Skip to content

ci: supply-chain hardening to raise OSSF Scorecard / HVTrust#684

Merged
blove merged 13 commits into
mainfrom
blove/infallible-moser-8f116e
Jun 18, 2026
Merged

ci: supply-chain hardening to raise OSSF Scorecard / HVTrust#684
blove merged 13 commits into
mainfrom
blove/infallible-moser-8f116e

Conversation

@blove

@blove blove commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Summary

Closes the supply-chain evidence gaps that suppress threadplane's HVTracker HVTrust score. The dominant lever is the OSSF Scorecard (feeds both Safety ×0.5 and Transparency ×0.5 of HVTrust); commit/release signing and provenance feed the rest. All changes are genuine hardening — no score gaming.

  • OSSF Scorecard workflow with publish_results: true (public OpenSSF API + README badge)
  • SECURITY.md disclosure policy (Security-Policy check)
  • CodeQL SAST for javascript-typescript + python (SAST check)
  • Renovate config with GitHub Action digest pinning; all Actions pinned by commit SHA (Dependency-Update-Tool + Pinned-Dependencies)
  • Least-privilege top-level permissions: on the 3 publish workflows (Token-Permissions)
  • SLSA provenance for GitHub Release artifacts + PyPI attestations (Signed-Releases)
  • CONTRIBUTING.md documents required SSH commit signing

Spec: docs/superpowers/specs/2026-06-18-hvtrust-supply-chain-hardening-design.md
Plan: docs/superpowers/plans/2026-06-18-hvtrust-supply-chain-hardening.md

Activation steps (not in this PR — maintainer/account actions)

  • Repo settings: enable secret scanning + push protection + Dependabot security updates; enable private vulnerability reporting
  • Set up local SSH commit/tag signing, then enable required_signatures on main (do signing first)
  • Install the Renovate GitHub App to activate renovate.json
  • Optional: SCORECARD_TOKEN secret to unlock the Branch-Protection check

Test Plan

  • CI (lint/test/build) green
  • CodeQL analysis completes on this PR
  • actionlint clean (only pre-existing shellcheck info)
  • After merge: Scorecard workflow publishes; badge populates; re-check score (plan Task 14)

🤖 Generated with Claude Code

blove and others added 12 commits June 18, 2026 10:13
@blove @claude
docs(spec): HVTrust supply-chain hardening design
ed52bc1 
Maps OSSF Scorecard + provenance/signing changes to HVTracker's HVTrust
scoring model. Covers Scorecard publishing, hardening files, Renovate
with SHA pinning, enforced commit signing, and SLSA release artifacts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@blove @claude
docs(plan): HVTrust supply-chain hardening implementation plan
ab044bf 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@blove
docs(security): add SECURITY.md vulnerability disclosure policy
36099c3
@blove
ci: set least-privilege top-level token permissions on publish workflows
1557777
@blove
ci: add CodeQL SAST for javascript-typescript and python
6686c0b
@blove
ci: add OSSF Scorecard workflow with public results + README badge
3ca7e3b
@blove
ci: add Renovate config with GitHub Action digest pinning
5afe2b1
@blove
ci: pin all GitHub Actions to commit SHAs
3f93da0
@blove
docs(contributing): document required SSH commit signing
d78e0fd
@blove
ci: generate SLSA provenance for GitHub Release artifacts
2966e74
@blove
ci: enable PyPI build provenance attestations on middleware publish
98f7432
@blove @claude
fix(ci): grant release-provenance build job write perms; pin pypa pub…
965cc93 
…lish action

- build-artifacts needs contents: write for 'gh release upload'
- pin pypa/gh-action-pypi-publish to release/v1 SHA (Pinned-Dependencies)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
threadplane Ready Ready Preview, Comment Jun 18, 2026 6:49pm

Request Review

@blove blove enabled auto-merge (squash) June 18, 2026 18:44
@github-advanced-security

github-advanced-security AI commented Jun 18, 2026

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@blove blove merged commit e973a11 into main Jun 18, 2026
23 of 27 checks passed
@blove blove mentioned this pull request Jun 18, 2026
Merged
blove added a commit that referenced this pull request Jun 18, 2026
@blove @claude
ci(release-provenance): set top-level DO_NOT_TRACK=1 to satisfy workf…
a09a06c 
…low guard (#687)

The supply-chain-hardening guard (scripts/ci-workflow.spec.mjs) added in #684
asserts every workflow sets a top-level DO_NOT_TRACK=1, but release-provenance.yml
was missed — so the 'Validate CI workflow guards' check fails on every PR. Add
the env block; guard test now passes 11/11.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@blove @github-advanced-security