ci(warden): Add global security review baseline (#179)

Add an org-wide Warden base config using the built-in security-review skill and load it from the global workflow. Keep the rollout non-blocking while Warden reports security findings across repositories.

Also add concise agent instructions for this metadata repository.

Refs getsentry/warden#279

Co-authored-by: Codex <codex@openai.com>

Author: dcramer

.github/workflows/warden.yml

@@ -18,6 +18,12 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      - name: Checkout Org GitHub Repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.repository_owner }}/.github
+          path: .warden-org
+
       - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
@@ -30,6 +36,7 @@ jobs:
         continue-on-error: true # throw no error for now
         with:
           github-token: ${{ steps.app-token.outputs.token }}
+          base-config-path: .warden-org/warden.toml
 
       - name: Authenticate to Google Cloud
         continue-on-error: true
@@ -54,4 +61,4 @@ jobs:
         if: always() && steps.rename-findings.outputs.path != ''
         with:
           path: ${{ steps.rename-findings.outputs.path }}
-          destination: warden-logs/${{ github.repository }}
+          destination: warden-logs/${{ github.repository }}

AGENTS.md

@@ -0,0 +1,31 @@
+# Agent Instructions
+
+## Repository
+- Org-level GitHub metadata repository for Getsentry.
+- Edit org profile content in `profile/README.md`.
+- Edit GitHub configuration under `.github/`; root files cover shared policies and metadata.
+
+## Package Manager
+- No package manager, lockfile, or local build system is configured.
+
+## File-Scoped Commands
+| Task | Command |
+|------|---------|
+| YAML syntax | `ruby -e 'require "yaml"; ARGV.each { |f| YAML.load_file(f) }' .github/workflows/<file>.yml` |
+| Whitespace | `git diff --check -- <path>` |
+
+## GitHub Actions
+- Org-wide Warden base config lives in `warden.toml`.
+- Preserve existing third-party action pinning to full commit SHAs when editing workflows.
+- Keep version comments beside pinned actions when present.
+- `secret-scan.yml` reports to SIEM before failing detected secret scans; keep that flow intact.
+
+## Security
+- Follow `SECURITY.md` for vulnerability reporting text.
+- Use inert placeholder values in examples; do not add realistic tokens or secrets.
+
+## Commit Attribution
+AI commits MUST include:
+```
+Co-Authored-By: (the agent's name and attribution byline)
+```

CLAUDE.md

@@ -0,0 +1 @@
+AGENTS.md

warden.toml

@@ -0,0 +1,14 @@
+version = 1
+
+[defaults]
+reportOn = "medium"
+failOn = "off"
+failCheck = false
+requestChanges = false
+
+[[skills]]
+name = "security-review"
+
+[[skills.triggers]]
+type = "pull_request"
+actions = ["opened", "synchronize", "reopened"]