Skip to content

revert: remove Legitify integration — upstream rejects fine-grained PATs (v0.19.4)#474

Merged
nullvariant merged 1 commit into
mainfrom
revert/legitify-analyze-job
Apr 16, 2026
Merged

revert: remove Legitify integration — upstream rejects fine-grained PATs (v0.19.4)#474
nullvariant merged 1 commit into
mainfrom
revert/legitify-analyze-job

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

Full revert of the Legitify SCM posture audit introduced in #472 and patched in #473. Legitify — in both v1.0.11 and the post-v1.0.11 main branch (038aa49) — explicitly rejects fine-grained PATs:

GitHub fine-grained tokens are not supported at this moment, please use classic PAT

The only way to run Legitify is with a classic PAT, which broadens the token's blast radius well beyond this repository's minimum-privilege principle. Upstream issue #194 was closed without implementing the fix, and the rejection remains in main today.

Root cause (reviewer-visible)

Inspecting internal/clients/github/client.go on upstream main:

return fmt.Errorf("GitHub fine-grained tokens are not supported at this moment, please use classic PAT")

This was missed during the initial tool adoption evaluation — a follow-up will update the internal evaluation criteria to include an authentication-method compatibility check.

What changed

  • .github/workflows/security.yml: removed the legitify-analyze job
  • README.md (root) + extensions/git-id-switcher/README.md + 26 localized READMEs: removed the static Legitify badge
  • SECURITY.md: removed the SCM Posture Audit entry under CI/CD Security, and the SCM_TOKEN rows from Repository Secrets, Provider Links, and Token Details
  • GOVERNANCE.md: removed the SCM Posture Audit sekimori-ishi row
  • extensions/git-id-switcher/package.json: 0.19.30.19.4
  • extensions/git-id-switcher/CHANGELOG.md: [0.19.4] with a Removed entry documenting the revert

Post-merge owner actions

  • Delete SCM_TOKEN from repository secrets
  • Revoke the legitify-scm-token fine-grained PAT

Test plan

  • Merge triggers Auto Tag on Version Changegit-id-switcher-v0.19.4 tag pushed
  • publish.yml ships 0.19.4 to VS Code Marketplace and Open VSX
  • security.yml run turns green on main after merge (Legitify job no longer present)

…ATs (v0.19.4)

Legitify (both v1.0.11 and post-v1.0.11 main at 038aa49) explicitly
rejects fine-grained PATs:

    GitHub fine-grained tokens are not supported at this moment,
    please use classic PAT

Switching to a classic PAT would broaden the token's blast radius
beyond this repository's minimum-privilege principle. Legitify
upstream issue #194 was closed without implementing the proposed
fix; the rejection remains in main.

Reverted artifacts:
- .github/workflows/security.yml: legitify-analyze job
- README.md (root): Legitify badge
- extensions/git-id-switcher/README.md + 26 localized READMEs: badge
- SECURITY.md: SCM Posture Audit entry, SCM_TOKEN in Repository
  Secrets / Provider Links / Token Details
- GOVERNANCE.md: SCM Posture Audit sekimori-ishi row

Bump to 0.19.4. Owner should revoke the legitify-scm-token PAT and
delete the SCM_TOKEN secret from repository settings after merge.

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@nullvariant-luna

Copy link
Copy Markdown
Contributor

👧 Luna's Exploration Report 📦

No new dependencies added. Just version bumps! Nothing to explore here... 😴


Botに418返そうよ!

This report was curiously compiled by nullvariant-luna[bot]

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

  • .github/workflows/security.yml

@nullvariant-mimi

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@nullvariant-slow

Copy link
Copy Markdown
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

File Lines

| extensions/git-id-switcher/src/ui/documentationInternal.ts | 505 |

Split it up... reading long files is exhausting.


働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-blaze

Copy link
Copy Markdown
Contributor

🐗 Blaze's Release Review 🔥

🔥🔥🔥 VERSION BUMP DETECTED! THIS IS IT! 🔥🔥🔥

PATCH VERSION BUMP in extensions/git-id-switcher/package.json

0.19.30.19.4

✨ Quick patch! Nice and clean.


よっしゃ!デプロイしまくるぞ!

This review was ENTHUSIASTICALLY filed by nullvariant-blaze[bot]

@nullvariant-ciel

nullvariant-ciel Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation ☀️

*~~ gliding on a gentle breeze ~~ How serene!*

4 zoo members have reviewed this PR.

Zoo Member Status
🦥 Slow Commented
🐰 Mimi Commented
👧 Luna Commented
🐗 Blaze Commented

☀️ The zoo is in harmony. Everything looks peaceful from up here.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud

Copy link
Copy Markdown

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit 8b88870 into main Apr 16, 2026
42 of 44 checks passed
@nullvariant nullvariant deleted the revert/legitify-analyze-job branch April 16, 2026 06:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant