diff --git a/.github/contracts/org-control-plane.yml b/.github/contracts/org-control-plane.yml index aceb429..27f5cf9 100644 --- a/.github/contracts/org-control-plane.yml +++ b/.github/contracts/org-control-plane.yml @@ -85,7 +85,7 @@ requirements: - .github/workflows/codex-rails-check.yml github_security_configuration: id: 245233 - name: EvalOps Blacksmith recommended + name: EvalOps security baseline recommended default_for_new_repos: all required_settings: advanced_security: secret_protection diff --git a/SECURITY.md b/SECURITY.md index ae9276d..a152b72 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -26,7 +26,7 @@ This policy applies to all repositories in the [evalops](https://github.com/eval ## Code Scanning EvalOps does not use GitHub CodeQL or GitHub default code scanning. Every -repository is attached to the **EvalOps Blacksmith recommended** code security +repository is attached to the **EvalOps security baseline recommended** code security configuration (`id=245233`), which sets `advanced_security: secret_protection` and `code_scanning_default_setup: disabled`, and is the default for new repositories. diff --git a/profile/GITHUB_ACTIONS_QUOTA.md b/profile/GITHUB_ACTIONS_QUOTA.md index f2a3244..2a3b6bb 100644 --- a/profile/GITHUB_ACTIONS_QUOTA.md +++ b/profile/GITHUB_ACTIONS_QUOTA.md @@ -40,7 +40,9 @@ passing coverage, lint, or drift check into a failed required status. ## Runner Budget -Prefer Blacksmith runners for normal CI unless a vendor workflow requires -GitHub-hosted OIDC or trusted publishing. When a job stays on `ubuntu-latest`, +Prefer owned EvalOps runners for trusted CI: `evalops-private-ci` for short +private-repo checks and `evalops-internal` for deploy, release, GKE, or +production-confirmation work. Keep public/fork, Dependabot, or vendor OIDC +work on `ubuntu-latest` until a separate public-safe owned pool exists, and leave a comment explaining the dependency so later runner migrations do not re-introduce quota or authentication failures.
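Review bot: in the `org-control-plane.yml` hunk the rename keeps `id: 245233` and only changes `name:`, so the contract now expects a display name that must also exist on the live GitHub security configuration; confirm the configuration with id 245233 has been renamed to "EvalOps security baseline recommended" in the org settings before this lands, otherwise a drift check that compares `name` will start failing for every repository while the actual protection (`advanced_security: secret_protection`, `default_for_new_repos: all`) is unchanged.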
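Review bot: the `SECURITY.md` hunk makes the changed line noticeably longer than the surrounding wrapped prose ("...**EvalOps security baseline recommended** code security" now runs past the width used by the neighbouring lines), so re-wrap the paragraph so "code security" moves to the next line; otherwise the change is consistent with the contract hunk (same `id=245233`, same `advanced_security: secret_protection` and `code_scanning_default_setup: disabled`), which is the right way to keep policy text and the machine-checked contract in step.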
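Review bot: the `GITHUB_ACTIONS_QUOTA.md` hunk introduces two owned runner pools (`evalops-private-ci`, `evalops-internal`) and correctly keeps public/fork, Dependabot and vendor OIDC work on `ubuntu-latest`, but it never states the rule that decides "trusted CI": add one sentence saying that a job may target `evalops-internal` (deploy, release, GKE, production confirmation) only when its trigger cannot be driven by a fork or by Dependabot, since that pool holds production credentials and the quota text alone will not stop someone moving a `pull_request` job onto it to save minutes. Also, since this patch removes the last "Blacksmith" wording from three files, it is worth grepping the org for any remaining references (workflow `runs-on` labels, other profile docs) so the migration guidance is not contradicted elsewhere.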