Commit b7db43b

Authored by WilliamBerryiii (Bill Berry) and katriendg
fix(workflows): add job-level permissions to validate-version in extension-publish-prerelease (#731)
Added an explicit empty `permissions: {}` block to the `validate-version` job in *.github/workflows/extension-publish-prerelease.yml*. This resolves OpenSSF Scorecard Token-Permissions alerts that flagged the job for missing job-level permissions. The `validate-version` job performs pure shell computation for version string validation and does not require repository content access or elevated token permissions. The `package` and `publish` jobs already had explicit job-level permissions and required no changes.

## Related Issue(s)

Fixes #524
Related to #456, #460

## Type of Change

Select all that apply:

**Code & Documentation:**

- [x] Bug fix (non-breaking change fixing an issue)
- [ ] New feature (non-breaking change adding functionality)
- [ ] Breaking change (fix or feature causing existing functionality to change)
- [ ] Documentation update

**Infrastructure & Configuration:**

- [x] GitHub Actions workflow
- [ ] Linting configuration (markdown, PowerShell, etc.)
- [x] Security configuration
- [ ] DevContainer configuration
- [ ] Dependency update

**AI Artifacts:**

- [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback
- [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
- [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
- [ ] Copilot agent (`.github/agents/*.agent.md`)
- [ ] Copilot skill (`.github/skills/*/SKILL.md`)

> **Note for AI Artifact Contributors**:
>
> - **Agents**: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review `.github/agents/` before creating new ones.
> - **Skills**: Must include both bash and PowerShell scripts. See [Skills](../docs/contributing/skills.md).
> - **Model Versions**: Only contributions targeting the **latest Anthropic and OpenAI models** will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
> - See [Agents Not Accepted](../docs/contributing/custom-agents.md#agents-not-accepted) and [Model Version Requirements](../docs/contributing/ai-artifacts-common.md#model-version-requirements).

**Other:**

- [ ] Script/automation (`.ps1`, `.sh`, `.py`)
- [ ] Other (please describe):

## Sample Prompts (for AI Artifact Contributions)

<!-- If you checked any boxes under "AI Artifacts" above, provide a sample prompt showing how to use your contribution -->
<!-- Delete this section if not applicable -->

**User Request:**
<!-- What natural language request would trigger this agent/prompt/instruction? -->

**Execution Flow:**
<!-- Step-by-step: what happens when invoked? Include tool usage, decision points -->

**Output Artifacts:**
<!-- What files/content are created? Show first 10-20 lines as preview -->

**Success Indicators:**
<!-- How does user know it worked correctly? What validation should they perform? -->

For detailed contribution requirements, see:

- **Common Standards**: [docs/contributing/ai-artifacts-common.md](../docs/contributing/ai-artifacts-common.md) - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
- **Agents**: [docs/contributing/custom-agents.md](../docs/contributing/custom-agents.md) - Agent configurations with tools and behavior patterns
- **Prompts**: [docs/contributing/prompts.md](../docs/contributing/prompts.md) - Workflow-specific guidance with template variables
- **Instructions**: [docs/contributing/instructions.md](../docs/contributing/instructions.md) - Technology-specific standards with glob patterns
- **Skills**: [docs/contributing/skills.md](../docs/contributing/skills.md) - Task execution utilities with cross-platform scripts

## Testing

Automated validation commands executed:

| Check | Command | Result |
|---|---|---|
| Markdown linting | `npm run lint:md` | Passed |
| Spell checking | `npm run spell-check` | Passed (7 pre-existing issues in unrelated files) |
| Frontmatter validation | `npm run lint:frontmatter` | Passed |
| Skill structure validation | `npm run validate:skills` | Passed |
| Link validation | `npm run lint:md-links` | Passed |
| PowerShell analysis | `npm run lint:ps` | Passed |
| Plugin freshness | `npm run plugin:generate` | Passed (no changes) |
| YAML linting | `npm run lint:yaml` | Passed |

**Security analysis:** The change restricts token permissions to the minimum required (none) for the `validate-version` job. No sensitive data exposure, dependency changes, or privilege escalation detected.

**Diff-based assessment:** Confirmed `package` and `publish` jobs already declare explicit job-level permissions. Verified that `gh release view` in the `validate-version` job works on public repositories without elevated token permissions.

Manual testing was not performed.

## Checklist

### Required Checks

- [x] Documentation is updated (if applicable) (N/A — no documentation changes required)
- [x] Files follow existing naming conventions
- [x] Changes are backwards compatible (if applicable)
- [ ] Tests added for new functionality (if applicable) (N/A — no new functionality)

### AI Artifact Contributions

<!-- If contributing an agent, prompt, instruction, or skill, complete these checks -->

- [ ] Used `/prompt-analyze` to review contribution
- [ ] Addressed all feedback from `prompt-builder` review
- [ ] Verified contribution follows common standards and type-specific requirements

### Required Automated Checks

The following validation commands must pass before merging:

- [x] Markdown linting: `npm run lint:md`
- [x] Spell checking: `npm run spell-check`
- [x] Frontmatter validation: `npm run lint:frontmatter`
- [x] Skill structure validation: `npm run validate:skills`
- [x] Link validation: `npm run lint:md-links`
- [x] PowerShell analysis: `npm run lint:ps`
- [x] Plugin freshness: `npm run plugin:generate`

## Security Considerations

<!-- ⚠️ WARNING: Do not commit sensitive information such as API keys, passwords, or personal data -->

- [x] This PR does not contain any sensitive or NDA information
- [x] Any new dependencies have been reviewed for security issues (N/A — no dependency changes)
- [x] Security-related scripts follow the principle of least privilege

## Additional Notes

This is a minimal, single-line change that satisfies the OpenSSF Scorecard Token-Permissions requirement by adding an explicit `permissions: {}` block to the only job in *extension-publish-prerelease.yml* that lacked one. The empty permissions declaration correctly reflects that the job needs no elevated token permissions beyond what is inherited.

Co-authored-by: Bill Berry <wbery@microsoft.com>
Co-authored-by: Katrien De Graeve <katriendg@users.noreply.github.com>
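The least-privilege reasoning in the commit message above, worked as an added example that is not code from this repository or its workflows: a small Python audit that reports every job lacking its own `permissions:` block, in the spirit of the OpenSSF Scorecard Token-Permissions check the message cites, and then applies the same one-line `permissions: {}` fix the commit makes. It is a deliberately simplified, indentation-based scan rather than a full YAML parser, it assumes the two-space layout used in the workflow this commit touches, and the workflow it runs on is constructed for the example (job names modelled on the ones the message mentions, step bodies invented).

```python
"""Job-level permissions audit for GitHub Actions workflows.

Added example, not code from the repository this commit belongs to. It
re-implements, in simplified form, the idea behind the OpenSSF Scorecard
Token-Permissions check: every job should carry an explicit `permissions:`
block so its GITHUB_TOKEN scopes are declared rather than inherited from the
workflow or repository default. Assumption: a column-0 `jobs:` key, job ids
indented by two spaces, job keys indented by four (the layout in the diff).
"""
import re

# Constructed sample modelled on the workflow in the commit: `validate-version`
# is the pre-fix state with no job-level block; the other two jobs declare one.
SAMPLE_WORKFLOW = """\
name: Extension Publish Pre-Release

on:
  workflow_dispatch:

jobs:
  validate-version:
    name: Validate Pre-Release Version
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.validate.outputs.version }}
    steps:
      - run: echo validate

  package:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo package

  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: echo publish
"""

# Matches "<indent><key>:" at the start of a line; list items ("- run: ...")
# do not match because "-" is followed by a space, not a colon.
_KEY_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+):")


def audit_job_permissions(workflow_text):
    """Return (workflow_has_permissions, {job_id: has_job_level_permissions}).

    A column-0 `permissions:` key is the workflow-level block. Inside the
    column-0 `jobs:` mapping, each key at indent 2 starts a job and a
    `permissions:` key at indent 4 belongs to the current job.
    """
    workflow_level = False
    jobs = {}
    in_jobs = False
    current = None
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        if indent == 0:
            in_jobs = key == "jobs"
            current = None
            if key == "permissions":
                workflow_level = True
        elif in_jobs and indent == 2:
            current = key
            jobs[current] = False
        elif in_jobs and indent == 4 and current and key == "permissions":
            jobs[current] = True
    return workflow_level, jobs


def jobs_missing_permissions(workflow_text):
    """Job ids that would trip the check: no job-level permissions block."""
    _, jobs = audit_job_permissions(workflow_text)
    return sorted(job for job, ok in jobs.items() if not ok)


def add_empty_permissions(workflow_text, job_id):
    """Insert `permissions: {}` directly after the job's `runs-on:` line,
    mirroring the one-line fix the commit applies to validate-version."""
    out, in_job = [], False
    for line in workflow_text.splitlines():
        m = _KEY_RE.match(line)
        if m and len(m.group(1)) == 2:
            in_job = m.group(2) == job_id
        out.append(line)
        if in_job and m and len(m.group(1)) == 4 and m.group(2) == "runs-on":
            out.append("    permissions: {}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("missing before:", jobs_missing_permissions(SAMPLE_WORKFLOW))
    fixed = add_empty_permissions(SAMPLE_WORKFLOW, "validate-version")
    print("missing after: ", jobs_missing_permissions(fixed))
```

Run as a script it reports `validate-version` as the only offender before the fix and nothing after it. The scan treats the workflow-level block separately because a job-level `permissions` replaces the workflow default rather than narrowing it, which is why a per-job declaration, even an empty one, is what the check wants.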
1 parent: 1cf04b1

1 file changed

Lines changed: 1 addition & 0 deletions

.github/workflows/extension-publish-prerelease.yml

@@ -21,6 +21,7 @@ jobs:
2121
validate-version:
2222
name: Validate Pre-Release Version
2323
runs-on: ubuntu-latest
24+
permissions: {}
2425
outputs:
2526
version: ${{ steps.validate.outputs.version }}
2627
steps:
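Review bot: the added `permissions: {}` line would benefit from an inline comment explaining why no scope is needed, because a job-level `permissions` block replaces the workflow default rather than narrowing it, so `{}` leaves the GITHUB_TOKEN with no scopes at all; the `gh release view` call the commit message relies on then succeeds only because it reads a public repository anonymously, and a later step that checks out the repository or runs in a private fork would fail until `contents: read` is added. Suggest `permissions: {} # no GITHUB_TOKEN scopes: shell-only validation plus anonymous read of the public repo`, so the next maintainer neither widens it back to the default nor has to rediscover which scope a checkout would need.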

0 commit comments
