
Conversation

@anmolnagpal (Collaborator)

## Summary
- add org baseline policy doc for reusable workflow pinning
- document immutable SHA/tag requirement for reusable workflows
- document Terraform module baseline expectations ( + )

## Severity
- Medium: org CI/workflow hygiene

## Migration Notes
- Documentation-only change.

@gemini-code-assist

Summary of Changes

Hello @anmolnagpal, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new policy document, WORKFLOW_BASELINE.md, to establish clear organizational standards for GitHub collaboration and CI/CD hygiene. The document aims to reduce supply-chain risk and improve CI reproducibility by mandating specific practices for reusable workflows, pull request management, and Terraform module configurations.

Highlights

  • Reusable Workflow Pinning Policy: Introduces a new organizational policy document outlining the requirement to use immutable references (pinned commit SHAs or immutable release tags) for reusable workflows, explicitly prohibiting floating references like @master or @main.
  • Terraform Module Baseline Standards: Defines baseline expectations for Terraform module repositories, including the necessity of terraform.required_version, explicit required_providers constraints, and pinned shared workflow references.
  • General CI/PR Hygiene: Establishes general pull request baseline requirements such as Conventional Commit titles, Semantic PR title checks, and mandatory passing CI checks before merging.


Changelog
  • WORKFLOW_BASELINE.md
    • Added a new documentation file outlining the organization's baseline policy for GitHub workflows, including reusable workflow reference policies, pull request baselines, and Terraform module standards.
Activity
  • No human activity has been recorded on this pull request yet.
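The two baseline items summarised above (immutable references for reusable workflows and actions, and `required_version` plus `required_providers` constraints in Terraform modules) can be checked mechanically in CI. The script below is an added example, not code from this PR or from the terraform-az-modules organization; the workflow and `versions.tf` inputs are constructed, and `example-org` is a placeholder. Release-style tags are reported separately from branch names and major-only tags because the policy accepts them only when they are immutable in practice.

```python
import re

# Constructed sample workflow (not from the PR): it mixes compliant and
# non-compliant references so the checker has something to report.
# example-org is a placeholder organization.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    uses: example-org/.github/.github/workflows/lint.yml@main
  build:
    uses: example-org/.github/.github/workflows/build.yml@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # v1.4.2
  release:
    uses: example-org/.github/.github/workflows/release.yml@v2
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: example-org/shared-actions/notify@v1.3.0
      - uses: actions/setup-go@1234567890abcdef1234567890abcdef12345678 # v5.0.0
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
RELEASE_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+([-+][0-9A-Za-z.]+)?$")


def classify_ref(ref):
    """Classify one uses: target as 'sha', 'release-tag', 'local' or 'floating'."""
    if ref.startswith("./"):
        return "local"           # in-repo path, fixed by the commit being built
    if "@" not in ref:
        return "floating"        # no ref at all resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha"
    if RELEASE_TAG_RE.match(version):
        return "release-tag"     # acceptable only if the tag is released and protected
    return "floating"            # branch name, major-only tag such as v2, or short SHA


def check_workflow(text):
    """Return (line_no, ref, verdict) for every uses: reference in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((n, m.group("ref"), classify_ref(m.group("ref"))))
    return findings


def workflow_violations(text):
    """Only the references the policy forbids outright."""
    return [(n, ref) for n, ref, verdict in check_workflow(text) if verdict == "floating"]


# Constructed versions.tf fragments: one meeting the baseline, one not.
SAMPLE_VERSIONS_TF_OK = """\
terraform {
  required_version = ">= 1.5.0, < 2.0.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}
"""

SAMPLE_VERSIONS_TF_BAD = """\
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}
"""

REQ_VERSION_RE = re.compile(r'required_version\s*=\s*"([^"]+)"')


def brace_body(text, opener_idx):
    """Return the text between the brace at opener_idx and its matching close."""
    depth = 0
    for i in range(opener_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[opener_idx + 1:i]
    raise ValueError("unbalanced braces")


def check_terraform_baseline(text):
    """List the baseline gaps in a module's terraform {} settings block."""
    problems = []
    if not REQ_VERSION_RE.search(text):
        problems.append("missing terraform.required_version")
    m = re.search(r"required_providers\s*\{", text)
    if not m:
        problems.append("missing terraform.required_providers")
        return problems
    body = brace_body(text, m.end() - 1)
    if not re.search(r"\w+\s*=\s*\{", body):
        problems.append("required_providers is empty")
    for pm in re.finditer(r"(\w+)\s*=\s*\{", body):
        inner = brace_body(body, pm.end() - 1)
        if not re.search(r'source\s*=\s*"[^"]+"', inner):
            problems.append(f"provider {pm.group(1)}: missing source")
        if not re.search(r'version\s*=\s*"[^"]+"', inner):
            problems.append(f"provider {pm.group(1)}: missing version constraint")
    return problems


if __name__ == "__main__":
    for n, ref, verdict in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {verdict:12} {ref}")
    print("terraform ok :", check_terraform_baseline(SAMPLE_VERSIONS_TF_OK))
    print("terraform bad:", check_terraform_baseline(SAMPLE_VERSIONS_TF_BAD))
```

Run it over every file under `.github/workflows/` and the module's `versions.tf` as a required check; the `release-tag` verdicts are the ones that still need a human (or a second script) to confirm the tag is a protected release rather than a movable git tag.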


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a valuable workflow baseline policy document. The guidelines for reusable workflows, pull requests, and Terraform modules are clear and promote good CI/CD hygiene. I have one suggestion to enhance the clarity and security of the reusable workflow reference policy regarding immutable tags.

Comment on lines 10 to 11
- immutable release tag.


medium

This is a great start for a workflow policy. To make the guidance on 'immutable release tag' more robust, it would be beneficial to explain how to ensure a tag is immutable. Standard git tags can be moved (force-pushed), which would make them a 'floating ref' again. Adding a note about using GitHub Releases and protected tags provides actionable advice and reduces ambiguity.

Suggested change (the existing line, followed by the note to add after it):
- immutable release tag.
  **Note:** To be truly immutable, use tags from GitHub Releases and consider protecting them in repository settings, as standard git tags can be moved.

Collaborator Author (@anmolnagpal)


Thanks — clarified the guidance to call out GitHub Releases + protected tags so refs remain immutable in practice.
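The reviewer's point is that a tag is only as immutable as the repository settings behind it. One way to make the policy hold regardless of tag protection is to resolve the tag to its commit SHA when the reference is written, keep the tag as a trailing comment, and periodically re-check that the tag still points at the pinned commit. The script below is an added example, not code from this PR or the terraform-az-modules organization: it parses listings in the shape that `git ls-remote --tags` prints (the listings themselves are constructed, with a second one in which `v1.2.0` has been moved), rewrites tag references to SHA pins, and reports drift.

```python
import re

# Constructed listings in the shape of `git ls-remote --tags <url>` (not real data):
# each line is "<sha>\trefs/tags/<tag>"; a "^{}" suffix marks the commit an annotated
# tag object points at, which is the value to pin.
LS_REMOTE_BEFORE = """\
1111111111111111111111111111111111111111\trefs/tags/v1.2.0
2222222222222222222222222222222222222222\trefs/tags/v1.2.0^{}
3333333333333333333333333333333333333333\trefs/tags/v1.3.0
"""

# The same repository after someone force-moved v1.2.0 (constructed).
LS_REMOTE_AFTER = """\
4444444444444444444444444444444444444444\trefs/tags/v1.2.0
5555555555555555555555555555555555555555\trefs/tags/v1.2.0^{}
3333333333333333333333333333333333333333\trefs/tags/v1.3.0
"""

# Constructed workflow that still references tags; example-org is a placeholder.
UNPINNED_WORKFLOW = """\
jobs:
  build:
    uses: example-org/.github/.github/workflows/build.yml@v1.2.0
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/shared-actions/setup@v1.3.0
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<repo>[^@\s]+)@(?P<ref>\S+)(?P<rest>.*)$"
)
PIN_COMMENT_RE = re.compile(r"#\s*(?P<tag>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(output):
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry of annotated tags."""
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit wins over the tag object
        else:
            tags.setdefault(name, sha)   # lightweight tag: the sha is the commit itself
    return tags


def pin_line(line, tags):
    """Rewrite a tag reference to its commit SHA, recording the tag in a comment."""
    m = USES_RE.match(line)
    if not m or SHA_RE.match(m.group("ref")):
        return line                      # not a uses: line, or already SHA-pinned
    sha = tags.get(m.group("ref"))
    if sha is None:
        raise ValueError(f"{m.group('ref')} is not a tag in the remote listing")
    return f"{m.group('prefix')}{m.group('repo')}@{sha} # {m.group('ref')}"


def pin_workflow(text, tags):
    return "\n".join(pin_line(line, tags) for line in text.splitlines()) + "\n"


def check_drift(line, tags):
    """Return None if a SHA pin still matches its recorded tag, otherwise a message."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(m.group("ref")):
        return None
    c = PIN_COMMENT_RE.search(m.group("rest"))
    if not c:
        return f"{m.group('repo')}: SHA pin has no tag comment to audit against"
    tag = c.group("tag")
    current = tags.get(tag)
    if current is None:
        return f"{m.group('repo')}: tag {tag} no longer exists on the remote"
    if current != m.group("ref"):
        return (f"{m.group('repo')}: tag {tag} now points at {current[:12]}, "
                f"pin is {m.group('ref')[:12]}")
    return None


def audit_workflow(text, tags):
    """All drift messages for a pinned workflow against a fresh tag listing."""
    return [msg for msg in (check_drift(line, tags) for line in text.splitlines()) if msg]


if __name__ == "__main__":
    pinned = pin_workflow(UNPINNED_WORKFLOW, parse_ls_remote(LS_REMOTE_BEFORE))
    print(pinned)
    for msg in audit_workflow(pinned, parse_ls_remote(LS_REMOTE_AFTER)):
        print("DRIFT:", msg)
```

A moved tag never changes what the pinned workflow runs, which is the property the policy wants; the audit only tells you that the upstream tag and your pin have diverged, so a human can decide whether to re-pin or to ask why the tag moved.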

@anmolnagpal (Collaborator Author)

[gemini-followup-2026-02-09]
Reviewed Gemini feedback for this PR.

Disposition: resolved / non-blocking for this branch.

  • Any informational suggestions were reviewed and accounted for.
  • If CI is red on PR-title validation, that is currently due to org-level reusable workflow regex configuration (terraform-az-modules/.github#29), not module code in this PR.

@anmolnagpal (Collaborator Author)

[gemini-followup-2026-02-09]
Reviewed Gemini feedback for this PR. Resolution: addressed/non-blocking for this branch. If PR-title CI fails, it's blocked by org-level workflow regex config (terraform-az-modules/.github#29), not module code.
