fix(security): pin Legitify to post-v1.0.11 main SHA, distribute badge (v0.19.3)#473
Conversation
…e (v0.19.3) - Pin Legit-Labs/legitify@038aa49 (post-v1.0.11 main, 2024-09-25). v1.0.11 (2024-07-09) fails because its composite action pulls codeql-action internals dependent on actions/upload-artifact@v3, which GitHub auto-fails since 2024-04-16. Upstream fix landed on main (PR #333, 2024-09-11) but no new tag has been published. - Add static Legitify badge next to Harden-Runner in the root README, the extension README, and all 26 localized READMEs. - Bump git-id-switcher to 0.19.3 and update CHANGELOG (README surface area changes require a release since READMEs ship with the VSIX). Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
🐰 Mimi's Validation Report ✅All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot] |
🐗 Blaze's Release Review 🔥🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥 ✨ PATCH VERSION BUMP in
✨ Quick patch! Nice and clean.
This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot] |
👧 Luna's Exploration Report 📦No new dependencies added. Just version bumps! Nothing to explore here... 😴
This report was curiously compiled by nullvariant-luna[bot] |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
🦥 Slow's Code Review 😩...yawn... Do I really have to review this?
| Split it up... reading long files is exhausting.
This review was reluctantly filed by nullvariant-slow[bot] |
🕊️ Ciel's Mediation ☀️*~~ gliding on a gentle breeze ~~ How serene!* 4 zoo members have reviewed this PR.
☀️ The zoo is in harmony. Everything looks peaceful from up here.
This mediation was peacefully delivered by nullvariant-ciel[bot] |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|



Summary
Legit-Labs/legitify@v1.0.11is incompatible with the current GitHub Actions runtime (deprecatedupload-artifact@v3inside its composite action)mainSHA (038aa49) where the upstream fix has already landedgit-id-switcherto0.19.3and update CHANGELOG so the README surface changes ship to the MarketplaceRoot cause
Legit-Labs/legitify@v1.0.11(2024-07-09) pullsgithub/codeql-action/upload-sarif@v3which internally depends onactions/upload-artifact@v3. GitHub started auto-failing workflows using that dependency on 2024-04-16. The upstream fix (node 20, newer codeql-action) landed onmainvia PR #333 on 2024-09-11, but no new release tag has been published since v1.0.11.What changed
.github/workflows/security.yml: bumpusesfrom@002049404ef9…(v1.0.11) to@038aa49473a6…(post-v1.0.11main, 2024-09-25) with an inline comment explaining the rationale and linking the follow-up trackingREADME.md(root): add staticLegitify — SCM Posture Auditbadge next to Harden-Runnerextensions/git-id-switcher/README.md+ 26 localized READMEs: same static badge added to the existing badge rowextensions/git-id-switcher/package.json:0.19.2→0.19.3extensions/git-id-switcher/CHANGELOG.md:Added(badge distribution) andFixed(Legitify pin) entries for 0.19.3Why a static badge (not a workflow status badge)
GitHub Actions status badges are per-workflow, not per-job. Since Legitify runs as one job inside
security.yml, a dynamic badge would reflect the status of every security job, not Legitify specifically. Splittingsecurity.ymljust to get a per-job badge was rejected in #472 review for SSOT reasons. A static badge next to the existing "monitored" collection (Snyk / Socket / GitGuardian / Harden-Runner) fits the established aesthetic.Follow-up tracking
The upstream pattern (fix on
main, no release tag) is already tracked. The follow-up item will be updated to reflect that this PR now pins tomainHEAD and must be audited manually in sync with the 90-day PAT rotation.Test plan
git-id-switcher-v0.19.3tag is pushedpublish.ymlsucceeds and ships 0.19.3 to VS Code Marketplace and Open VSXsecurity.ymlLegitify job turns green on the next scheduled run (or manualworkflow_dispatch)