chore!(collections): rename security-planning collection to security #980
Merged
bindsi merged 3 commits into microsoft:main from Mar 12, 2026
- Rename collection ID from security-planning to security
- Broaden scope from planning-only to full security domain
- Set collection maturity to experimental
- Move .github/agents/security-planning/ to .github/agents/security/
- Move .github/prompts/security-planning/ to .github/prompts/security/
- Update hve-core-all.collection.yml, .vscode/settings.json, installer skill, prompts README, and 14 documentation files
- Regenerate plugins/security/ via plugin:generate

BREAKING CHANGE: collection ID changed from security-planning to security

Closes microsoft#792

🤖 Generated by Copilot
bindsi (Member) requested changes on Mar 12, 2026:
@obrocki thanks for your hve-core contribution.
Can you fix the ms.date check https://github.com/microsoft/hve-core/actions/runs/23001292719/job/66786203340?pr=980 by updating the file mentioned in the workflow run?
Then I can approve it
Thanks
bindsi (Member) approved these changes on Mar 12, 2026:
Looking great, thanks Dawid for your contributions. Highly appreciated
WilliamBerryiii pushed a commit that referenced this pull request Mar 12, 2026
…980)

Rename the `security-planning` collection to `security` to broaden scope from planning-only to the full security domain (review, planning, incident response, risk assessment, vulnerability analysis).

**Changes:**

- Rename collection ID from `security-planning` to `security`
- Broaden scope from planning-only to full security domain
- Set collection maturity to `experimental`
- Move `.github/agents/security-planning/` to `.github/agents/security/`
- Move `.github/prompts/security-planning/` to `.github/prompts/security/`
- Update `hve-core-all.collection.yml`, `.vscode/settings.json`, installer skill, prompts README, and 14 documentation files
- Regenerate `plugins/security/` via `plugin:generate`

**BREAKING CHANGE:** collection ID changed from `security-planning` to `security`

## Related Issue(s)

Closes #792

## Type of Change

Select all that apply:

**Code & Documentation:**

* [ ] Bug fix (non-breaking change fixing an issue)
* [ ] New feature (non-breaking change adding functionality)
* [x] Breaking change (fix or feature causing existing functionality to change)
* [x] Documentation update

**Infrastructure & Configuration:**

* [ ] GitHub Actions workflow
* [ ] Linting configuration (markdown, PowerShell, etc.)
* [ ] Security configuration
* [ ] DevContainer configuration
* [ ] Dependency update

**AI Artifacts:**

* [ ] Reviewed contribution with `prompt-builder` agent and addressed all feedback
* [ ] Copilot instructions (`.github/instructions/*.instructions.md`)
* [ ] Copilot prompt (`.github/prompts/*.prompt.md`)
* [ ] Copilot agent (`.github/agents/*.agent.md`)
* [ ] Copilot skill (`.github/skills/*/SKILL.md`)

**Other:**

* [ ] Script/automation (`.ps1`, `.sh`, `.py`)
* [ ] Other (please describe):

## Testing

- `npm run plugin:generate` — produces `plugins/security/` with 4 items
- `npm run plugin:validate` — 11 collections validated, 0 errors
- `npm run lint:all` — passes (only pre-existing `VersionMismatch` in `codeql-analysis.yml`, confirmed on baseline `main`)
- `grep -rl "security-planning"` across source directories — zero matches

## Checklist

### Required Checks

* [x] Documentation is updated (if applicable)
* [x] Files follow existing naming conventions
* [ ] Changes are backwards compatible (if applicable) — **intentional breaking change per #792**
* [ ] Tests added for new functionality (if applicable) — rename only, no new functionality

### Required Automated Checks

The following validation commands must pass before merging:

* [x] Markdown linting: `npm run lint:md`
* [x] Spell checking: `npm run spell-check`
* [x] Frontmatter validation: `npm run lint:frontmatter`
* [x] Skill structure validation: `npm run validate:skills`
* [ ] Link validation: `npm run lint:md-links`
* [x] PowerShell analysis: `npm run lint:ps`
* [x] Plugin freshness: `npm run plugin:generate`

## Security Considerations

* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues
* [x] Security-related scripts follow the principle of least privilege

## Additional Notes

- `extension/package.security-planning.json` and `extension/README.security-planning.md` referenced in the issue do not exist in the repo — those acceptance criteria are N/A.
- This is a pre-condition for #793, #794, #795, #796, #797, #798, #799 (MVP security reviewer work).
- The `lint:version-consistency` failure in `lint:all` is a pre-existing issue on `main` (confirmed by running against baseline) and is unrelated to this change.

🤖 Generated by Copilot
This was referenced Mar 20, 2026
WilliamBerryiii added a commit that referenced this pull request Mar 21, 2026
…nd consolidate security collection (#1159)

## Description

This PR addresses five issues discovered after the stable 3.2.0 release: pre-release pipeline failures, SBOM attestation errors, missing pre-release SBOM generation, an incorrectly re-created `security-planning` collection, and dependency review license false positives.

### Pre-release pipeline zero-diff force-push (#1160)

Both `release-prerelease-pr.yml` and `release-stable.yml` used the GitHub API to force-push `prerelease/next` to the same SHA as `main`. GitHub detected 0-diff and auto-closed the open PR. The `reset-prerelease` job also ran git/gh commands without checkout.

**Fix**: Replaced API-based force-push with atomic `git checkout -B` + `git push --force` to create a version-bump commit. Added `actions/checkout` with `fetch-depth: 0` to the `reset-prerelease` job. Added `-R` flag to `gh` CLI commands. Split the combined update step into separate reset and create-or-update PR steps.

### Stable release SBOM attestation failure (#1161)

The dependency SBOM was downloaded to `./dist` alongside VSIX files, but attestation expected it at `./sbom/dependency-sbom.spdx.json`.

**Fix**: Isolated dependency SBOM download to `./sbom` directory. Corrected `sbom-path` references. Added file-existence verification guards before all attestation steps.

### Pre-release pipeline missing SBOM (#1162)

The pre-release pipeline had no dependency SBOM generation or attestation, unlike the stable pipeline.

**Fix**: Added `generate-dependency-sbom` job using `anchore/sbom-action` with sparse checkout. Added per-VSIX SBOM generation, VSIX filename resolution, and SBOM attestation steps. Added `artifact-metadata: write` permission and expanded release asset uploads.

### security-planning collection consolidation (#1163)

PR #980 renamed `security-planning` to `security`. PR #979 then incorrectly re-created `security-planning` as a separate collection for SSSC artifacts.

**Fix**: Moved all files from `security-planning/` and `sssc-planning/` directories into `security/`. Updated all path references across collection YAMLs, agent files, marketplace.json, and documentation. Deleted `security-planning` collection manifests and plugin outputs. Regenerated all plugins.

### Dependency review license false positives (#1164)

The `dependency-review.yml` workflow failed on PRs adding Python skill dependencies because `lxml` (BSD-3-Clause) and `typing-extensions` (PSF-2.0) were mis-labeled as GPL by the scanner due to compound SPDX expressions in their source distributions.

**Fix**: Added per-package license exemptions via `allow-dependencies-licenses` for `pkg:pypi/lxml` and `pkg:pypi/typing-extensions`. Added missing license identifiers (`MIT-0`, `MIT-CMU`, `HPND`, `LicenseRef-scancode-secret-labs-2011`) to the global allow-list. Deduplicated `PRE_VERSION` calculation in `release-stable.yml` and added least-privilege comments to SBOM job permissions.

## Related Issue(s)

Fixes #1160
Fixes #1161
Fixes #1162
Fixes #1163
Fixes #1164

## Type of Change

Select all that apply:

**Code & Documentation:**

* [x] Bug fix (non-breaking change fixing an issue)
* [ ] New feature (non-breaking change adding functionality)
* [x] Breaking change (fix or feature causing existing functionality to change)
* [x] Documentation update

**Infrastructure & Configuration:**

* [x] GitHub Actions workflow
* [ ] Linting configuration (markdown, PowerShell, etc.)
* [x] Security configuration
* [ ] DevContainer configuration
* [ ] Dependency update

**Other:**

* [ ] Script/automation (`.ps1`, `.sh`, `.py`)
* [ ] Other (please describe):

## Testing

- YAML lint passed (43/43 workflow files)
- Plugin generation: 12 collections, 0 errors
- Plugin validation: 12 collections validated, 0 errors
- Manual review of all workflow files for consistent atomic branch reset pattern
- Verified all added action references use pinned 40-character commit SHAs with version comments
- Grep validation: zero stale `security-planning/` or `sssc-planning/` references remain in live files

## Checklist

### Required Checks

* [x] Documentation is updated (if applicable)
* [x] Files follow existing naming conventions
* [x] Changes are backwards compatible (if applicable)
* [ ] Tests added for new functionality (if applicable)

### Required Automated Checks

The following validation commands must pass before merging:

* [x] Markdown linting: `npm run lint:md`
* [x] Spell checking: `npm run spell-check`
* [x] Frontmatter validation: `npm run lint:frontmatter`
* [x] Skill structure validation: `npm run validate:skills`
* [ ] Link validation: `npm run lint:md-links`
* [x] PowerShell analysis: `npm run lint:ps`
* [x] Plugin freshness: `npm run plugin:generate`

## Security Considerations

* [x] This PR does not contain any sensitive or NDA information
* [x] Any new dependencies have been reviewed for security issues
* [x] Security-related scripts follow the principle of least privilege

All new action references use fully pinned SHA references. Defensive `test -f` guards gate SBOM attestation steps. Sparse checkout limits clone surface. SBOM attestation uses `actions/attest` for supply chain integrity. The `security-planning` marketplace extension entry has been removed. Dependency review license exemptions use per-package `allow-dependencies-licenses` rather than adding GPL to the global allow-list.

## Additional Notes

**Breaking change**: The `security-planning` collection and its marketplace extension no longer exist. All artifacts are now in the `security` collection. Consumers of the `security-planning` extension should switch to the `security` extension.
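The commit message above states that its added action references were verified to use pinned 40-character commit SHAs with version comments. A small checker for that property, as an added example (not code from hve-core or from either commit); the function name `audit_action_pins`, the sample workflow and its SHAs are constructed for illustration:

```python
import re

# Constructed sample workflow (not taken from the hve-core repository).
# The SHAs are made-up placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: anchore/sbom-action@v0
      - uses: actions/attest@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      # - uses: actions/cache@v4
      - name: Upload
        uses: actions/upload-artifact@main # v4
"""

# A `uses:` key, optionally as a list item, with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_action_pins(workflow_text):
    """Return (line_no, reference, problem) for each weakly pinned `uses:` line."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue  # not a `uses:` key; commented-out lines start with '#'
        ref, comment = match.group(1), (match.group(2) or "").strip()
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        _, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            # Tags and branches are mutable: the code behind them can change.
            findings.append((line_no, ref, "not pinned to a 40-character commit SHA"))
        elif not comment:
            findings.append((line_no, ref, "pinned, but no version comment"))
    return findings


if __name__ == "__main__":
    for line_no, ref, problem in audit_action_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
```

A check like this confirms only the form of the reference; whether a SHA actually belongs to the upstream repository and matches the version named in the comment has to be verified separately.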