not a subcommand -- so the documented command silently does the wrong thing rather than erroring helpfully.
The audit flow also moved to AUDIT.md, which is now the read-only drift-reporting authority. WORKFLOW.md still describes configure.sh check as "the 5D audit".
Fix: update the three WORKFLOW.md references to point at the AUDIT.md flow for auditing and the current configure.sh argument form for applying.
2. NUGET_USERNAME secret store is documented inconsistently
WORKFLOW.md line 621-622 says NUGET_USERNAME is Actions store, and pointedly contrasts it with the App pair, which it says is "required in both the Actions and Dependabot secret stores".
But spec/secrets.json declares "stores": ["actions", "dependabot"] for the nuget-oidc mechanism, and AUDIT.md line 42 states the name "live[s] in both the Actions and Dependabot stores" and iterates both stores in its check snippet.
Note the consequence Copilot predicted does not occur. The review claimed the audit would report a false defect; live state shows the secret is present in both stores:
actions: CODECOV_TOKEN CODEGEN_APP_CLIENT_ID CODEGEN_APP_PRIVATE_KEY NUGET_USERNAME
dependabot: CODECOV_TOKEN CODEGEN_APP_CLIENT_ID CODEGEN_APP_PRIVATE_KEY NUGET_USERNAME
So the audit passes today. The defect is purely that the three documents disagree, which will mislead the next person reconciling them.
Fix: decide which is authoritative and align. spec/secrets.json and AUDIT.md match live state, so the likely correction is WORKFLOW.md line 621. Worth confirming against the fleet hub's canonical spec, and worth asking whether Dependabot genuinely needs NUGET_USERNAME -- publishing runs on push to main with the Actions store, so the Dependabot copy may be unnecessary rather than required.
Fleet note
WORKFLOW.md and repo-config/ are carried from ProjectTemplate, so both items may need fixing upstream rather than only here.
Surfaced by Copilot review on #420 and verified against the tree and live repo state. Both are documentation drift in
WORKFLOW.md, pre-existing ondevelop(carried in with #417), not regressions from #420.1.
configure.sh check/applyno longer existWORKFLOW.mdreferences subcommands the script does not implement:repo-config/configure.sh check(section 6)"repo-config/configure.sh checkreads the live rulesets ... that command is the 5D audit"repo-config/configure.sh applyconfigures a fresh repo"The current interface is
repo-config/configure.sh [owner/repo] [release|operational]. Because arg 1 is the repo, invokingconfigure.sh checkwould be parsed as repo namecheck, not a subcommand -- so the documented command silently does the wrong thing rather than erroring helpfully.The audit flow also moved to
AUDIT.md, which is now the read-only drift-reporting authority.WORKFLOW.mdstill describesconfigure.sh checkas "the 5D audit".Fix: update the three
WORKFLOW.mdreferences to point at theAUDIT.mdflow for auditing and the currentconfigure.shargument form for applying.2.
NUGET_USERNAMEsecret store is documented inconsistentlyWORKFLOW.mdline 621-622 saysNUGET_USERNAMEis Actions store, and pointedly contrasts it with the App pair, which it says is "required in both the Actions and Dependabot secret stores".But
spec/secrets.jsondeclares"stores": ["actions", "dependabot"]for thenuget-oidcmechanism, andAUDIT.mdline 42 states the name "live[s] in both the Actions and Dependabot stores" and iterates both stores in its check snippet.Note the consequence Copilot predicted does not occur. The review claimed the audit would report a false defect; live state shows the secret is present in both stores:
So the audit passes today. The defect is purely that the three documents disagree, which will mislead the next person reconciling them.
Fix: decide which is authoritative and align.
spec/secrets.jsonandAUDIT.mdmatch live state, so the likely correction isWORKFLOW.mdline 621. Worth confirming against the fleet hub's canonical spec, and worth asking whether Dependabot genuinely needsNUGET_USERNAME-- publishing runs onpushtomainwith the Actions store, so the Dependabot copy may be unnecessary rather than required.Fleet note
WORKFLOW.mdandrepo-config/are carried from ProjectTemplate, so both items may need fixing upstream rather than only here.