fix(build): resolve scorecard badge and workflow security issues#301
Merged
WilliamBerryiii merged 1 commit intomainfrom Jan 27, 2026
Merged
fix(build): resolve scorecard badge and workflow security issues#301WilliamBerryiii merged 1 commit intomainfrom
WilliamBerryiii merged 1 commit intomainfrom
Conversation
- Remove run step from scorecard.yml violating ossf/scorecard-action restrictions - Add explicit permissions block to pester-tests.yml - Remove redundant security-events: write from security-scan.yml top-level - Pin @vscode/vsce@3.7.1 in extension-publish-prerelease.yml Closes #300 Closes #292 Closes #291 🤖 Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes the broken OpenSSF Scorecard badge and addresses workflow security configurations identified in issues #300, #292, and #291. The root cause was a run: step in scorecard.yml that violated ossf/scorecard-action workflow restrictions, preventing successful workflow verification and result publication to the Scorecard API.
Changes:
- Removed
run:step from scorecard.yml that violated ossf/scorecard-action workflow restrictions - Added explicit top-level permissions block to pester-tests.yml for token permissions compliance
- Removed redundant top-level
security-events: writepermission from security-scan.yml - Pinned
@vscode/vsce@3.7.1in extension-publish-prerelease.yml to address npm dependency pinning requirements
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/security-scan.yml |
Removes redundant top-level security-events: write permission (already declared at job level) |
.github/workflows/scorecard.yml |
Removes job summary step with run: commands that violated ossf/scorecard-action workflow restrictions |
.github/workflows/pester-tests.yml |
Adds explicit top-level permissions: contents: read block for OpenSSF Scorecard token permissions compliance |
.github/workflows/extension-publish-prerelease.yml |
Pins @vscode/vsce to version 3.7.1 in two locations to address npm dependency pinning security requirements |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #301 +/- ##
==========================================
- Coverage 37.34% 37.31% -0.04%
==========================================
Files 15 15
Lines 2814 2814
==========================================
- Hits 1051 1050 -1
- Misses 1763 1764 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
katriendg
approved these changes
Jan 27, 2026
WilliamBerryiii
pushed a commit
that referenced
this pull request
Jan 28, 2026
🤖 I have created a release *beep* *boop* --- ## [2.0.0](hve-core-v1.1.0...hve-core-v2.0.0) (2026-01-28) ### ⚠ BREAKING CHANGES * **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277)) ### ✨ Features * **agents:** add hve-core-installer agent to extension package ([#297](#297)) ([c0e48c6](c0e48c6)) * **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277)) ([ae76cab](ae76cab)) * **build:** add code coverage reporting to Pester workflow ([#230](#230)) ([a34822a](a34822a)) * **docs:** add GOVERNANCE.md for OSSF Silver Badge compliance ([#235](#235)) ([b0e752c](b0e752c)) * **docs:** add ROADMAP.md for OSSF Silver badge compliance ([#238](#238)) ([4a41c16](4a41c16)) * **mcp:** add MCP server configuration guidance and installer enhancements ([#225](#225)) ([0bce418](0bce418)) * **scripts:** add YAML linting with actionlint ([#234](#234)) ([d9301f9](d9301f9)) * **security:** add OpenSSF Scorecard workflow and badge ([#271](#271)) ([7c6d788](7c6d788)) * **skills:** add video-to-gif conversion skill with FFmpeg two-pass optimization ([#247](#247)) ([8d65c42](8d65c42)) * **tests:** add Pester tests for LintingHelpers and Validate-MarkdownFrontmatter ([#197](#197), [#198](#198)) ([#205](#205)) ([51ae563](51ae563)) ### 🐛 Bug Fixes * **build:** detect table formatting changes via git diff ([#261](#261)) ([985eee0](985eee0)) * **build:** disable MD024 lint rule in CHANGELOG for release-please ([#220](#220)) ([971df94](971df94)) * **build:** quote shell variables and group redirects in workflow files ([#299](#299)) ([3372509](3372509)) * **build:** resolve scorecard badge and workflow security issues ([#301](#301)) ([aeaed13](aeaed13)) * **extension:** remove frontmatter from README and exclude from markdown linting ([#223](#223)) ([4272529](4272529)) * **instructions:** quote applyTo glob pattern for YAML compatibility ([#216](#216)) ([085199c](085199c)) * **scripts:** add FooterExcludePaths parameter to frontmatter validation ([#334](#334)) ([64db98d](64db98d)) * **scripts:** add GHSA word and logs/ exclusion to cspell config ([#214](#214)) ([5c99b3f](5c99b3f)) * **scripts:** correct type assertions in Invoke-YamlLint.Tests.ps1 ([#332](#332)) ([af7050d](af7050d)) * **scripts:** eliminate false positives in dependency pinning npm pattern ([#273](#273)) ([ccbdfa3](ccbdfa3)) * **security:** add artifact attestation for signed releases ([#257](#257)) ([c52d6e2](c52d6e2)) * standardize markdown footers and complete frontmatter ([#217](#217)) ([b4e7556](b4e7556)) ### 📚 Documentation * add OpenSSF Best Practices Passing badge to README ([#239](#239)) ([91bc529](91bc529)) * **architecture:** add architecture documentation and value proposition ([#252](#252)) ([0e4b02f](0e4b02f)) * **contributing:** add testing requirements for OSSF compliance ([#254](#254)) ([4db1a18](4db1a18)) * **docs:** add enterprise status badges to README header ([#270](#270)) ([ccb68a4](ccb68a4)) * **security:** add security assurance case and threat model for OSSF Silver ([#259](#259)) ([a390e26](a390e26)) ### ♻️ Refactoring * **application:** wrap execution with try blocks, ensure proper … ([#296](#296)) ([35c4417](35c4417)) * **scripts:** extract frontmatter validation to testable module ([#293](#293)) ([4e8707e](4e8707e)) * **scripts:** extract pure functions for Pester testability ([#221](#221)) ([d40e742](d40e742)) ### 🔧 Maintenance * **deps-dev:** bump cspell from 9.4.0 to 9.6.0 in the npm-dependencies group ([#208](#208)) ([855914b](855914b)) * **deps-dev:** bump cspell from 9.6.0 to 9.6.1 in the npm-dependencies group ([#294](#294)) ([1e45ad6](1e45ad6)) * **deps:** bump actions/setup-node from 6.1.0 to 6.2.0 in the github-actions group ([#209](#209)) ([c4c69e2](c4c69e2)) * **deps:** bump the github-actions group with 4 updates ([#295](#295)) ([d8337b8](d8337b8)) * remove step-security/harden-runner from workflows ([#246](#246)) ([c5708d8](c5708d8)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
This was referenced Jan 28, 2026
This was referenced Feb 6, 2026
This was referenced Feb 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR fixes the broken OpenSSF Scorecard badge by removing a
run:step from the scorecard workflow that violated ossf/scorecard-action restrictions. Additionally, it addresses workflow security configurations by adding explicit permission blocks and pinning npm dependencies to specific versions.run:commands, which caused workflow verification failures and prevented the Scorecard API from accepting resultspermissions: contents: readblock to pester-tests.yml to satisfy scorecard token permissions requirementssecurity-events: writefrom security-scan.yml top-level permissions (already declared at job level)@vscode/vsce@3.7.1in extension-publish-prerelease.yml (two locations) to address npm dependency pinning requirementsRelated Issue(s)
Closes #300
Closes #292
Closes #291
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md)Other:
.ps1,.sh,.py)Testing
npm run lint:yamlto validate all 21 workflow files pass YAML/actionlint checksChecklist
Required Checks
AI Artifact Contributions
N/A - No AI artifacts in this PR.
Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run lint:md-linksnpm run lint:psSecurity Considerations
Additional Notes
The root cause of the broken scorecard badge was the
run:step in scorecard.yml. The ossf/scorecard-action explicitly restricts workflows containing arbitrary shell commands to prevent supply chain attacks, which caused all workflow runs to fail verification and return empty results to the Scorecard API.🔧 Generated by Copilot