feat(security): add checksum validation infrastructure #106
Merged
WilliamBerryiii merged 4 commits into main from Jan 5, 2026
…oads
- remove harden-runner from 9 workflows (audit-only, no security value)
- add tool-checksums.json manifest for SHA256 tracking
- add Get-ToolStaleness and Test-ShellDownloadSecurity functions
- add Get-VerifiedDownload.ps1 helper for verified downloads
- add npm-audit job to pr-validation.yml

🔒 - Generated by Copilot
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
This PR introduces checksum validation infrastructure for tool downloads and removes the audit-only harden-runner action from workflows. While the direction is sound, several implementation issues prevent the new infrastructure from being functional.
Key concerns:
- Get-ToolStaleness function is defined but never called
- Test-ShellDownloadSecurity function is defined but not integrated into the scanning logic
- Get-VerifiedDownload.ps1 has compatibility issues (tar.gz extraction not supported)
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| scripts/security/tool-checksums.json | New manifest for tracking tool versions with SHA256 checksums; schema reference is generic rather than project-specific |
| scripts/security/Test-SHAStaleness.ps1 | Adds Get-ToolStaleness function for querying GitHub Releases API, but function is never invoked; version comparison uses string equality instead of semantic versioning |
| scripts/security/Test-DependencyPinning.ps1 | Adds shell-downloads ecosystem and Test-ShellDownloadSecurity function, but not integrated into main scanning flow; regex pattern has potential false positive issues |
| scripts/lib/Get-VerifiedDownload.ps1 | New helper for verified downloads; has critical issues with tar.gz extraction support, exit handling, and ExtractPath parameter documentation |
| scripts/security/Update-ActionSHAPinning.ps1 | Removes harden-runner SHA mapping, consistent with workflow removals |
| .github/workflows/*.yml (9 files) | Cleanly removes harden-runner steps from all validation workflows |
| .github/workflows/pr-validation.yml | Adds npm-audit job following established patterns |
| .github/workflows/README.md | Updates documentation to remove harden-runner references |
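
The manifest-backed hash check that the table above attributes to tool-checksums.json and Get-VerifiedDownload.ps1, as an added example that is not code from this pull request. The function name `Test-FileAgainstManifest` and the manifest fields (`tools`, `name`, `sha256`) are assumptions; the sample file is constructed so the block runs offline.

```powershell
# Added example; manifest layout is assumed, not the project's real schema.
function Test-FileAgainstManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ToolName,
        [Parameter(Mandatory)] [string] $ManifestJson
    )
    $manifest = $ManifestJson | ConvertFrom-Json
    $entry = $manifest.tools | Where-Object { $_.name -eq $ToolName } | Select-Object -First 1
    if (-not $entry) { throw "No manifest entry for '$ToolName'; refusing unverified file." }
    if ($entry.sha256 -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Manifest entry for '$ToolName' has a malformed SHA256."
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Get-FileHash returns upper-case hex, so compare case-insensitively.
    if ($actual -ine $entry.sha256) {
        Remove-Item -LiteralPath $Path -Force   # do not leave an unverified binary on disk
        # throw (not exit) so a calling script or CI step can catch the failure
        throw "SHA256 mismatch for '$ToolName': expected $($entry.sha256), got $actual"
    }
    return $true
}

# Constructed manifest: the pinned value is the SHA256 of the three bytes "abc".
$manifestJson = @'
{ "tools": [ { "name": "demo-tool", "version": "1.0.0",
               "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" } ] }
'@
$file = Join-Path ([System.IO.Path]::GetTempPath()) 'demo-tool.bin'

# Case 1: file content matches the pinned hash.
[System.IO.File]::WriteAllBytes($file, [byte[]](0x61, 0x62, 0x63))
Test-FileAgainstManifest -Path $file -ToolName 'demo-tool' -ManifestJson $manifestJson

# Case 2: one byte changed ("abd"); the file is deleted and the call throws.
[System.IO.File]::WriteAllBytes($file, [byte[]](0x61, 0x62, 0x64))
try { Test-FileAgainstManifest -Path $file -ToolName 'demo-tool' -ManifestJson $manifestJson }
catch { "Rejected: $($_.Exception.Message)" }
```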
The issues (PR comments) in this will be resolved after PR #100 merges.
- resolve pr-validation.yml conflict keeping both npm-audit and codeql jobs 🔀 - Generated by Copilot
…tibility
- update .markdownlint.json MD060 from 'aligned' to 'leading_and_trailing'
- reformat tables in getting-started docs with consistent structure
- resolve CI lint failures caused by emoji byte-width alignment issues

✅ - Generated by Copilot
katriendg approved these changes Dec 22, 2025
Given some of the copilot comments will be addressed, approving
…ture
- add tar.gz/tgz/tar extraction support with format-aware switch logic
- convert exit 1 to throw for proper PowerShell error handling
- invoke Get-ToolStaleness in main execution with stale tool logging
- add Compare-ToolVersion for semantic version comparison
- include shell-downloads in default IncludeTypes parameter

🔧 - Generated by Copilot
WilliamBerryiii pushed a commit that referenced this pull request Jan 19, 2026
🤖 I have created a release *beep* *boop*

---

## [1.1.0](hve-core-v1.0.0...hve-core-v1.1.0) (2026-01-19)

### ✨ Features

* **.devcontainer:** add development container configuration ([#24](#24)) ([45debf5](45debf5))
* **.github:** add github metadata and mcp configuration ([#23](#23)) ([1cb898d](1cb898d))
* **agent:** Add automated installation via hve-core-installer agent ([#82](#82)) ([a2716d5](a2716d5))
* **agents:** add brd-builder.agent.md for building BRDs ([#122](#122)) ([bfdc9f3](bfdc9f3))
* **agents:** redesign installer with Codespaces support and method documentation ([#123](#123)) ([6329fc0](6329fc0))
* **ai:** Establish AI-Assisted Development Framework ([#48](#48)) ([f5199a4](f5199a4))
* **build:** implement automated release management with release-please ([#86](#86)) ([90150e2](90150e2))
* **chatmodes:** add architecture diagram builder agent ([#145](#145)) ([db24637](db24637))
* **config:** add development tools configuration files ([#19](#19)) ([9f97522](9f97522))
* **config:** add npm package configuration and dependencies ([#20](#20)) ([fcba198](fcba198))
* **copilot:** add GitHub Copilot instruction files ([#22](#22)) ([4927284](4927284))
* **copilot:** add specialized chat modes for development workflows ([#21](#21)) ([ae8495f](ae8495f))
* **docs:** add comprehensive AI artifact contribution documentation ([#76](#76)) ([d81cf96](d81cf96))
* **docs:** add getting started guide for project configuration ([#57](#57)) ([3b864fa](3b864fa))
* **docs:** add repository foundation and documentation files ([#18](#18)) ([ad7efb6](ad7efb6)), closes [#2](#2)
* **docs:** add RPI workflow documentation and restructure docs folder ([#102](#102)) ([c3af708](c3af708))
* **extension:** hve core vs code extension ([#149](#149)) ([041a1fd](041a1fd))
* **extension:** implement pre-release versioning with agent maturity filtering ([#179](#179)) ([fb38233](fb38233))
* **instructions:** add authoring standards for prompt engineering artifacts ([#177](#177)) ([5de3af9](5de3af9))
* **instructions:** add extension quick install and enhance installer agent ([#176](#176)) ([48e3d58](48e3d58))
* **instructions:** add VS Code variant prompt and gitignore recommendation to installer ([#185](#185)) ([b400493](b400493))
* **instructions:** add writing style guide for markdown content ([#151](#151)) ([02df6a8](02df6a8))
* **instructions:** consolidate C# guidelines and update prompt agent fields ([#158](#158)) ([65342d4](65342d4))
* **instructions:** provide guidance on using safe commands to reduce interactive prompting ([#117](#117)) ([1268580](1268580))
* **linting:** add linting and validation scripts ([#26](#26)) ([66be136](66be136))
* **prompt-builder:** enhance prompt engineering instructions and validation protocols ([#155](#155)) ([bc5004f](bc5004f))
* **prompts:** add ADR placement planning and update template paths ([#69](#69)) ([380885f](380885f))
* **prompts:** add git workflow prompts from edge-ai ([#84](#84)) ([56d66b6](56d66b6))
* **prompts:** add github-add-issue prompt and github-issue-manager chatmode with delegation pattern ([#55](#55)) ([d0e1789](d0e1789))
* **prompts:** add PR template discovery and integration to pull-request prompt ([#141](#141)) ([b8a4c7a](b8a4c7a))
* **prompts:** add task research initiation prompt and rpi agent([#124](#124)) ([5113e3b](5113e3b))
* **release:** implement release management strategy ([#161](#161)) ([6164c3b](6164c3b))
* Risk Register Prompt ([#146](#146)) ([843982c](843982c))
* **scripts:** enhanced JSON Schema validation for markdown frontmatter ([#59](#59)) ([aba152c](aba152c))
* **security:** add checksum validation infrastructure ([#106](#106)) ([07528fb](07528fb))
* **security:** add security scanning scripts ([#25](#25)) ([82de5a1](82de5a1))
* **workflows:** add CodeQL security analysis to PR validation ([#132](#132)) ([e5b6e8f](e5b6e8f))
* **workflows:** add orchestration workflows and documentation ([#29](#29)) ([de442e0](de442e0))
* **workflows:** add security reusable workflows ([#28](#28)) ([2c74399](2c74399))
* **workflows:** add validation reusable workflows ([#27](#27)) ([f52352d](f52352d))

### 🐛 Bug Fixes

* **build:** add token parameter to release-please action ([#166](#166)) ([c9189ec](c9189ec))
* **build:** disable MD012 lint rule in CHANGELOG for release-please compatibility ([#173](#173)) ([54502d8](54502d8)), closes [#172](#172)
* **build:** pin npm commands for OpenSSF Scorecard compliance ([#181](#181)) ([c29db54](c29db54))
* **build:** remediate GHSA-g9mf-h72j-4rw9 undici vulnerability ([#188](#188)) ([634bf36](634bf36))
* **build:** seed CHANGELOG.md with version entry for release-please frontmatter preservation ([#170](#170)) ([2b299ac](2b299ac))
* **build:** use GitHub App token for release-please ([#167](#167)) ([070e042](070e042))
* **build:** use hashtable splatting for named parameters ([#164](#164)) ([02a965f](02a965f))
* **devcontainer:** remove unused Python requirements check ([#78](#78)) ([f17a872](f17a872)), closes [#77](#77)
* **docs:** fix broken links and update validation for .vscode/README.md ([#118](#118)) ([160ae7a](160ae7a))
* **docs:** improve language consistency in Automated Installation section ([#139](#139)) ([a932918](a932918))
* **docs:** replace install button anchor with VS Code protocol handler ([#111](#111)) ([41a265e](41a265e))
* **docs:** update install badges to use aka.ms redirect URLs ([#114](#114)) ([868f655](868f655))
* **linting:** use cross-platform path separators in gitignore pattern matching ([#121](#121)) ([3f0aa1b](3f0aa1b))
* **scripts:** accepts the token (YYYY-MM-dd) in frontmatter validation ([#133](#133)) ([2648215](2648215))
* **tools:** correct Method 5 path resolution in hve-core-installer ([#129](#129)) ([57ef20d](57ef20d))

### 📚 Documentation

* add comprehensive RPI workflow documentation ([#153](#153)) ([cbaa4a9](cbaa4a9))
* enhance README with contributing, responsible AI, and legal sections ([#52](#52)) ([a424adc](a424adc))

### ♻️ Refactoring

* **instructions:** consolidate and enhance AI artifact guidelines ([#206](#206)) ([54dd959](54dd959))
* migrate chatmodes to agents architecture ([#210](#210)) ([712b0b7](712b0b7))

### 🔧 Maintenance

* **build:** clean up workflow permissions for Scorecard compliance ([#183](#183)) ([64686e7](64686e7))
* **deps-dev:** bump cspell in the npm-dependencies group ([#61](#61)) ([38650eb](38650eb))
* **deps-dev:** bump glob from 10.4.5 to 10.5.0 ([#74](#74)) ([b3ca9fd](b3ca9fd))
* **deps-dev:** bump markdownlint-cli2 from 0.19.1 to 0.20.0 in the npm-dependencies group ([#134](#134)) ([ebfbe84](ebfbe84))
* **deps-dev:** bump the npm-dependencies group across 1 directory with 2 updates ([#109](#109)) ([936ab84](936ab84))
* **deps-dev:** bump the npm-dependencies group with 2 updates ([#30](#30)) ([cf99cbf](cf99cbf))
* **deps:** bump actions/upload-artifact from 5.0.0 to 6.0.0 in the github-actions group ([#142](#142)) ([91eac8a](91eac8a))
* **deps:** bump js-yaml, markdown-link-check and markdownlint-cli2 ([#75](#75)) ([af03d0e](af03d0e))
* **deps:** bump the github-actions group with 2 updates ([#108](#108)) ([3e56313](3e56313))
* **deps:** bump the github-actions group with 2 updates ([#135](#135)) ([4538a03](4538a03))
* **deps:** bump the github-actions group with 2 updates ([#62](#62)) ([d1e0c09](d1e0c09))
* **deps:** bump the github-actions group with 3 updates ([#87](#87)) ([ed550f4](ed550f4))
* **deps:** bump the github-actions group with 6 updates ([#162](#162)) ([ec5bb12](ec5bb12))
* **devcontainer:** enhance gitleaks installation with checksum verification ([#100](#100)) ([5a8507d](5a8507d))
* **devcontainer:** refactor setup scripts for improved dependency management ([#94](#94)) ([f5f50d1](f5f50d1)), closes [#98](#98)
* **security:** configure GitHub branch protection for OpenSSF compliance ([#191](#191)) ([90aab1a](90aab1a))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
Pull Request
Description
Introduces comprehensive checksum validation infrastructure for tool downloads and removes the audit-only harden-runner action from all workflows. This establishes a foundation for verifying the integrity of external binary downloads in CI/CD pipelines and development containers.
- feat(security): Added tool-checksums.json manifest for tracking tool versions with SHA256 checksums
- feat(security): Added Get-ToolStaleness function to Test-SHAStaleness.ps1
- feat(security): Added shell-downloads ecosystem to Test-DependencyPinning.ps1
  - Test-ShellDownloadSecurity function scans shell scripts for curl/wget downloads
- feat(lib): Added Get-VerifiedDownload.ps1 helper script
- feat(ci): Added npm-audit job to pr-validation.yml
  - npm audit --audit-level=moderate on pull requests
- refactor(workflows): Removed harden-runner from 9 workflow files
  - dependency-pinning-scan.yml, frontmatter-validation.yml, link-lang-check.yml
  - markdown-link-check.yml, markdown-lint.yml, ps-script-analyzer.yml
  - sha-staleness-check.yml, spell-check.yml, table-format.yml
- docs(workflows): Updated README.md to remove harden-runner references
- chore(security): Removed harden-runner SHA mapping from Update-ActionSHAPinning.ps1

Related Issue(s)
Fixes #105
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
Other:
.ps1,.sh,.py)
Testing
- npm run lint:ps (PSScriptAnalyzer) - all scripts pass
- npm run lint:md - all markdown passes
- Test-ShellDownloadSecurity correctly detects downloads with and without checksum verification

Checklist
Required Checks
Required Automated Checks
The following validation commands must pass before merging:
- npm run lint:md
- npm run spell-check
- npm run lint:frontmatter
- npm run lint:md-links
- npm run lint:ps

Security Considerations
Additional Notes
- Test-ShellDownloadSecurity function validates that curl/wget downloads have checksum verification, which PR chore(devcontainer): enhance gitleaks installation with checksum verification #100's on-create.sh already implements correctly

🔒 - Generated by Copilot
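
The kind of check the description attributes to Test-ShellDownloadSecurity (flagging curl/wget downloads that lack checksum verification), as an added example that is not the project's implementation. The function name `Find-UnverifiedShellDownload`, its regexes and the five-line window are assumptions, and the shell script it scans is constructed.

```powershell
# Added example; a line-based heuristic, not the PR's Test-ShellDownloadSecurity.
function Find-UnverifiedShellDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [int] $Window = 5   # lines after the download searched for a checksum check
    )
    $lines    = $ScriptText -split '\r?\n'
    # curl/wget in command position only, so "apt-get install curl" is not a hit.
    $download = '(?:^|[;&|(])\s*(?:sudo\s+)?(?:curl|wget)\s'
    $pipeToSh = '\|\s*(?:sudo\s+)?(?:ba|z)?sh\b'
    # Only "sha256sum -c" / "shasum ... -c" count; manual hash comparisons are
    # not recognised and will be reported (known limitation of this sketch).
    $verify   = '\b(?:sha256sum|shasum)\b.*(?:\s-c\b|--check\b)'

    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -match '^\s*#' -or $line -notmatch $download) { continue }

        $reason = $null
        if ($line -match $pipeToSh) {
            $reason = 'piped to a shell; content runs before it can be hashed'
        } else {
            $last = [Math]::Min($i + $Window, $lines.Count - 1)
            $hasCheck = @($lines[$i..$last] | Where-Object { $_ -match $verify }).Count -gt 0
            if (-not $hasCheck) { $reason = "no sha256sum/shasum -c within $Window lines" }
        }
        if ($reason) {
            [pscustomobject]@{ Line = $i + 1; Reason = $reason; Text = $line.Trim() }
        }
    }
}

# Constructed sample script (example.com URLs and the hash placeholder are illustrative).
$sample = @'
#!/bin/sh
apt-get install -y curl wget
curl -fsSL https://example.com/install.sh | sh
curl -fsSLo tool.tgz https://example.com/tool.tgz
echo "<expected-sha256>  tool.tgz" | sha256sum -c -
wget -q https://example.com/other.bin
chmod +x other.bin
'@
Find-UnverifiedShellDownload -ScriptText $sample | Format-Table -AutoSize
```

Lines 3 and 6 of the sample are reported; the download on line 4 is followed by a `sha256sum -c` check and passes.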