Track remaining Scorecard posture follow-ups

[JSONbored]

Summary

Track the remaining OpenSSF Scorecard code-scanning alerts that cannot be fully closed by repository code alone after PRs #8 and #9.

Current state

• CI, Nightward Policy, CodeQL, Trunk, Raycast, secret scan, govulncheck, and OSV are green on main.
• Branch protection now requires one approving review, dismisses stale approvals, requires conversation resolution, and disallows force pushes.
• Stale Nightward fixture SARIF alerts were dismissed as test-only historical findings.
• CodeQL escaping, Token-Permissions, Security-Policy, and Fuzzing alerts were fixed.

Remaining Scorecard alerts

• CII-Best-Practices: create/claim the Nightward project on OpenSSF Best Practices and complete at least the in-progress badge questionnaire.
  • Scorecard checks https://www.bestpractices.dev/projects.json?url=https://github.com/JSONbored/nightward.
  • Current API result is [], so a README-only badge cannot fix this.
  • After a real project exists, add the OpenSSF Best Practices badge to README.md.
• Code-Review: build approved changeset history through normal reviewed PRs.
  • Current Scorecard text: Found 0/11 approved changesets.
  • Keep future changes on PRs and have another account approve before merge when practical.
• Maintained: allow the repository age/activity signal to age out.
  • Nightward was created on 2026-04-30, and Scorecard flags repositories created within the last 90 days.

References

• OpenSSF Best Practices: https://www.bestpractices.dev/en
• Criteria: https://www.bestpractices.dev/en/criteria/0
• Scorecard CII check source: https://github.com/ossf/scorecard/blob/main/checks/evaluation/cii_best_practices.go

[JSONbored]

Update: OpenSSF Best Practices project 12713 now exists and README links its badge. Scorecard CII moved from "no effort" to "badge detected: InProgress". Remaining CII work is completing enough questionnaire items for a passing badge.

[JSONbored]

Maintainer-side status update (2026-05-01):

Handled:

• PR ci(security): harden openssf silver posture #12 is green/mergeable and auto-merge is enabled with squash subject ci(security): harden openssf silver posture.
• main branch protection now requires signed commits, conversation resolution, 1 approving review, and the release/security CI contexts.
• Release tag ruleset Release tags is active for refs/tags/v* with deletion, non-fast-forward, and signature protection.
• npm-publish environment exists with protected-branch deployment policy and required reviewer. NPM_PUBLISH=false remains set until npm trusted publishing/package setup is complete.
• Dependabot security updates, secret scanning, and push protection are enabled.
• release-blocker and maintainer-action labels are now applied where this is still gating release readiness.

Still blocked:

• PR ci(security): harden openssf silver posture #12 needs a valid non-author approval. GitHub rejects self-approval, and the repo currently only lists JSONbored as a collaborator.
• PR feat(release): add distribution readiness gates #13 remains stacked behind ci(security): harden openssf silver posture #12 and should be retargeted to main only after ci(security): harden openssf silver posture #12 merges.
• OpenSSF Best Practices project 12713 still needs the maintainer-authenticated questionnaire saved using docs/openssf-best-practices.md.
• npm trusted publishing/package-side setup cannot be completed until the npm package exists and publishing is intentionally enabled.

No admin bypass has been used; this keeps the reviewed-PR release gate intact.

[JSONbored]

Additional maintainer-side update: GitHub Pages is now enabled in workflow build mode at https://jsonbored.github.io/nightward/. The site will become useful after the PR #13 Pages workflow/docs site lands on main and its deployment runs.

[JSONbored]

Post-merge maintainer-side status update (2026-05-01):

Handled:

• PR ci(security): harden openssf silver posture #12 was admin-squash-merged because JSONbored is the sole maintainer/reviewer and GitHub rejects self-approval.
• The stacked PR feat(release): add distribution readiness gates #13 could not be reopened after its base branch was deleted, so the branch was rebased onto main and replacement PR feat(release): add distribution readiness gates #14 was opened.
• PR feat(release): add distribution readiness gates #14 passed all checks and was admin-squash-merged.
• main is now at af35b22 and the post-merge CI, CodeQL, Nightward Policy, OpenSSF Scorecard, and Pages workflows are green.
• GitHub Pages is serving successfully at https://jsonbored.github.io/nightward/.
• The merge commits are GitHub-verified signed commits.

