revert: remove Legitify integration — upstream rejects fine-grained PATs (v0.19.4)#474
Conversation
…ATs (v0.19.4)
Legitify (both v1.0.11 and post-v1.0.11 main at 038aa49) explicitly
rejects fine-grained PATs:
GitHub fine-grained tokens are not supported at this moment,
please use classic PAT
Switching to a classic PAT would broaden the token's blast radius
beyond this repository's minimum-privilege principle. Legitify
upstream issue #194 was closed without implementing the proposed
fix; the rejection remains in main.
Reverted artifacts:
- .github/workflows/security.yml: legitify-analyze job
- README.md (root): Legitify badge
- extensions/git-id-switcher/README.md + 26 localized READMEs: badge
- SECURITY.md: SCM Posture Audit entry, SCM_TOKEN in Repository
Secrets / Provider Links / Token Details
- GOVERNANCE.md: SCM Posture Audit sekimori-ishi row
Bump to 0.19.4. Owner should revoke the legitify-scm-token PAT and
delete the SCM_TOKEN secret from repository settings after merge.
Signed-off-by: Null;Variant <null@nullvariant.com>
🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
👧 Luna's Exploration Report 📦No new dependencies added. Just version bumps! Nothing to explore here... 😴
This report was curiously compiled by nullvariant-luna[bot] |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned Files
|
🐰 Mimi's Validation Report ✅All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot] |
🦥 Slow's Code Review 😩...yawn... Do I really have to review this?
| Split it up... reading long files is exhausting.
This review was reluctantly filed by nullvariant-slow[bot] |
🐗 Blaze's Release Review 🔥🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥 ✨ PATCH VERSION BUMP in
✨ Quick patch! Nice and clean.
This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot] |
🕊️ Ciel's Mediation ☀️*~~ gliding on a gentle breeze ~~ How serene!* 4 zoo members have reviewed this PR.
☀️ The zoo is in harmony. Everything looks peaceful from up here.
This mediation was peacefully delivered by nullvariant-ciel[bot] |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
|



Summary
Full revert of the Legitify SCM posture audit introduced in #472 and patched in #473. Legitify — in both v1.0.11 and the post-v1.0.11 main branch (
038aa49) — explicitly rejects fine-grained PATs:The only way to run Legitify is with a classic PAT, which broadens the token's blast radius well beyond this repository's minimum-privilege principle. Upstream issue #194 was closed without implementing the fix, and the rejection remains in
maintoday.Root cause (reviewer-visible)
Inspecting
internal/clients/github/client.goon upstreammain:This was missed during the initial tool adoption evaluation — a follow-up will update the internal evaluation criteria to include an authentication-method compatibility check.
What changed
.github/workflows/security.yml: removed thelegitify-analyzejobREADME.md(root) +extensions/git-id-switcher/README.md+ 26 localized READMEs: removed the static Legitify badgeSECURITY.md: removed theSCM Posture Auditentry under CI/CD Security, and theSCM_TOKENrows from Repository Secrets, Provider Links, and Token DetailsGOVERNANCE.md: removed theSCM Posture Auditsekimori-ishi rowextensions/git-id-switcher/package.json:0.19.3→0.19.4extensions/git-id-switcher/CHANGELOG.md:[0.19.4]with aRemovedentry documenting the revertPost-merge owner actions
SCM_TOKENfrom repository secretslegitify-scm-tokenfine-grained PATTest plan
Auto Tag on Version Change→git-id-switcher-v0.19.4tag pushedpublish.ymlships 0.19.4 to VS Code Marketplace and Open VSXsecurity.ymlrun turns green onmainafter merge (Legitify job no longer present)