chore(ci): pin reusable workflow refs + baseline policy doc

[anmolnagpal]

Summary

• pin reusable workflow calls from floating refs (for example @master) to immutable SHA 88efd7724e007c8f721a219498be29e0c9ad471b
• add .github/WORKFLOW_BASELINE.md from org baseline repository

Scope

• no runtime code changes
• CI/workflow hygiene only

Risk

Low: non-breaking metadata/workflow reference hardening.

[gemini-code-assist]

Summary of Changes

Hello @anmolnagpal, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the organization's CI/CD hygiene and security posture by standardizing workflow practices. It introduces a comprehensive policy document that mandates the use of immutable references for reusable workflows and establishes clear baselines for pull request and Terraform module configurations. These changes are designed to enhance the reliability and reproducibility of CI processes while mitigating supply-chain risks.

Highlights

• CI/CD Workflow Hardening: Reusable workflow calls are now pinned to immutable SHAs instead of floating references (e.g., @master), enhancing security and reproducibility.
• New Workflow Baseline Policy Document: A new document, .github/WORKFLOW_BASELINE.md, has been added to define organizational standards for GitHub collaboration and CI hygiene.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .github/WORKFLOW_BASELINE.md
  • Added a new document outlining the Workflow Baseline Policy for GitHub collaboration and CI hygiene.
  • Defined a policy for reusable workflow references, mandating the use of pinned commit SHAs or immutable release tags.
  • Established baseline requirements for pull requests, including Conventional Commit titles, semantic PR title checks, and passing CI checks.
  • Specified organizational standards for Terraform module repositories, such as terraform.required_version, explicit required_providers constraints, and pinned shared workflow refs.

Ignored Files

• Ignored by pattern: .github/workflows/** (7)
  • .github/workflows/automerge.yml
  • .github/workflows/checkov.yml
  • .github/workflows/pr_checks.yml
  • .github/workflows/stale_pr.yml
  • .github/workflows/tag-release.yml
  • .github/workflows/terraform-diff.yml
  • .github/workflows/tf-checks.yml

Activity

• No specific activity (comments, reviews, etc.) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a WORKFLOW_BASELINE.md file to document the organization's CI/CD and collaboration standards. This is a positive step towards ensuring consistency and security in workflows. I have provided a couple of suggestions to enhance the clarity of the new policy document.

[gemini-code-assist]

For clarity, consider rephrasing this sentence. A repository contains documents, but it's the document itself that defines the policy. Using 'This document' makes the scope clearer.

Suggested change

	This repository defines the organization-level baseline for GitHub collaboration and CI hygiene.
	This document defines the organization-level baseline for GitHub collaboration and CI hygiene.

[gemini-code-assist]

The requirements for 'Conventional Commit title' and 'Semantic PR title check' are closely related and could be confusing as separate items, as 'Semantic PR' is often the tool that enforces 'Conventional Commits'. It would be clearer to rephrase these points to reflect their relationship.

Suggested change

	- Conventional Commit title required.
	- Semantic PR title check required.
	- PR titles must follow the Conventional Commits specification.
	- This requirement is enforced by an automated check.

[anmolnagpal]

[gemini-followup-2026-02-09]
Thanks @gemini-code-assist — reviewed the feedback. No repository-local code changes are required at this point; feedback is either informational or blocked by org-level workflow policy configuration.

Where CI is red on title validation, the failure is due to the org reusable workflow regex configuration (terraform-az-modules/.github#29), not this branch's module code.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[anmolnagpal]

[gemini-followup-2026-02-09]
Reviewed Gemini feedback for this PR. Resolution: addressed/non-blocking for this branch. If PR-title CI fails, it's blocked by org-level workflow regex config (terraform-az-modules/.github#29), not module code.