{"id":47307430,"url":"https://github.com/hummbl-dev/ci-governance","last_synced_at":"2026-03-17T08:50:01.346Z","repository":{"id":338276501,"uuid":"1127454792","full_name":"hummbl-dev/ci-governance","owner":"hummbl-dev","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-13T17:24:09.000Z","size":40,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-14T01:19:56.841Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hummbl-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-03T23:15:29.000Z","updated_at":"2026-02-13T17:24:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hummbl-dev/ci-governance","commit_stats":null,"previous_names":["hummbl-dev/ci-governance"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/hummbl-dev/ci-governance","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hummbl-dev%2Fci-governance","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hummbl-dev%2Fci-governance/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hummbl-dev%2Fci-governance/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hummbl-dev%2Fci-governance/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hummbl-dev","download_url":"https://codeload.github.com/hummbl-dev/ci-governance/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hummbl-dev%2Fci-governance/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30619228,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T08:10:05.930Z","status":"ssl_error","status_checked_at":"2026-03-17T08:10:04.972Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-17T08:50:00.751Z","updated_at":"2026-03-17T08:50:01.337Z","avatar_url":"https://github.com/hummbl-dev.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# CI Governance\n\n## Overview\n\nThis repository serves as the **enforcement kernel** for CI/CD governance policies. It defines the policy structure and standards for CI/CD operations without implementing enforcement mechanisms or bindings to downstream repositories.\n\n**Role**: Policy definition and audit framework  \n**Status**: Reference implementation  \n**Base120 Version**: v1.0 (FROZEN)  \n**Base120 Binding**: ✓ ACTIVE (Hash-pinned, CI-enforced)\n\n## Base120 v1.0 Binding\n\nThis repository is **built on Base120 v1.0** as immutable infrastructure:\n\n- **SHA256**: `6df3bd9f64693183ed2509e2ca6855a5690c721646e2357b088c3bd4d2cd88b1`\n- **Status**: Immutable, frozen, hash-pinned\n- **Enforcement**: Automated CI verification on every commit\n- **Compliance**: Non-canonical, audit-grade\n\n**Key Files**:\n- `base120-dependency.yaml` - Dependency declaration with hash pinning\n- `base120-mrcc.yaml` - Machine-readable compliance claim\n- `base120-narrative-claim.md` - Narrative compliance documentation\n- `.github/workflows/base120-*.yml` - CI enforcement workflows\n\n**Documentation**:\n- `ARCHITECTURE.md` - Technical architecture and binding design\n- `_CURRENT_STATE.md` - Current binding status and verification results\n- `GOVERNANCE.md` - Governance model including Base120 enforcement\n\n## Repository Structure\n\n```\nci-governance/\n├── base120-invariant-registry.yaml    # Read-only invariant definitions (FROZEN)\n├── base120-dependency.yaml            # Base120 v1.0 binding declaration\n├── base120-mrcc.yaml                  # Machine-readable compliance claim\n├── base120-narrative-claim.md         # Narrative compliance claim\n├── policies/\n│   ├── workflow-baselines/            # Workflow policy baselines\n│   │   ├── pr-validation-baseline.yaml\n│   │   ├── build-baseline.yaml\n│   │   └── release-baseline.yaml\n│   └── pr-classification/             # PR classification rules\n│       └── classification-rules.yaml\n├── schemas/\n│   └── policy-schema.yaml             # Policy structure schemas\n├── .github/workflows/                 # CI enforcement\n│   ├── base120-hash-verification.yml\n│   ├── base120-schema-validation.yml\n│   └── base120-drift-detection.yml\n├── ARCHITECTURE.md                    # Architecture documentation\n├── _CURRENT_STATE.md                  # Current state tracking\n├── GOVERNANCE.md                      # Governance model\n└── README.md                          # This file\n```\n\n## Components\n\n### 1. Base120 Invariant Registry\n\n**File**: `base120-invariant-registry.yaml`  \n**Status**: FROZEN (v1.0)  \n**Purpose**: Read-only reference of governance invariants\n\nThe invariant registry defines immutable CI/CD governance rules across categories:\n- Build Integrity (INV-001, INV-002)\n- Artifact Integrity (INV-003, INV-004)\n- Code Quality (INV-005, INV-006)\n- Security (INV-007, INV-008, INV-009)\n- Access Control (INV-010, INV-011)\n- Audit Trail (INV-012, INV-013)\n- Deployment (INV-014, INV-015)\n\n**Important**: This registry is frozen and must not be mutated. It serves as the canonical source of truth for policy definitions.