fix: address code scanning alerts (#305)

## Summary

- Replace exporter HTML text extraction/entity decoding paths that
triggered CodeQL with shared scanner helpers, preserving literal
comparison text like `2 < 3` while still stripping real tags.
- Add regression tests for Markdown and editable PPTX export text
extraction.
- Pin GitHub Actions to commit SHAs and restrict default workflow token
permissions.
- Harden `pull_request_target` PR review automation so fork PRs require
the `safe-to-review` label before the write-token bot runs.
- Remove unnecessary release friction: Snap remains best-effort and no
longer gates provenance/publish.
- Clarify AGENTS/CLAUDE license policy so shipped/runtime dependencies
stay permissive while workflow-only tools can use copyleft licenses when
not bundled or distributed.
- Restore winget release automation and explicitly allow its
workflow-only action in Dependency Review.

## Why

GitHub code scanning currently reports CodeQL high alerts in exporter
text cleanup and Scorecard alerts around workflow token permissions,
unpinned actions, and `pull_request_target` risk. The exporter issue
came from regex-based tag/entity handling; the workflow issues came from
broad defaults and floating action tags.

The previous blanket AGPL/GPL rule was too broad for CI-only tooling.
This PR keeps the product/distribution boundary strict while allowing
isolated release automation that does not ship in the app.

## Validation

- `pnpm --filter @open-codesign/exporters exec vitest run
src/pptx.test.ts src/markdown.test.ts`
- `pnpm typecheck`
- `pnpm test`
- `pnpm lint`
- `git diff --check`
- Workflow YAML parsed successfully with Ruby YAML loader
- Verified no remaining `uses: ...@(vN|main|master)` references in
`.github/workflows`

## Notes

- Local `codeql` and `actionlint` CLIs are not installed here, so final
CodeQL/Scorecard closure needs GitHub Actions to rescan this PR.
- Created the `safe-to-review` label in the repository for maintainers
to opt external fork PRs into bot review.

Author: hqhq1025

.github/prompts/codex-pr-review.md

@@ -25,7 +25,7 @@ Open CoDesign is an open-source AI design tool — Electron desktop app that tur
 
 **Project constraints:**
 - ≤ 30 prod dependencies
-- MIT-compatible permissive licenses only (reject GPL/AGPL/SSPL/proprietary/unclear copied assets)
+- Shipped app/runtime dependencies and copied/bundled assets must be MIT-compatible permissive. Workflow-only CI/release actions may use copyleft licenses when they are not vendored or distributed and their outputs are ordinary metadata/manifests.
 - All LLM calls via `@mariozechner/pi-ai` (no direct provider SDK imports in app code)
 - No silent fallbacks for user-visible failure, data loss, auth/security decisions,
   or persisted state. Best-effort cleanup, optional discovery, and non-critical

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main, dev/v0.2]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -17,13 +20,13 @@ jobs:
     name: Lint, typecheck, test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm

.github/workflows/codeql.yml

@@ -12,6 +12,9 @@ on:
   schedule:
     - cron: '23 4 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -26,10 +29,10 @@ jobs:
       matrix:
         language: [javascript-typescript]
     steps:
-      - uses: actions/checkout@v4
-      - uses: github/codeql-action/init@v3
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/codex-pr-review.yml

@@ -8,13 +8,22 @@ concurrency:
   group: codex-pr-review-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   pr-review:
+    # Fork PRs can carry adversarial content. Run the write-token bot only
+    # after a maintainer explicitly adds safe-to-review.
     if: |
       github.event.pull_request.draft == false &&
       !endsWith(github.actor, '[bot]') &&
       !contains(github.event.pull_request.labels.*.name, 'bot-skip') &&
-      vars.CODEX_BOT_ENABLED == 'true'
+      vars.CODEX_BOT_ENABLED == 'true' &&
+      (
+        github.event.pull_request.head.repo.full_name == github.repository ||
+        contains(github.event.pull_request.labels.*.name, 'safe-to-review')
+      )
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -25,7 +34,7 @@ jobs:
     steps:
       - name: Check bot review state
         id: check_bot
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const marker = "*Open-CoDesign Bot*";
@@ -67,9 +76,9 @@ jobs:
 
       - name: Checkout repository
         if: steps.check_bot.outputs.has_review_for_current_head != 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
-          ref: ${{ github.event.pull_request.base.ref }}
+          ref: ${{ github.event.pull_request.base.sha }}
           fetch-depth: 0
 
       - name: Pre-fetch base and head refs
@@ -85,7 +94,7 @@ jobs:
           # This workflow runs under pull_request_target so it can post reviews.
           # The checked-out merge ref is untrusted contributor content; never
           # let a PR modify the prompt that receives write-token access.
-          git show "origin/${{ github.event.pull_request.base.ref }}:.github/prompts/codex-pr-review.md" \
+          git show "${{ github.event.pull_request.base.sha }}:.github/prompts/codex-pr-review.md" \
             > .github/prompts/codex-pr-review.md
 
