Skip to content

fix(workflows): add job-level permissions to extension-publish.yml#729

Merged
WilliamBerryiii merged 3 commits intomainfrom
fix/527-add-job-permissions
Feb 23, 2026
Merged

fix(workflows): add job-level permissions to extension-publish.yml#729
WilliamBerryiii merged 3 commits intomainfrom
fix/527-add-job-permissions

Conversation

@WilliamBerryiii
Copy link
Member

@WilliamBerryiii WilliamBerryiii commented Feb 22, 2026

Description

Add explicit job-level permissions: contents: read declarations to the prepare-changelog and normalize-version jobs in extension-publish.yml.

The package and publish jobs already declared job-level permissions, but prepare-changelog and normalize-version relied on the workflow-level default. OpenSSF Scorecard Token-Permissions checks flag jobs without explicit job-level permissions even when a workflow-level declaration exists. This change ensures all four jobs in the workflow have consistent, explicit least-privilege permissions.

Changes

  • prepare-changelog — added permissions: contents: read (job checks out code and uploads artifacts)
  • normalize-version — added permissions: contents: read (job uses github.token for gh release view)

Related Issue(s)

Fixes #527

Type of Change

Select all that apply:

Code & Documentation:

  • Bug fix (non-breaking change fixing an issue)
  • New feature (non-breaking change adding functionality)
  • Breaking change (fix or feature causing existing functionality to change)
  • Documentation update

Infrastructure & Configuration:

  • GitHub Actions workflow
  • Linting configuration (markdown, PowerShell, etc.)
  • Security configuration
  • DevContainer configuration
  • Dependency update

AI Artifacts:

  • Reviewed contribution with prompt-builder agent and addressed all feedback
  • Copilot instructions (.github/instructions/*.instructions.md)
  • Copilot prompt (.github/prompts/*.prompt.md)
  • Copilot agent (.github/agents/*.agent.md)
  • Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

  • Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
  • Skills: Must include both bash and PowerShell scripts. See Skills.
  • Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
  • See Agents Not Accepted and Model Version Requirements.

Other:

  • Script/automation (.ps1, .sh, .py)
  • Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

Execution Flow:

Output Artifacts:

Success Indicators:

For detailed contribution requirements, see:

Testing

  • actionlint (npm run lint:yaml): Passed — 0 errors, 0 warnings
  • Diff analysis: Verified both prepare-changelog and normalize-version jobs now have explicit permissions: contents: read, matching the existing pattern in package and publish jobs
  • Manual testing: Not performed — change is declarative workflow metadata only

Checklist

Required Checks

  • Documentation is updated (N/A — no documentation changes needed)
  • Files follow existing naming conventions
  • Changes are backwards compatible (purely additive, no removals)
  • Tests added for new functionality (N/A — declarative workflow metadata, no testable logic)

AI Artifact Contributions

  • Used /prompt-analyze to review contribution
  • Addressed all feedback from prompt-builder review
  • Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

  • Markdown linting: npm run lint:md
  • Spell checking: npm run spell-check
  • Frontmatter validation: npm run lint:frontmatter
  • Skill structure validation: npm run validate:skills
  • Link validation: npm run lint:md-links
  • PowerShell analysis: npm run lint:ps
  • Plugin freshness: npm run plugin:generate

Security Considerations

  • This PR does not contain any sensitive or NDA information
  • Any new dependencies have been reviewed for security issues (N/A — no dependency changes)
  • Security-related scripts follow the principle of least privilege (N/A — no security scripts modified)

Additional Notes

This change addresses OpenSSF Scorecard Token-Permissions compliance. The workflow-level permissions: contents: read was already present, but Scorecard recommends explicit job-level declarations for defense-in-depth.
@WilliamBerryiii
fix(workflows): add job-level permissions to extension-publish.yml
8f91a95 
- add contents: read to prepare-changelog job
- add contents: read to normalize-version job

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner February 22, 2026 01:14
@github-actions
Copy link
Contributor

github-actions bot commented Feb 22, 2026
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None
@WilliamBerryiii WilliamBerryiii merged commit 8cb62a7 into main Feb 23, 2026
19 checks passed
This was referenced Feb 23, 2026
Closed
Closed
Closed
Closed
Open
Merged
WilliamBerryiii pushed a commit that referenced this pull request Feb 28, 2026
@hve-core-release-please @github-actions
chore(main): pre-release 3.1.44 (#819)
8e5028a 
## Pre-Release 3.1.44

### ✨ Features

- add Docusaurus 3 documentation site with GitHub Pages deployment
(#680)
- add workflow permissions validation for OpenSSF Scorecard compliance
(#759)
- add DT coach return path handoff to task-researcher (#591) (#758)
- add DT subagent handoff workflow instructions (#592) (#757)
- create dt-method-06-deep.instructions.md (#602) (#748)
- create dt-method-05-deep.instructions.md (#747)
- add DT-aware task-implementor context instructions (#755)
- extract embedded PowerShell from workflows into testable scripts
(#738)
- add gitleaks binary-based secret scanning as PR gate (#734)
- add SBOM generation, attestation, and diff tooling to release pipeline
(#730)
- add dt-learning-tutor agent for DT education (#662)
- add DT image prompt generation guidance for Method 5 (#726)
- add DT-aware task-reviewer review context (#714)
- add dt-method-next routing prompt (#713)
- create dt-method-04-deep.instructions.md (#709)
- add Implementation Space exit handoff prompt for DT workflows (#708)
- add Write-CIStepSummary markdown table to Test-SHAStaleness github
output (#660)
- add dt-handoff-solution-space prompt for Solution Spac… (#707)

### 🐛 Bug Fixes

- update sidebar link color to meet WCAG AA contrast requirements (#814)
- harden even/odd versioning against regression and syntax errors (#816)
- replace even/odd versioning with SemVer -rc.N suffixes (#811)
- ensure prerelease label exists before PR creation (#806)
- replace Docusaurus favicons with Microsoft logo (#808)
- add missing subagents and shared instructions to collection manifests
(#804)
- standardize file path conventions for copilot-tracking output (#784)
- enforce project-scoped artifact isolation across DT files (#766)
- add top-level permissions to copilot-setup-steps.yml (#760)
- update broken file directives and markdown links after collection
directory reorg (#743)
- add pre-release companion pipeline with even/odd versioning (#735)
- exclude auto-generated CHANGELOG.md from spell check (#756)
- add job-level permissions to extension-publish.yml (#729)
- resolve handoff dependencies using display names (#727)
- add job-level permissions to validate-version in
extension-publish-prerelease (#731)
- replace parent-directory VS Code settings paths with per-subdirectory
enumeration (#732)

### 📚 Documentation

- add Design Thinking documentation and DT-to-RPI handoff (#789)
- add customization guides for HVE Core artifacts (#772)
- reconcile documentation against implementation (#771)
- document accepted Token-Permissions risks and add
lint:dependency-pinning (#763)
- add Design Thinking section to hve-core-all collection description
(#762)

### ♻️ Refactoring

- move collection scripts from plugins to collections (#728)
- remove duplicate git diff logic in frontmatter validator (#473)

### 🔧 Maintenance

- bump basic-ftp from 5.0.5 to 5.2.0 (#780)
- standardize script path references in SKILL.md files (#768)
- bump the github-actions group across 1 directory with 2 updates (#752)

---
*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@hve-core-release-please hve-core-release-please bot mentioned this pull request Feb 28, 2026
Merged
WilliamBerryiii pushed a commit that referenced this pull request Feb 28, 2026
@hve-core-release-please @github-actions
chore(main): pre-release 3.1.46 (#823)
eb45d69 
## Pre-Release 3.1.46

### ✨ Features

- add Docusaurus 3 documentation site with GitHub Pages deployment
(#680)
- add workflow permissions validation for OpenSSF Scorecard compliance
(#759)
- add DT coach return path handoff to task-researcher (#591) (#758)
- add DT subagent handoff workflow instructions (#592) (#757)
- create dt-method-06-deep.instructions.md (#602) (#748)
- create dt-method-05-deep.instructions.md (#747)
- add DT-aware task-implementor context instructions (#755)
- extract embedded PowerShell from workflows into testable scripts
(#738)
- add gitleaks binary-based secret scanning as PR gate (#734)
- add SBOM generation, attestation, and diff tooling to release pipeline
(#730)
- add dt-learning-tutor agent for DT education (#662)
- add DT image prompt generation guidance for Method 5 (#726)
- add DT-aware task-reviewer review context (#714)
- add dt-method-next routing prompt (#713)
- create dt-method-04-deep.instructions.md (#709)
- add Implementation Space exit handoff prompt for DT workflows (#708)
- add Write-CIStepSummary markdown table to Test-SHAStaleness github
output (#660)
- add dt-handoff-solution-space prompt for Solution Spac… (#707)

### 🐛 Bug Fixes

- update prerelease publish to use even/odd convention (#822)
- update sidebar link color to meet WCAG AA contrast requirements (#814)
- harden even/odd versioning against regression and syntax errors (#816)
- replace even/odd versioning with SemVer -rc.N suffixes (#811)
- ensure prerelease label exists before PR creation (#806)
- replace Docusaurus favicons with Microsoft logo (#808)
- add missing subagents and shared instructions to collection manifests
(#804)
- standardize file path conventions for copilot-tracking output (#784)
- enforce project-scoped artifact isolation across DT files (#766)
- add top-level permissions to copilot-setup-steps.yml (#760)
- update broken file directives and markdown links after collection
directory reorg (#743)
- add pre-release companion pipeline with even/odd versioning (#735)
- exclude auto-generated CHANGELOG.md from spell check (#756)
- add job-level permissions to extension-publish.yml (#729)
- resolve handoff dependencies using display names (#727)
- add job-level permissions to validate-version in
extension-publish-prerelease (#731)
- replace parent-directory VS Code settings paths with per-subdirectory
enumeration (#732)

### 📚 Documentation

- add Design Thinking documentation and DT-to-RPI handoff (#789)
- add customization guides for HVE Core artifacts (#772)
- reconcile documentation against implementation (#771)
- document accepted Token-Permissions risks and add
lint:dependency-pinning (#763)
- add Design Thinking section to hve-core-all collection description
(#762)

### ♻️ Refactoring

- move collection scripts from plugins to collections (#728)
- remove duplicate git diff logic in frontmatter validator (#473)

### 🔧 Maintenance

- pre-release 3.1.44 (#819)
- bump basic-ftp from 5.0.5 to 5.2.0 (#780)
- standardize script path references in SKILL.md files (#768)
- bump the github-actions group across 1 directory with 2 updates (#752)

---
*Managed automatically by pre-release workflow.*

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@WilliamBerryiii @agreaves-ms