You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Legitify (both v1.0.11 and post-v1.0.11 main at 038aa49) explicitly
rejects fine-grained PATs:
GitHub fine-grained tokens are not supported at this moment,
please use classic PAT
Switching to a classic PAT would broaden the token's blast radius
beyond this repository's minimum-privilege principle. Legitify
upstream issue #194 was closed without implementing the proposed
fix; the rejection remains in main.
Reverted artifacts:
- .github/workflows/security.yml: legitify-analyze job
- README.md (root): Legitify badge
- extensions/git-id-switcher/README.md + 26 localized READMEs: badge
- SECURITY.md: SCM Posture Audit entry, SCM_TOKEN in Repository
Secrets / Provider Links / Token Details
- GOVERNANCE.md: SCM Posture Audit sekimori-ishi row
Bump to 0.19.4. Owner should revoke the legitify-scm-token PAT and
delete the SCM_TOKEN secret from repository settings after merge.
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Model-Raw: claude-opus-4-6
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: SECURITY.md
-4Lines changed: 0 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -68,7 +68,6 @@ This repository contains VS Code extensions with the following security measures
68
68
-**SAST (Snyk Code)**: [Snyk](https://snyk.io/) runs static analysis; test fixtures are excluded via `.snyk` policy
69
69
-**License & Vulnerability Scanning**: [FOSSA](https://app.fossa.com/) runs license compliance, dependency quality, and security analysis on every commit (GitHub App integration)
70
70
-**Runtime Security Monitoring**: [StepSecurity Harden-Runner](https://github.com/step-security/harden-runner) monitors all workflow runs for suspicious network egress, file access, and process execution
71
-
-**SCM Posture Audit**: [Legitify](https://github.com/Legit-Labs/legitify) audits GitHub repository configuration weekly against built-in OPA/Rego policies. Findings are published to the GitHub Security tab via SARIF upload. Scope is limited to this repository (`analyze_self_only: true`)
72
71
-**Branch Protection**: Main branch requires PR approval (1 reviewer minimum). All PRs are automatically approved by nullvariant-justice[bot] after CI passes (solo-developer workflow for [OpenSSF Scorecard](https://securityscorecards.dev/) compliance). Dependency bot PRs receive additional safety review before approval. Enforced by [Allstar](https://github.com/ossf/allstar/)
73
72
74
73
## Security Testing
@@ -101,7 +100,6 @@ This section documents all secrets used in CI/CD workflows.
| SLACK_WEBHOOK | Slack |[Slack Apps](https://api.slack.com/apps)| No expiration |
153
150
154
151
**Token Details**:
155
152
156
153
-**CLOUDFLARE_API_TOKEN**: Named `nullvariant-vscode-extensions-github-actions-deploy`, permissions: Workers R2 Storage:Edit
157
154
-**RELEASE_PAT**: Named `RELEASE_PAT`. Fine-grained PAT scoped to this repository only. Repository permissions: Contents (Write). Used by auto-tag.yml to push release tags that trigger the publish workflow (built-in GITHUB_TOKEN pushes do not re-trigger workflows, so a PAT is required)
158
-
-**SCM_TOKEN**: Named `legitify-scm-token`. Fine-grained PAT scoped to this repository only. Repository permissions: Metadata (Read), Contents (Read), Administration (Read). Used by Legitify to audit SCM posture — read-only, no write access to any resource
Copy file name to clipboardExpand all lines: extensions/git-id-switcher/CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
## [0.19.4] - 2026-04-16
11
+
12
+
### Removed
13
+
14
+
-**Legitify integration (full revert)**: Removed the Legitify SCM posture audit introduced in 0.19.3. Legitify (both v1.0.11 and the post-v1.0.11 main branch at `038aa49`) explicitly rejects fine-grained PATs (`GitHub fine-grained tokens are not supported at this moment, please use classic PAT`). Switching to a classic PAT would broaden the token's blast radius beyond the minimum-privilege principle this repository follows. All Legitify references have been removed: the `legitify-analyze` job in `security.yml`, the Legitify badge across the root README, the extension README, and all 26 localized READMEs, as well as the SCM_TOKEN entries in SECURITY.md and the sekimori-ishi entry in GOVERNANCE.md
0 commit comments