docs(security): document accepted Token-Permissions risks and add lint:dependency-pinning#763
Merged
WilliamBerryiii merged 1 commit intomainfrom Feb 25, 2026
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
katriendg
approved these changes
Feb 25, 2026
This was referenced Feb 24, 2026
WilliamBerryiii
pushed a commit
that referenced
this pull request
Feb 28, 2026
## Pre-Release 3.1.44 ### ✨ Features - add Docusaurus 3 documentation site with GitHub Pages deployment (#680) - add workflow permissions validation for OpenSSF Scorecard compliance (#759) - add DT coach return path handoff to task-researcher (#591) (#758) - add DT subagent handoff workflow instructions (#592) (#757) - create dt-method-06-deep.instructions.md (#602) (#748) - create dt-method-05-deep.instructions.md (#747) - add DT-aware task-implementor context instructions (#755) - extract embedded PowerShell from workflows into testable scripts (#738) - add gitleaks binary-based secret scanning as PR gate (#734) - add SBOM generation, attestation, and diff tooling to release pipeline (#730) - add dt-learning-tutor agent for DT education (#662) - add DT image prompt generation guidance for Method 5 (#726) - add DT-aware task-reviewer review context (#714) - add dt-method-next routing prompt (#713) - create dt-method-04-deep.instructions.md (#709) - add Implementation Space exit handoff prompt for DT workflows (#708) - add Write-CIStepSummary markdown table to Test-SHAStaleness github output (#660) - add dt-handoff-solution-space prompt for Solution Spac… (#707) ### 🐛 Bug Fixes - update sidebar link color to meet WCAG AA contrast requirements (#814) - harden even/odd versioning against regression and syntax errors (#816) - replace even/odd versioning with SemVer -rc.N suffixes (#811) - ensure prerelease label exists before PR creation (#806) - replace Docusaurus favicons with Microsoft logo (#808) - add missing subagents and shared instructions to collection manifests (#804) - standardize file path conventions for copilot-tracking output (#784) - enforce project-scoped artifact isolation across DT files (#766) - add top-level permissions to copilot-setup-steps.yml (#760) - update broken file directives and markdown links after collection directory reorg (#743) - add pre-release companion pipeline with even/odd versioning (#735) - exclude auto-generated CHANGELOG.md from spell check (#756) - add job-level permissions to extension-publish.yml (#729) - resolve handoff dependencies using display names (#727) - add job-level permissions to validate-version in extension-publish-prerelease (#731) - replace parent-directory VS Code settings paths with per-subdirectory enumeration (#732) ### 📚 Documentation - add Design Thinking documentation and DT-to-RPI handoff (#789) - add customization guides for HVE Core artifacts (#772) - reconcile documentation against implementation (#771) - document accepted Token-Permissions risks and add lint:dependency-pinning (#763) - add Design Thinking section to hve-core-all collection description (#762) ### ♻️ Refactoring - move collection scripts from plugins to collections (#728) - remove duplicate git diff logic in frontmatter validator (#473) ### 🔧 Maintenance - bump basic-ftp from 5.0.5 to 5.2.0 (#780) - standardize script path references in SKILL.md files (#768) - bump the github-actions group across 1 directory with 2 updates (#752) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
WilliamBerryiii
pushed a commit
that referenced
this pull request
Feb 28, 2026
## Pre-Release 3.1.46 ### ✨ Features - add Docusaurus 3 documentation site with GitHub Pages deployment (#680) - add workflow permissions validation for OpenSSF Scorecard compliance (#759) - add DT coach return path handoff to task-researcher (#591) (#758) - add DT subagent handoff workflow instructions (#592) (#757) - create dt-method-06-deep.instructions.md (#602) (#748) - create dt-method-05-deep.instructions.md (#747) - add DT-aware task-implementor context instructions (#755) - extract embedded PowerShell from workflows into testable scripts (#738) - add gitleaks binary-based secret scanning as PR gate (#734) - add SBOM generation, attestation, and diff tooling to release pipeline (#730) - add dt-learning-tutor agent for DT education (#662) - add DT image prompt generation guidance for Method 5 (#726) - add DT-aware task-reviewer review context (#714) - add dt-method-next routing prompt (#713) - create dt-method-04-deep.instructions.md (#709) - add Implementation Space exit handoff prompt for DT workflows (#708) - add Write-CIStepSummary markdown table to Test-SHAStaleness github output (#660) - add dt-handoff-solution-space prompt for Solution Spac… (#707) ### 🐛 Bug Fixes - update prerelease publish to use even/odd convention (#822) - update sidebar link color to meet WCAG AA contrast requirements (#814) - harden even/odd versioning against regression and syntax errors (#816) - replace even/odd versioning with SemVer -rc.N suffixes (#811) - ensure prerelease label exists before PR creation (#806) - replace Docusaurus favicons with Microsoft logo (#808) - add missing subagents and shared instructions to collection manifests (#804) - standardize file path conventions for copilot-tracking output (#784) - enforce project-scoped artifact isolation across DT files (#766) - add top-level permissions to copilot-setup-steps.yml (#760) - update broken file directives and markdown links after collection directory reorg (#743) - add pre-release companion pipeline with even/odd versioning (#735) - exclude auto-generated CHANGELOG.md from spell check (#756) - add job-level permissions to extension-publish.yml (#729) - resolve handoff dependencies using display names (#727) - add job-level permissions to validate-version in extension-publish-prerelease (#731) - replace parent-directory VS Code settings paths with per-subdirectory enumeration (#732) ### 📚 Documentation - add Design Thinking documentation and DT-to-RPI handoff (#789) - add customization guides for HVE Core artifacts (#772) - reconcile documentation against implementation (#771) - document accepted Token-Permissions risks and add lint:dependency-pinning (#763) - add Design Thinking section to hve-core-all collection description (#762) ### ♻️ Refactoring - move collection scripts from plugins to collections (#728) - remove duplicate git diff logic in frontmatter validator (#473) ### 🔧 Maintenance - pre-release 3.1.44 (#819) - bump basic-ftp from 5.0.5 to 5.2.0 (#780) - standardize script path references in SKILL.md files (#768) - bump the github-actions group across 1 directory with 2 updates (#752) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This was referenced Mar 1, 2026
This was referenced Mar 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Description
Addresses two related security documentation and tooling gaps:
Token-Permissions documentation — OpenSSF Scorecard flags
security-events: writeacross nine workflow files as overly broad. This permission is required forgithub/codeql-action/upload-sarifandgithub/codeql-action/analyzeto upload SARIF results to the Security tab. Rather than suppressing the alert, this PR documents the accepted risk directly in the threat model and annotates every elevated permission line with an inline comment explaining its purpose.Dependency-pinning lint script — Adds
lint:dependency-pinningas an npm script wrappingTest-DependencyPinning.ps1 -FailOnUnpinned, and integrates it into thelint:allchain so dependency pinning compliance is validated alongside all other lint checks.Changes
docs/security/threat-model.md— Expand E-1 (Workflow Token Abuse) with an "Accepted Risk: Token-Permissions Alerts" subsection documenting the rationale, affected workflows (9 jobs across 5 workflow files), and defense-in-depth controls. Update E-1 status to "Mitigated with Accepted Risk" and add inline comments to mitigations.security-events: writedeclarations with# Required for SARIF upload to Security tabinline comments for auditability.package.json— Addlint:dependency-pinningnpm script and append it to thelint:allchain.Related Issue(s)
Closes #460
Closes #529
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md).github/skills/*/SKILL.md)Other:
.ps1,.sh,.py)Testing
npm run format:tables— passednpm run lint:md— passednpm run lint:yaml— passednpm run lint:permissions— passednpm run lint:dependency-pinning— passed (100% compliance, 0 violations)npm run lint:all— full chain passed (all lint commands + validate:skills)Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contribution (N/A — no AI artifacts changed)prompt-builderreview (N/A)Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:ps🔒 - Generated by Copilot