Skip to content

WORKFLOW.md drift: stale configure.sh subcommands and NUGET_USERNAME secret store #421

Description

@ptr727

Surfaced by Copilot review on #420 and verified against the tree and live repo state. Both are documentation drift in WORKFLOW.md, pre-existing on develop (carried in with #417), not regressions from #420.

1. configure.sh check / apply no longer exist

WORKFLOW.md references subcommands the script does not implement:

  • line 589: "Run repo-config/configure.sh check (section 6)"
  • line 659: "repo-config/configure.sh check reads the live rulesets ... that command is the 5D audit"
  • line 660: "repo-config/configure.sh apply configures a fresh repo"

The current interface is repo-config/configure.sh [owner/repo] [release|operational]. Because arg 1 is the repo, invoking configure.sh check would be parsed as repo name check, not a subcommand -- so the documented command silently does the wrong thing rather than erroring helpfully.

The audit flow also moved to AUDIT.md, which is now the read-only drift-reporting authority. WORKFLOW.md still describes configure.sh check as "the 5D audit".

Fix: update the three WORKFLOW.md references to point at the AUDIT.md flow for auditing and the current configure.sh argument form for applying.

2. NUGET_USERNAME secret store is documented inconsistently

WORKFLOW.md line 621-622 says NUGET_USERNAME is Actions store, and pointedly contrasts it with the App pair, which it says is "required in both the Actions and Dependabot secret stores".

But spec/secrets.json declares "stores": ["actions", "dependabot"] for the nuget-oidc mechanism, and AUDIT.md line 42 states the name "live[s] in both the Actions and Dependabot stores" and iterates both stores in its check snippet.

Note the consequence Copilot predicted does not occur. The review claimed the audit would report a false defect; live state shows the secret is present in both stores:

actions:    CODECOV_TOKEN CODEGEN_APP_CLIENT_ID CODEGEN_APP_PRIVATE_KEY NUGET_USERNAME
dependabot: CODECOV_TOKEN CODEGEN_APP_CLIENT_ID CODEGEN_APP_PRIVATE_KEY NUGET_USERNAME

So the audit passes today. The defect is purely that the three documents disagree, which will mislead the next person reconciling them.

Fix: decide which is authoritative and align. spec/secrets.json and AUDIT.md match live state, so the likely correction is WORKFLOW.md line 621. Worth confirming against the fleet hub's canonical spec, and worth asking whether Dependabot genuinely needs NUGET_USERNAME -- publishing runs on push to main with the Actions store, so the Dependabot copy may be unnecessary rather than required.

Fleet note

WORKFLOW.md and repo-config/ are carried from ProjectTemplate, so both items may need fixing upstream rather than only here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions