Security hardening Phase 3: env gate, scorecard, seed templates #11

Merged
jeremy merged 4 commits into main from harden on Mar 8, 2026

Conversation


@jeremy jeremy commented Mar 7, 2026

Summary

  • Add environment: release gate to the publish job in the cli release workflow
  • Add concurrency guard to both cli and seed release workflows to prevent parallel releases
  • Add OpenSSF Scorecard workflow for both cli and seed template
  • Pin GoReleaser version in seed template (v2.14.1)
  • Add attestations: write permission and build provenance attestation step to seed release
  • Seed ai-labeler already has all ${{ }} expressions in env: blocks (no changes needed)

Test plan

  • Verify release.yml has environment: release on publish job
  • Verify concurrency blocks on both release workflows
  • Verify scorecard workflows are valid YAML
  • Verify seed release has pinned GoReleaser, attestation step, and attestations permission

Copilot AI review requested due to automatic review settings March 7, 2026 23:36

Copilot AI left a comment

Pull request overview

Security-hardening updates to the CLI and seed template GitHub Actions release pipelines by adding release gating, preventing overlapping release runs, and introducing OpenSSF Scorecard scanning.

Changes:

  • Add environment: release gate and workflow-level concurrency to the CLI release workflow.
  • Add workflow-level concurrency, pin GoReleaser version, and add build provenance attestation to the seed release workflow.
  • Add OpenSSF Scorecard workflows for both CLI and seed template.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • seed/.github/workflows/scorecard.yml: adds an OpenSSF Scorecard workflow emitting SARIF to GitHub security tooling.
  • seed/.github/workflows/release.yml: adds release concurrency, pins GoReleaser, and introduces provenance attestation + permissions.
  • .github/workflows/scorecard.yml: adds an OpenSSF Scorecard workflow for the main repo.
  • .github/workflows/release.yml: adds release concurrency and an environment: release gate on the publish job.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e894c18829

jeremy added 2 commits March 7, 2026 15:58

Updates ai-labeler to use the fixed shared workflows that parse JSON responses correctly and include pull-requests:read for private repos.

Job-level permissions override workflow-level permissions. The attestation step runs in the release job, which only had contents, id-token, and models, so the workflow-level attestations: write was ineffective.
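The permission-scoping point in the commit message above, shown as an added illustration that is not the PR's own workflow file: a job that declares its own permissions: block replaces the workflow-level block entirely rather than merging with it, so attestations: write must be granted on the job that runs the attestation step. Job names, tag trigger and action versions are assumptions.

```yaml
# Added example, not the repository's release.yml. Job names and action
# versions are assumptions; in a real workflow pin actions to commit SHAs.
name: release

on:
  push:
    tags: ["v*"]

# Workflow-level defaults apply ONLY to jobs with no permissions: block of
# their own. A job that sets any permission gets exactly what it lists.
permissions:
  contents: read
  attestations: write   # silently ignored by every job below

# Serialise releases: a second tag push queues instead of racing the first.
concurrency:
  group: release
  cancel-in-progress: false

jobs:
  # BEFORE: this job's block overrides the workflow-level one, so it has
  # contents, id-token and models only; the attestation step is denied.
  release-before:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
      models: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*

  # AFTER: every permission the step needs is declared on the job itself,
  # and the job is gated behind a protected environment.
  release:
    runs-on: ubuntu-latest
    environment: release        # required reviewers / env-scoped secrets
    permissions:
      contents: write
      id-token: write           # OIDC token used for Sigstore signing
      attestations: write       # lets the action store the attestation
      models: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*
```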
Copilot AI review requested due to automatic review settings March 8, 2026 00:22
@jeremy jeremy requested a review from a team as a code owner March 8, 2026 00:22

Copilot AI left a comment

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.


Pin codeql-action/upload-sarif to the same SHA used in security.yml and add continue-on-error for graceful degradation when Advanced Security isn't available.
@jeremy jeremy merged commit 828cca2 into main Mar 8, 2026
20 checks passed
@jeremy jeremy deleted the harden branch March 8, 2026 01:31