\n\n### 2. Workflow Baselines\n\n**Directory**: `policies/workflow-baselines/`  \n**Purpose**: Define CI workflow policy structures\n\nWorkflow baselines establish the reference implementation for CI/CD workflows:\n\n- **PR Validation Baseline** (`pr-validation-baseline.yaml`)\n  - Pre-validation checks\n  - Code quality validation\n  - Security scanning\n  - Test execution requirements\n\n- **Build Baseline** (`build-baseline.yaml`)\n  - Pre-build validation\n  - Reproducible build requirements\n  - Artifact generation policies\n  - Provenance and SBOM requirements\n\n- **Release Baseline** (`release-baseline.yaml`)\n  - Pre-release validation\n  - Security validation\n  - Approval gate requirements\n  - Publication policies\n\nEach baseline references applicable invariants from the Base120 registry.\n\n### 3. PR Classification Rules\n\n**File**: `policies/pr-classification/classification-rules.yaml`  \n**Purpose**: Define how pull requests are classified\n\nClassification dimensions include:\n- **Impact Scope**: critical, standard, documentation, configuration\n- **Change Size**: small, medium, large, massive\n- **Risk Level**: high-risk, medium-risk, low-risk\n\nClassifications determine which workflow baselines and additional checks apply to each PR.\n\n### 4. Policy Schema\n\n**File**: `schemas/policy-schema.yaml`  \n**Purpose**: Document policy structure formats\n\nDefines the schema for:\n- Invariant registry structure\n- Workflow baseline format\n- PR classification format\n- Validation rules\n\n## Design Principles\n\n### 1. Enforcement Kernel, Not Executor\nThis repository defines **what** should be governed, not **how** to enforce it. Implementation and enforcement are the responsibility of downstream systems.\n\n### 2. Audit-Grade Language\nAll policies use neutral, precise language suitable for compliance audits and security reviews.\n\n### 3. No Downstream Enforcement\nThis repository does **not**:\n- Enforce policies on downstream repositories\n- Contain executable workflows\n- Store secrets or production credentials\n- Perform org-wide actions\n- Mutate the frozen Base120 invariant registry\n\n### 4. Read-Only Reference\nThe Base120 invariant registry is frozen and serves as a read-only reference. Modifications require a new major version.\n\n## Usage\n\n### For Policy Consumers\n\n1. **Reference Invariants**: Use invariant IDs (e.g., INV-007) to reference specific governance requirements\n2. **Apply Baselines**: Map workflow baselines to your CI/CD pipelines\n3. **Classify PRs**: Use classification rules to determine applicable policies\n4. **Validate Compliance**: Compare implementations against defined policies\n\n### For Auditors\n\n1. Review `base120-invariant-registry.yaml` for governance requirements\n2. Verify downstream implementations reference correct invariant IDs\n3. Check workflow implementations against baseline policies\n4. Validate PR classification logic against defined rules\n\n## Compliance and Audit\n\n### Audit Trail Requirements\n- All policies include audit trail specifications\n- Retention periods are defined per policy type\n- Classification decisions must be logged\n\n### Validation\nPolicy structures can be validated against schemas defined in `schemas/policy-schema.yaml`.\n\n## Extending Policies\n\nWhile the Base120 invariant registry is frozen, organizations can:\n- Define additional workflow baselines\n- Create custom classification dimensions\n- Add organization-specific checks (referencing existing invariants)\n\nExtensions must not contradict or weaken frozen invariants.\n\n## Versioning\n\n- **Base120 Registry**: v1.0 (FROZEN)\n- **Policy Schema**: v1.0.0\n- **Workflow Baselines**: v1.0\n- **Classification Rules**: v1.0\n\n## Security Considerations\n\nThis repository contains **policy definitions only**:\n- No secrets or credentials\n- No production configurations\n- No executable enforcement code\n- No access to org-wide resources\n\n## License\n\nInternal Use Only - Governance Reference\n\n## Contact\n\nFor questions about governance policies, consult your organization's compliance team.\n\n---\n\n**Note**: This is a scaffolding repository. Policies are advisory by default and require implementation in downstream systems for enforcement.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhummbl-dev%2Fci-governance","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhummbl-dev%2Fci-governance","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhummbl-dev%2Fci-governance/lists"}