       - name: Resolve review provider config
@@ -155,7 +164,7 @@ jobs:
       - name: Run Codex for PR Review
         id: run_codex
         if: steps.check_bot.outputs.has_review_for_current_head != 'true' && steps.review_config.outputs.is_deepseek != 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1 # v1
         env:
           GH_TOKEN: ${{ github.token }}
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/dependency-review.yml

@@ -15,8 +15,12 @@ jobs:
     if: github.event.repository.visibility == 'public'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/dependency-review-action@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
         with:
           fail-on-severity: moderate
           deny-licenses: GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later, SSPL-1.0
+          # Workflow-only release tooling is not bundled, linked, vendored, or
+          # distributed with the app. Keep shipped/runtime deps under the deny
+          # list above, but allow this action so winget automation can run.
+          allow-dependencies-licenses: pkg:githubactions/vedantmgoyal9/winget-releaser

.github/workflows/deploy-website.yml

@@ -8,8 +8,6 @@ on:
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: pages
@@ -19,15 +17,15 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
         with:
           version: 9.15.0
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
           cache: pnpm
@@ -38,9 +36,9 @@ jobs:
       - name: Build website
         run: pnpm --filter open-codesign-website build
 
-      - uses: actions/configure-pages@v4
+      - uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4
 
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: website/.vitepress/dist
 
@@ -54,33 +52,7 @@ jobs:
       contents: read
       pages: write
       id-token: write
-      actions: write
     steps:
-      # Work around actions/upload-pages-artifact@v3 bug where transient
-      # network hiccups during upload can produce >1 artifact named
-      # "github-pages" in a single run, which then makes deploy-pages@v4
-      # fail with "Multiple artifacts named 'github-pages'". Delete all
-      # but the most recent before deploying.
-      - name: Prune duplicate github-pages artifacts
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          RUN_ID: ${{ github.run_id }}
-          REPO: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-          artifacts=$(gh api "/repos/$REPO/actions/runs/$RUN_ID/artifacts" \
-            --jq '[.artifacts[] | select(.name == "github-pages")] | sort_by(.created_at) | reverse')
-          count=$(echo "$artifacts" | jq 'length')
-          echo "Found $count github-pages artifact(s) in this run."
-          if [ "$count" -le 1 ]; then
-            exit 0
-          fi
-          # Keep index 0 (newest); delete the rest.
-          echo "$artifacts" | jq -r '.[1:] | .[].id' | while read -r id; do
-            echo "Deleting duplicate artifact $id"
-            gh api -X DELETE "/repos/$REPO/actions/artifacts/$id"
-          done
-
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/issue-auto-response.yml

@@ -8,6 +8,9 @@ concurrency:
   group: issue-auto-response-${{ github.event.issue.number }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   auto-response:
     if: |
@@ -23,7 +26,7 @@ jobs:
     steps:
       - name: Check for existing bot response
         id: check_bot
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const marker = "*Open-CoDesign Bot*";
@@ -50,7 +53,7 @@ jobs:
 
       - name: Checkout repository
         if: steps.check_bot.outputs.has_bot != 'true'
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
@@ -105,7 +108,7 @@ jobs:
 
       - name: Run Codex for Issue Auto Response
         if: steps.check_bot.outputs.has_bot != 'true' && steps.issue_config.outputs.is_deepseek != 'true'
-        uses: openai/codex-action@v1
+        uses: openai/codex-action@e0fdf01220eb9a88167c4898839d273e3f2609d1 # v1
         env:
           GH_TOKEN: ${{ github.token }}
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/labeler.yml

@@ -15,7 +15,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           sync-labels: true

.github/workflows/packaging-smoke.yml

@@ -34,6 +34,9 @@ on:
       - '.github/workflows/release.yml'
       - '.github/workflows/release-macos-x64-native-check.yml'
 
+permissions:
+  contents: read
+
 # Per-SHA group, no cancellation. Each commit gets an independent smoke
 # that always runs to completion (or fails loudly). Skipping the
 # cancel-in-progress saves us from the ci.yml bug where an unrelated
@@ -52,13 +55,13 @@ jobs:
     # and got killed with no useful diagnostic.
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm

.github/workflows/release-macos-x64-native-check.yml

@@ -28,7 +28,7 @@ jobs:
     env:
       CHECK_REF: ${{ github.event_name == 'push' && github.ref || inputs.ref }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           ref: ${{ env.CHECK_REF }}
           fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
         uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version-file: .nvmrc
           cache: pnpm
@@ -82,7 +82,7 @@ jobs:
           exit 1
 
       - name: Upload native x64 artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: native-check-macos-x64
           path: apps/desktop/release/*.dmg