ci: Create and document DataKind shared GitHub workflows #2

Merged: mrmaloof merged 5 commits into main from feature/shared-workflows on Jun 10, 2026

Conversation

@mrmaloof mrmaloof commented Jun 9, 2026

Contributor

Description

Expands org shared CI workflows and standardizes how repos adopt them.

New reusable workflows

  • dependency-review.yml — replaces security.yml; fails on high-severity dependency changes
  • npm-audit.yml: npm audit for Node repos
  • composer-audit.yml: composer audit for PHP repos

Consistency

  • link-asana-task converted to workflow_call (matches other shared workflows)
  • Removed optional inputs from shared workflows — org defaults are hardcoded so repos don't configure knobs
  • Removed legacy security.yml

Adoption

  • Added ci.yml.example — single bundled PR workflow; copy to .github/workflows/ci.yml, comment out what doesn't apply, add local jobs
  • Simplified README — quick start + workflow table (replaces per-workflow caller examples)

Asana Task

EDVISEWEBAPP-461

Deployment Readiness*

Testing

Used the ci.yml.example1 in edvise-ui to test that the workflows were called and run.

Describe or check:

  • Created or updated unit, feature, and/or integration tests
  • Typical manual testing in the local env browser, dev pipeline, etc.

Deployment Notes

Describe or check:

  • No special deployment steps required

Rollback Plan

Describe or check:

  • Standard revert is sufficient (git revert)

Reviewer Guidance / Questions*

Screenshots / Testing Evidence*

Screenshot 2026-06-09 at 11 08 06

SOC 2 Change Management Checklist

  • None of the below are true in this code
  • New roles/permissions are introduced without review and approval by the product manager
  • Hardcoded credentials, secrets, or API keys are present in this code
  • Secrets are being managed outside of the approved secrets management process (e.g., GitHub Secrets, environment variables)
  • PII or sensitive data handling is introduced or changed without being reviewed against our data classification policy
  • Sensitive data is written to logs
  • Input validation and sanitization is missing
  • An unnecessary attack surface has been introduced (e.g., unused endpoints, open ports, debug modes left enabled)
  • Common vulnerabilities have been introduced in the code (inc. any dependencies added or updated)
  • No review for common vulnerabilities has been conducted
  • Not tested in a non-production environment
  • Breaking changes to existing APIs or integrations with downstream consumers being notified
  • Performance impact has not been considered or acceptable
  • Appropriate audit logging is missing for any security-relevant actions introduced by this change
  • Log entries contain sensitive or PII data
  • All existing tests do not pass locally (./vendor/bin/pest)

Provide justification if you are submitting a PR with any boxes checked other than the first.


Reminder for Reviewers: By approving this PR you are confirming that you have reviewed the code for correctness, security, and compliance with our engineering and SOC 2 standards. Do not approve PRs where SOC 2 checklist items are checked without documented justification.

*Optional


@mrmaloof mrmaloof requested a review from rachelauryn June 9, 2026 15:13
@rachelauryn

Contributor

You're missing the linked asana task!

@rachelauryn rachelauryn left a comment

Contributor

Looks great, thanks so much!

@mrmaloof mrmaloof merged commit 3db776e into main Jun 10, 2026
@mrmaloof mrmaloof deleted the feature/shared-workflows branch June 10, 2026 13:22