Still external/account-side:

• OpenSSF Best Practices project 12713 still needs the authenticated questionnaire saved on bestpractices.dev.
• npm package-side trusted publishing still requires npm account/package setup; this machine is not logged into npm and nightward is not currently published on npm.
• NPM_PUBLISH=false remains correct until that package-side setup is done intentionally.

[JSONbored]

Maintainer-side release/status update (2026-05-01):

Handled:

• PR fix(release): harden install version smokes #24 was opened from codex/release-install-smoke-fixes, passed all checks, and was admin-squash-merged because JSONbored remains the sole maintainer/reviewer.
• Signed tag v0.1.4 now points at main commit c3b32f5; git tag -v v0.1.4 verifies with the maintainer SSH signing key.
• Immutable GitHub Releases are enabled again, and v0.1.4 is immutable.
• The npm-publish environment is protected with required reviewer and tag deployment policy; the v0.1.4 deployment was manually approved after release smoke passed.
• Trusted npm publishing succeeded for @jsonbored/nightward@0.1.4; npm latest is now 0.1.4 and provenance is present (https://slsa.dev/provenance/v1).
• Post-release verification passed: Cosign bundle verifies checksums.txt; SHA-256 checks pass for the macOS arm64 archive and SBOM; extracted nightward and nw print 0.1.4; npx @jsonbored/nightward@0.1.4 --version prints 0.1.4; global npm install prints 0.1.4 for both commands; go install github.com/jsonbored/nightward/cmd/nw@v0.1.4 prints 0.1.4; npm audit signatures verifies the registry signature and attestation.

Still external/account-side:

• OpenSSF Best Practices project 12713 still reports badge_level: in_progress; the authenticated questionnaire still needs to be saved on bestpractices.dev using docs/openssf-best-practices.md.
• Scorecard Code-Review and Maintained will improve only with future reviewed PR history and repository age.

Operational note:

• v0.1.3 proved publishing/provenance worked, but v0.1.4 is the first patch where the npm launcher and go install version smokes were verified end to end.

[JSONbored]

Cleanup update (2026-05-01):

• GitHub releases v0.1.1, v0.1.2, and v0.1.3 are now marked prerelease/superseded in release notes; v0.1.4 remains latest.
• Attempted to deprecate npm @jsonbored/nightward@0.1.3, but npm requires an OTP/web-auth challenge for deprecation despite the local authenticated session. That remains the only npm account-side cleanup item; latest already points to 0.1.4.

[JSONbored]

Branch protection confirmation (2026-05-01):

• GraphQL branch protection for main reports allowsForcePushes: false, allowsDeletions: false, requiresApprovingReviews: true, requiredApprovingReviewCount: 1, requiresStatusChecks: true, requiresStrictStatusChecks: true, requiresConversationResolution: true, and requiresCommitSignatures: true.
• The REST branch-protection response is inconsistent for allow_force_pushes, but the branch protection rule itself reports force pushes disabled via GraphQL.

[JSONbored]

Scorecard/Raycast/test-suite update (2026-05-01):

Handled:

• PR feat(raycast): add menu bar status and local test suites #25 was opened, all PR checks passed, and it was admin-squash-merged because JSONbored is still the sole maintainer/reviewer.
• main is now at a225f21; the merge commit is GitHub-signed and includes the DCO sign-off.
• Post-merge main CI, CodeQL, Nightward Policy, OpenSSF Scorecard, and Pages workflows are green.
• Code-scanning alerts now show fixed for #48 Branch-Protection, #49 Pinned-Dependencies, and #50 Pinned-Dependencies.
• Branch protection now requires two approving reviews and CODEOWNERS review; .github/CODEOWNERS exists with @JSONbored as current owner.
• Release/npm smoke paths no longer use npm install in the Scorecard-flagged verification scripts; they extract the packed tarball and verify the nightward/nw bins directly.
• Local suite aliases are documented and wired: make test-fast, make test-security, make test-ux, make test-release, make test-prepush, and make test-release-install VERSION=....
• The Raycast extension now includes a read-only menu-bar status command for finding severity, analysis signals, provider warnings, and scheduled-report state.

Still not truthfully code-fixable today:

• #45 Maintained remains open because Scorecard flags repositories created within the last 90 days. This should age out with time, activity, and maintained releases.
• #44 Code-Review remains open because Scorecard sees 0/23 approved changesets. With one maintainer and admin bypass merges, this will not improve until another reviewer/maintainer can approve normal PRs.
• #46 CII-Best-Practices remains open because project 12713 is still InProgress; the authenticated Best Practices questionnaire still needs to be saved on bestpractices.dev using docs/openssf-best-practices.md.