Scaffold the Module 15 'slot security steps into the workflow' YAML merge #50
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Problem
In Module 14 the learner succeeded by copying a complete workflow verbatim. Module 15 Part D now asks them to merge a security job INTO that existing workflow ("Slot its steps into the workflow you built in Module 14") with no shown placement or indentation guidance — and YAML is whitespace-sensitive. There is also latent job-vs-step ambiguity:
ci-security.ymlis described as "a job," but the step header says "Add a security step / Slot its steps."Evidence
modules/15-security-scanning/README.mdPart D step 2: "lab/ci-security.yml is a provider-neutral snippet … Slot its steps into the workflow you built in Module 14 (the exact YAML keys follow whatever host that module used …)." The lab filelab/ci-security.ymlis fully annotated (its comments say to copy steps into the existing pipeline), which mitigates but doesn't fully resolve the merge mechanics.Why it matters
First-time YAML editing jump from "copy whole file" to "merge by prose," where a botched indent silently breaks the workflow and kills the module's red-then-green payoff.
Proposed change
Add a before/after diff showing exactly where the security steps go, plus a one-line "YAML is indentation-sensitive; match the existing steps' indentation" caution. Resolve the job-vs-step wording so the learner knows whether to add a new job or merge steps. (Keep the provider-neutral snippet; a before/after diff preserves that intent better than shipping a full single-dialect file.)
Acceptance criteria
Affected files
modules/15-security-scanning/README.mdReferences
Source finding F31 (realVotes 2/3 — one lens judged the well-commented lab file already adequate; lower confidence).
Filed from an adversarial multi-agent course review (217 raw findings → 54 adversarially-verified survivors). Scoped for manual review; intentionally not auto-assigned to an agent.