docs: record remediation-plan implementation status (2026-05-26)#65

Merged
NWarila merged 1 commit into main from docs/remediation-plan-status-preamble
May 26, 2026

@NWarila NWarila commented May 26, 2026

Adds a status preamble to REVIEW_REMEDIATION_PLAN.md recording per-finding implementation state. 7 of 9 findings now marked Done (Finding 4 closed by this session's PRs #62/#63); 1 REJECTED per existing doc; 1 follow-up tracked (manage_codeowners_files opt-in flag).

Test plan

  • CI green (markdownlint)

Local: markdownlint-cli2 → 0 errors.

The REVIEW_REMEDIATION_PLAN.md was authored as a planning artifact for
the framework's hardening work. Most of the planned remediation has
since landed on main, but the doc wasn't updated to reflect the
implementation state — readers had to cross-reference the doc against
the live framework code to know what was still open.

Adds a "Status (as of 2026-05-26)" preamble with a per-finding matrix.
9 findings; 7 marked Done (Finding 4 done in PRs #62/#63 this session,
the rest already on main); 1 explicitly REJECTED in the existing doc;
1 follow-up tracked as "Remaining open items" (manage_codeowners_files
opt-in flag, which the unmerged chore/standardize-fleet-bead9a4 branch
had but main does not).

The preamble also documents the maintenance protocol so future PRs
keep the table current.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

Terraform Framework Test Results

Check Status
Format
Init
Validate
Test Suite

Runs: 54 total, 54 passed, 0 failed, 0 skipped

Full test output
tests/normalization.tftest.hcl... in progress
  run "pattern_blocks_with_only_pattern_field_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-partial-patterns-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "merge_queue_with_partial_fields_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-partial-merge-queue-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "pull_request_with_only_merge_methods_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-partial-pull-request-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "pages_partial_fields_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-pages-partial-repo"],
  on 41-resources-github.tf line 28, in resource "github_repository" "repo":
  28: resource "github_repository" "repo" {

Use the github_repository_pages resource instead. This field will be removed
in a future version.

(and 2 more similar warnings elsewhere)

  run "repo_with_environments_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-env-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and 3 more similar warnings elsewhere)

  run "archived_repo_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-archived-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "empty_repo_set_plans_clean"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "org_mode_explicit_codeowners_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-org-codeowners-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "personal_mode_synthesizes_codeowners"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-personal-synthesized-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "push_ruleset_on_private_when_supported_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-push-ruleset-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "license_template_defaults_null_not_MIT"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "good_minimal_produces_expected_resource_counts"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "good_minimal_carries_expected_defaults"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "archived_repo_filters_out_downstream_locals"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-archived-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "empty_repo_set_exercises_every_filter_on_zero_input"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "good_minimal_produces_zero_environments_zero_codeowners"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "explicit_security_and_analysis_overrides_baseline"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-explicit-security-override-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "multi_branch_sources_all_from_default_not_serially"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-multi-branch-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "fork_repo_passes_through_source_fields"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-fork-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

tests/normalization.tftest.hcl... tearing down
tests/normalization.tftest.hcl... pass
tests/preconditions.tftest.hcl... in progress
  run "rejects_invalid_visibility_enum"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_public_repo_without_description"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_invalid_ruleset_enforcement"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-ruleset-enforcement-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_org_mode_codeowners_required_but_missing"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-codeowners-org-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_env_wait_timer_out_of_range"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-env-wait-timer-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_env_branch_policy_mutually_exclusive"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-env-branch-policy-both-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_actions_allowed_actions_enum"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-actions-enum-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_actions_selected_without_config"... pass

Warning: Argument is deprecated

  with github_repository.repo["bad-actions-selected-no-config-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

tests/preconditions.tftest.hcl... tearing down
tests/preconditions.tftest.hcl... pass
tests/security.tftest.hcl... in progress
  run "strict_mode_no_gap_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "compatibility_mode_no_gap_plans_clean_with_empty_preview"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "strict_mode_reports_gaps_across_multiple_visibilities"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "no_baseline_no_yaml_collapses_security_to_null"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "baseline_feature_enabled_when_capability_matches"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

tests/security.tftest.hcl... tearing down
tests/security.tftest.hcl... pass
tests/validation.tftest.hcl... in progress
  run "good_minimal_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "rejects_unknown_top_level_key"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_unknown_nested_key"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_duplicate_repo_keys"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_unsupported_push_ruleset"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_code_scanning_tool_typo"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_multiple_nested_typos_in_one_repo"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_secrets_written_as_map"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_token_mode_missing_token"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_app_mode_missing_app_auth"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_token_mode_with_app_auth_also_set"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_app_mode_with_token_also_set"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "valid_app_auth_plans_clean"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "strict_mode_fails_on_capability_gap"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "compatibility_mode_tolerates_capability_gap"... pass

Warning: Argument is deprecated

  with github_repository.repo["example-public-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "push_ruleset_public_supports_true_still_fails"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "push_ruleset_private_supports_false_fails"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "push_ruleset_internal_supports_true_passes"... pass

Warning: Argument is deprecated

  with github_repository.repo["good-internal-push-ruleset-repo"],
  on 41-resources-github.tf line 78, in resource "github_repository" "repo":
  78:   vulnerability_alerts = each.value.vulnerability_alerts

Use the github_repository_vulnerability_alerts resource instead. This field
will be removed in a future version.

(and one more similar warning elsewhere)

  run "push_ruleset_internal_supports_false_fails"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_invalid_github_owner_regex"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_invalid_auth_mode_enum"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

  run "rejects_invalid_baseline_mode_enum"... pass

Warning: Argument is deprecated

  with github_actions_environment_secret.env_secret,
  on 41-resources-github.tf line 528, in resource "github_actions_environment_secret" "env_secret":
 528:   plaintext_value = ""

Use value.

tests/validation.tftest.hcl... tearing down
tests/validation.tftest.hcl... pass

Success! 54 passed, 0 failed.

Commit: a2784f5

@NWarila NWarila merged commit af49741 into main May 26, 2026
11 checks passed
@NWarila NWarila deleted the docs/remediation-plan-status-preamble branch May 26, 2026 16:10