Skip to content

fix(workflows): add job-level permissions to extension-publish.yml#729

Merged
WilliamBerryiii merged 3 commits intomainfrom
fix/527-add-job-permissions
Feb 23, 2026
Merged

fix(workflows): add job-level permissions to extension-publish.yml#729
WilliamBerryiii merged 3 commits intomainfrom
fix/527-add-job-permissions

Conversation

@WilliamBerryiii
Copy link
Copy Markdown
Member

@WilliamBerryiii WilliamBerryiii commented Feb 22, 2026

Description

Add explicit job-level permissions: contents: read declarations to the prepare-changelog and normalize-version jobs in extension-publish.yml.

The package and publish jobs already declared job-level permissions, but prepare-changelog and normalize-version relied on the workflow-level default. OpenSSF Scorecard Token-Permissions checks flag jobs without explicit job-level permissions even when a workflow-level declaration exists. This change ensures all four jobs in the workflow have consistent, explicit least-privilege permissions.

Changes

  • prepare-changelog — added permissions: contents: read (job checks out code and uploads artifacts)
  • normalize-version — added permissions: contents: read (job uses github.token for gh release view)

Related Issue(s)

Fixes #527

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

Testing

  • actionlint (npm run lint:yaml): Passed — 0 errors, 0 warnings
  • Diff analysis: Verified both prepare-changelog and normalize-version jobs now have explicit permissions: contents: read, matching the existing pattern in package and publish jobs
  • Manual testing: Not performed — change is declarative workflow metadata only

Checklist

Required Checks

  • Documentation is updated (N/A — no documentation changes needed)
  • Files follow existing naming conventions
  • Changes are backwards compatible (purely additive, no removals)
  • Tests added for new functionality (N/A — declarative workflow metadata, no testable logic)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues (N/A — no dependency changes)
  • Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

This change addresses OpenSSF Scorecard Token-Permissions compliance. The workflow-level permissions: contents: read was already present, but Scorecard recommends explicit job-level declarations for defense-in-depth.

@WilliamBerryiii
fix(workflows): add job-level permissions to extension-publish.yml
8f91a95 
- add contents: read to prepare-changelog job
- add contents: read to normalize-version job

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner February 22, 2026 01:14
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Feb 22, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@WilliamBerryiii WilliamBerryiii merged commit 8cb62a7 into main Feb 23, 2026
19 checks passed
This was referenced Feb 23, 2026
Closed
Closed
Closed
Closed
Closed
Merged
WilliamBerryiii pushed a commit that referenced this pull request Feb 28, 2026
@hve-core-release-please @github-actions
chore(main): pre-release 3.1.44 (#819)
8e5028a 
## Pre-Release 3.1.44

### ✨ Features

- add Docusaurus 3 documentation site with GitHub Pages deployment
(#680)
- add workflow permissions validation for OpenSSF Scorecard compliance
(#759)
- add DT coach return path handoff to task-researcher (#591) (#758)
- add DT subagent handoff workflow instructions (#592) (#757)
- create dt-method-06-deep.instructions.md (#602) (#748)
- create dt-method-05-deep.instructions.md (#747)
- add DT-aware task-implementor context instructions (#755)
- extract embedded PowerShell from workflows into testable scripts
(#738)
- add gitleaks binary-based secret scanning as PR gate (#734)
- add SBOM generation, attestation, and diff tooling to release pipeline
(#730)
- add dt-learning-tutor agent for DT education (#662)
- add DT image prompt generation guidance for Method 5 (#726)
- add DT-aware task-reviewer review context (#714)
- add dt-method-next routing prompt (#713)
- create dt-method-04-deep.instructions.md (#709)
- add Implementation Space exit handoff prompt for DT workflows (#708)
- add Write-CIStepSummary markdown table to Test-SHAStaleness github
output (#660)
- add dt-handoff-solution-space prompt for Solution Spac… (#707)

### 🐛 Bug Fixes

- update sidebar link color to meet WCAG AA contrast requirements (#814)
- harden even/odd versioning against regression and syntax errors (#816)
- replace even/odd versioning with SemVer -rc.N suffixes (#811)
- ensure prerelease label exists before PR creation (#806)
- replace Docusaurus favicons with Microsoft logo (#808)
- add missing subagents and shared instructions to collection manifests
(#804)
- standardize file path conventions for copilot-tracking output (#784)
- enforce project-scoped artifact isolation across DT files (#766)
- add top-level permissions to copilot-setup-steps.yml (#760)
- update broken file directives and markdown links after collection
directory reorg (#743)
- add pre-release companion pipeline with even/odd versioning (#735)
- exclude auto-generated CHANGELOG.md from spell check (#756)
- add job-level permissions to extension-publish.yml (#729)
- resolve handoff dependencies using display names (#727)
- add job-level permissions to validate-version in
extension-publish-prerelease (#731)
- replace parent-directory VS Code settings paths with per-subdirectory
enumeration (#732)

