From 748c3070090750cf2d25ef702ce227f2da559f5c Mon Sep 17 00:00:00 2001 From: jdalton Date: Sat, 4 Apr 2026 10:01:14 -0400 Subject: [PATCH 1/2] =?UTF-8?q?docs:=20clarify=20SHA=20pin=20cascade=20?= =?UTF-8?q?=E2=80=94=20propagation=20SHA=20is=20Layer=203,=20not=20Layer?= =?UTF-8?q?=204?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CLAUDE.md | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 59cf842b..e05b858c 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -254,18 +254,29 @@ Layer 4 — _local workflows (reference Layer 3, not reused externally): ``` 1. PR: Update Layer 2a pins (setup) → merge → get SHA 2. PR: Update Layer 2b pins (setup-and-install) → merge → get SHA -3. PR: Update Layer 3 pins (ci.yml, provenance.yml) → merge → get SHA -4. PR: Update Layer 4 pins (_local workflows) → merge → get SHA -5. Update any open feature PRs with new SHA +3. PR: Update Layer 3 pins (ci.yml, provenance.yml) → merge → get SHA ← THIS IS THE PROPAGATION SHA +4. PR: Update Layer 4 pins (_local workflows) → merge +5. Propagate the Layer 3 SHA to all consuming repos ``` +**The propagation SHA is the Layer 3 merge SHA** — the one where ci.yml and +provenance.yml were updated. Layer 4 (`_local-not-for-reuse-*`) and external +repos all pin to this SAME SHA. The Layer 4 merge SHA is NOT used for pinning +because it only changed _local wrappers, not the reusable workflows that +consumers reference. + +**External consuming repos** (all pin the same SHA as Layer 4 does): +socket-btm, socket-cli, socket-sdk-js, socket-packageurl-js, +socket-sbom-generator, socket-lib, ultrathink + **Rules:** -- Each layer gets its own PR — never combine layers or sub-layers. +- Each layer gets its own PR — never combine layers. - Always `git fetch origin main && git rev-parse origin/main` to get the SHA after merge. - Use `--no-verify` for pin-only commits (no code changes). - Verify with: `grep -rn "SocketDev/socket-registry" .github/ | grep "@" | grep -v ""`. -- The `_local-not-for-reuse-weekly-update.yml` also references `actions/upload-artifact` — don't clobber third-party SHAs when doing blanket replacements. +- Don't clobber third-party SHAs (e.g., `actions/upload-artifact`) when doing blanket replacements. +- For external repos: push directly to main where allowed, create PRs where branch protection requires it. ### Testing & Coverage From 0648c95518c5aff8800705f9ab0b6e6ac9fa4cc7 Mon Sep 17 00:00:00 2001 
From: jdalton Date: Sat, 4 Apr 2026 10:02:28 -0400 Subject: [PATCH 2/2] style: format CLAUDE.md --- CLAUDE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CLAUDE.md b/CLAUDE.md index e05b858c..b9f999fb 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -262,7 +262,7 @@ Layer 4 — _local workflows (reference Layer 3, not reused externally): **The propagation SHA is the Layer 3 merge SHA** — the one where ci.yml and provenance.yml were updated. Layer 4 (`_local-not-for-reuse-*`) and external repos all pin to this SAME SHA. The Layer 4 merge SHA is NOT used for pinning -because it only changed _local wrappers, not the reusable workflows that +because it only changed \_local wrappers, not the reusable workflows that consumers reference. **External consuming repos** (all pin the same SHA as Layer 4 does):
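Review bot: in the first hunk (CLAUDE.md @@ -254,18 +254,29 @@), the new heading "**External consuming repos** (all pin the same SHA as Layer 4 does)" reintroduces the ambiguity the hunk is meant to remove: "the same SHA as Layer 4" can be read as the Layer 4 merge SHA, which the paragraph directly above says is NOT used for pinning. Suggest "(all pin the same Layer 3 SHA that Layer 4 pins)" or simply "(all pin the Layer 3 propagation SHA)". Two further points on the rules that follow: the verification command `grep -rn "SocketDev/socket-registry" .github/ | grep "@" | grep -v ""` ends in `grep -v ""`, and an empty pattern matches every line, so the pipeline always prints nothing and the check cannot fail; the intended exclusion pattern (presumably the expected SHA) should be filled in. And the new rule "push directly to main where allowed" for external repos bypasses review on exactly the change where a wrong or stale SHA would silently redirect a consumer to a different workflow; consider requiring a PR, or at least the verification grep, for every consuming repo regardless of whether direct push is allowed.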
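Review bot: in the second hunk (CLAUDE.md @@ -262,7 +262,7 @@), the formatter-driven change from `_local` to `\_local` renders correctly but leaves the identifier written three different ways within a few lines: unescaped `_local` inside the fenced list in step 4, backticked `_local-not-for-reuse-*` one line above, and now backslash-escaped in prose. Wrapping this occurrence in backticks (`` `_local` ``) matches the reference directly above it and keeps the formatter from rewriting it again on the next pass.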