Skip to content

fix(security): pin Legitify to post-v1.0.11 main SHA, distribute badge (v0.19.3)#473

Merged
nullvariant merged 1 commit into
mainfrom
fix/legitify-post-v1.0.11-main-sha
Apr 16, 2026
Merged

fix(security): pin Legitify to post-v1.0.11 main SHA, distribute badge (v0.19.3)#473
nullvariant merged 1 commit into
mainfrom
fix/legitify-post-v1.0.11-main-sha

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

  • Fix Legitify workflow failing after merge of feat(security): add Legitify SCM posture audit #472Legit-Labs/legitify@v1.0.11 is incompatible with the current GitHub Actions runtime (deprecated upload-artifact@v3 inside its composite action)
  • Pin to post-v1.0.11 main SHA (038aa49) where the upstream fix has already landed
  • Distribute the Legitify static badge across the root README, the extension README, and all 26 localized READMEs — the badge is intentionally visible at every entry point
  • Bump git-id-switcher to 0.19.3 and update CHANGELOG so the README surface changes ship to the Marketplace

Root cause

Legit-Labs/legitify@v1.0.11 (2024-07-09) pulls github/codeql-action/upload-sarif@v3 which internally depends on actions/upload-artifact@v3. GitHub started auto-failing workflows using that dependency on 2024-04-16. The upstream fix (node 20, newer codeql-action) landed on main via PR #333 on 2024-09-11, but no new release tag has been published since v1.0.11.

What changed

  • .github/workflows/security.yml: bump uses from @002049404ef9… (v1.0.11) to @038aa49473a6… (post-v1.0.11 main, 2024-09-25) with an inline comment explaining the rationale and linking the follow-up tracking
  • README.md (root): add static Legitify — SCM Posture Audit badge next to Harden-Runner
  • extensions/git-id-switcher/README.md + 26 localized READMEs: same static badge added to the existing badge row
  • extensions/git-id-switcher/package.json: 0.19.20.19.3
  • extensions/git-id-switcher/CHANGELOG.md: Added (badge distribution) and Fixed (Legitify pin) entries for 0.19.3

Why a static badge (not a workflow status badge)

GitHub Actions status badges are per-workflow, not per-job. Since Legitify runs as one job inside security.yml, a dynamic badge would reflect the status of every security job, not Legitify specifically. Splitting security.yml just to get a per-job badge was rejected in #472 review for SSOT reasons. A static badge next to the existing "monitored" collection (Snyk / Socket / GitGuardian / Harden-Runner) fits the established aesthetic.

Follow-up tracking

The upstream pattern (fix on main, no release tag) is already tracked. The follow-up item will be updated to reflect that this PR now pins to main HEAD and must be audited manually in sync with the 90-day PAT rotation.

Test plan

  • Merge triggers the auto-tag workflow → git-id-switcher-v0.19.3 tag is pushed
  • publish.yml succeeds and ships 0.19.3 to VS Code Marketplace and Open VSX
  • security.yml Legitify job turns green on the next scheduled run (or manual workflow_dispatch)
  • Legitify findings appear in the GitHub Security → Code Scanning tab

…e (v0.19.3)

- Pin Legit-Labs/legitify@038aa49 (post-v1.0.11 main, 2024-09-25).
  v1.0.11 (2024-07-09) fails because its composite action pulls
  codeql-action internals dependent on actions/upload-artifact@v3,
  which GitHub auto-fails since 2024-04-16. Upstream fix landed on
  main (PR #333, 2024-09-11) but no new tag has been published.
- Add static Legitify badge next to Harden-Runner in the root README,
  the extension README, and all 26 localized READMEs.
- Bump git-id-switcher to 0.19.3 and update CHANGELOG (README surface
  area changes require a release since READMEs ship with the VSIX).

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@nullvariant-mimi

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@nullvariant-blaze

Copy link
Copy Markdown
Contributor

🐗 Blaze's Release Review 🔥

🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥

PATCH VERSION BUMP in extensions/git-id-switcher/package.json

0.19.20.19.3

✨ Quick patch! Nice and clean.


よっしゃ!デプロイしまくるぞ!

This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot]

@nullvariant-luna

Copy link
Copy Markdown
Contributor

👧 Luna's Exploration Report 📦

No new dependencies added. Just version bumps! Nothing to explore here... 😴


Botに418返そうよ!

This report was curiously compiled by nullvariant-luna[bot]

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/Legit-Labs/legitify 038aa49473a6974a3ef79f6c76b949b689d23282 🟢 4.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Security-Policy🟢 10security policy file detected
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Signed-Releases⚠️ 21 out of the last 5 releases have a total of 1 signed artifacts.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • .github/workflows/security.yml

@nullvariant-slow

Copy link
Copy Markdown
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

File Lines

| extensions/git-id-switcher/src/ui/documentationInternal.ts | 505 |

Split it up... reading long files is exhausting.


働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-ciel

nullvariant-ciel Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation ☀️

*~~ gliding on a gentle breeze ~~ How serene!*

4 zoo members have reviewed this PR.

Zoo Member Status
🦥 Slow Commented
🐰 Mimi Commented
👧 Luna Commented
🐗 Blaze Commented

☀️ The zoo is in harmony. Everything looks peaceful from up here.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud

Copy link
Copy Markdown

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit 02d6e78 into main Apr 16, 2026
43 of 45 checks passed
@nullvariant nullvariant deleted the fix/legitify-post-v1.0.11-main-sha branch April 16, 2026 06:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant