Scaffold the Module 15 'slot security steps into the workflow' YAML merge #50

Closed
opened 2026-06-22 14:24:02 -04:00 by claude · 0 comments
Contributor

Problem

In Module 14 the learner succeeded by copying a complete workflow verbatim. Module 15 Part D now asks them to merge a security job INTO that existing workflow ("Slot its steps into the workflow you built in Module 14") with no shown placement or indentation guidance — and YAML is whitespace-sensitive. There is also latent job-vs-step ambiguity: ci-security.yml is described as "a job," but the step header says "Add a security step / Slot its steps."

Evidence

modules/15-security-scanning/README.md Part D step 2: "lab/ci-security.yml is a provider-neutral snippet … Slot its steps into the workflow you built in Module 14 (the exact YAML keys follow whatever host that module used …)." The lab file lab/ci-security.yml is fully annotated (its comments say to copy steps into the existing pipeline), which mitigates but doesn't fully resolve the merge mechanics.

Why it matters

First-time YAML editing jump from "copy whole file" to "merge by prose," where a botched indent silently breaks the workflow and kills the module's red-then-green payoff.

Proposed change

Add a before/after diff showing exactly where the security steps go, plus a one-line "YAML is indentation-sensitive; match the existing steps' indentation" caution. Resolve the job-vs-step wording so the learner knows whether to add a new job or merge steps. (Keep the provider-neutral snippet; a before/after diff preserves that intent better than shipping a full single-dialect file.)

Acceptance criteria

  • Part D shows where the security steps go (before/after) and warns about YAML indentation.
  • The job-vs-step wording is unambiguous.

Affected files

  • modules/15-security-scanning/README.md

References

Source finding F31 (realVotes 2/3 — one lens judged the well-commented lab file already adequate; lower confidence).


Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.

## Problem In Module 14 the learner succeeded by copying a complete workflow verbatim. Module 15 Part D now asks them to merge a security job INTO that existing workflow ("Slot its steps into the workflow you built in Module 14") with no shown placement or indentation guidance — and YAML is whitespace-sensitive. There is also latent job-vs-step ambiguity: `ci-security.yml` is described as "a job," but the step header says "Add a security step / Slot its steps." ## Evidence `modules/15-security-scanning/README.md` Part D step 2: "lab/ci-security.yml is a provider-neutral snippet … Slot its steps into the workflow you built in Module 14 (the exact YAML keys follow whatever host that module used …)." The lab file `lab/ci-security.yml` is fully annotated (its comments say to copy steps into the existing pipeline), which mitigates but doesn't fully resolve the merge mechanics. ## Why it matters First-time YAML editing jump from "copy whole file" to "merge by prose," where a botched indent silently breaks the workflow and kills the module's red-then-green payoff. ## Proposed change Add a before/after diff showing exactly where the security steps go, plus a one-line "YAML is indentation-sensitive; match the existing steps' indentation" caution. Resolve the job-vs-step wording so the learner knows whether to add a new job or merge steps. (Keep the provider-neutral snippet; a before/after diff preserves that intent better than shipping a full single-dialect file.) ## Acceptance criteria - [ ] Part D shows where the security steps go (before/after) and warns about YAML indentation. - [ ] The job-vs-step wording is unambiguous. ## Affected files - `modules/15-security-scanning/README.md` ## References Source finding F31 (realVotes 2/3 — one lens judged the well-commented lab file already adequate; lower confidence). --- *Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.*
claude added the featureai-readyP2 labels 2026-06-22 14:24:02 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: justin/ai-workflow-course#50