### 📚 Documentation

- add Design Thinking documentation and DT-to-RPI handoff (#789)
- add customization guides for HVE Core artifacts (#772)
- reconcile documentation against implementation (#771)
- document accepted Token-Permissions risks and add
lint:dependency-pinning (#763)
- add Design Thinking section to hve-core-all collection description
(#762)

### ♻️ Refactoring

- move collection scripts from plugins to collections (#728)
- remove duplicate git diff logic in frontmatter validator (#473)

### 🔧 Maintenance

- bump basic-ftp from 5.0.5 to 5.2.0 (#780)
- standardize script path references in SKILL.md files (#768)
- bump the github-actions group across 1 directory with 2 updates (#752)

---
*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@hve-core-release-please hve-core-release-please bot mentioned this pull request Feb 28, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request Feb 28, 2026
@hve-core-release-please @github-actions
chore(main): pre-release 3.1.46 (#823)
eb45d69 
## Pre-Release 3.1.46

### ✨ Features

- add Docusaurus 3 documentation site with GitHub Pages deployment
(#680)
- add workflow permissions validation for OpenSSF Scorecard compliance
(#759)
- add DT coach return path handoff to task-researcher (#591) (#758)
- add DT subagent handoff workflow instructions (#592) (#757)
- create dt-method-06-deep.instructions.md (#602) (#748)
- create dt-method-05-deep.instructions.md (#747)
- add DT-aware task-implementor context instructions (#755)
- extract embedded PowerShell from workflows into testable scripts
(#738)
- add gitleaks binary-based secret scanning as PR gate (#734)
- add SBOM generation, attestation, and diff tooling to release pipeline
(#730)
- add dt-learning-tutor agent for DT education (#662)
- add DT image prompt generation guidance for Method 5 (#726)
- add DT-aware task-reviewer review context (#714)
- add dt-method-next routing prompt (#713)
- create dt-method-04-deep.instructions.md (#709)
- add Implementation Space exit handoff prompt for DT workflows (#708)
- add Write-CIStepSummary markdown table to Test-SHAStaleness github
output (#660)
- add dt-handoff-solution-space prompt for Solution Spac… (#707)

### 🐛 Bug Fixes

- update prerelease publish to use even/odd convention (#822)
- update sidebar link color to meet WCAG AA contrast requirements (#814)
- harden even/odd versioning against regression and syntax errors (#816)
- replace even/odd versioning with SemVer -rc.N suffixes (#811)
- ensure prerelease label exists before PR creation (#806)
- replace Docusaurus favicons with Microsoft logo (#808)
- add missing subagents and shared instructions to collection manifests
(#804)
- standardize file path conventions for copilot-tracking output (#784)
- enforce project-scoped artifact isolation across DT files (#766)
- add top-level permissions to copilot-setup-steps.yml (#760)
- update broken file directives and markdown links after collection
directory reorg (#743)
- add pre-release companion pipeline with even/odd versioning (#735)
- exclude auto-generated CHANGELOG.md from spell check (#756)
- add job-level permissions to extension-publish.yml (#729)
- resolve handoff dependencies using display names (#727)
- add job-level permissions to validate-version in
extension-publish-prerelease (#731)
- replace parent-directory VS Code settings paths with per-subdirectory
enumeration (#732)

### 📚 Documentation

- add Design Thinking documentation and DT-to-RPI handoff (#789)
- add customization guides for HVE Core artifacts (#772)
- reconcile documentation against implementation (#771)
- document accepted Token-Permissions risks and add
lint:dependency-pinning (#763)
- add Design Thinking section to hve-core-all collection description
(#762)

### ♻️ Refactoring

- move collection scripts from plugins to collections (#728)
- remove duplicate git diff logic in frontmatter validator (#473)

### 🔧 Maintenance

- pre-release 3.1.44 (#819)
- bump basic-ftp from 5.0.5 to 5.2.0 (#780)
- standardize script path references in SKILL.md files (#768)
- bump the github-actions group across 1 directory with 2 updates (#752)

---
*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This was referenced Mar 1, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Mar 15, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@agreaves-ms agreaves-ms agreaves-ms approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(build): add job-level permissions to extension-publish.yml for OpenSSF Scorecard compliance

2 participants

@WilliamBerryiii @agreaves-ms