fix(workflows): prevent zero-diff force-push, fix SBOM attestation, and consolidate security collection #1159
Merged: WilliamBerryiii merged 11 commits into main, Mar 21, 2026

Conversation
…ase pipeline
- replace API force-push with atomic git checkout -B in prerelease-pr and stable workflows
- add checkout step, -R flag, and placeholder version bump to reset-prerelease job
- add dependency and per-VSIX SBOM generation with attestation to pre-release pipeline
- fix SBOM download path and artifact references in stable release pipeline
🔧 - Generated by Copilot
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs #1159):
             main    #1159     +/-
Coverage   86.90%   86.89%   -0.02%
Files          59       59
Lines        8774     8774
Hits         7625     7624       -1
Misses       1149     1150       +1
Dependency Review Summary: The full dependency review summary was too large to display here (1553KB, limit is 1024KB). Please download the artifact named "dependency-review-summary" to view the complete report.
- move sssc-planner agent from agents/security-planning/ to agents/security/
- move 4 sssc prompts from prompts/security-planning/ to prompts/security/
- move 5 instructions from instructions/security-planning/ to instructions/security/
- move 6 instructions from instructions/sssc-planning/ to instructions/security/
📦 - Generated by Copilot

…ate into security
- update all security-planning and sssc-planning paths to security
- remove security-planning entry from marketplace.json
- delete security-planning collection manifests and plugin outputs
- update agent and doc file references
🔀 - Generated by Copilot
auyidi1 approved these changes, Mar 20, 2026
Rename docs/agents/security-planning/ to docs/agents/security/ to align with the collection consolidation from security-planning to security. - Generated by Copilot
Update cross-references from security-planning/ to security/ in agent documentation and change the Docusaurus category label to match. - Generated by Copilot
…ensions
- add MIT-0, MIT-CMU, HPND, LicenseRef-scancode-secret-labs-2011 to allow-licenses
- exempt lxml (BSD-3-Clause) and typing-extensions (PSF-2.0) via allow-dependencies-licenses
🔐 - Generated by Copilot
chaosdinosaur approved these changes, Mar 20, 2026
…sions
- compute PRE_VERSION once via step output in reset-prerelease job
- add least-privilege comments to contents: write on SBOM jobs
🔧 - Generated by Copilot
- add sssc-planner agent, SSSC prompts, and SSSC instructions
- update collection description with SSSC Planner entry
- regenerate plugins
🔧 - Generated by Copilot

- hve-core-all: move SSSC Planner from subagents to new security and planning agents section; add Security Planner and RAI Planner
- security: add supporting subagents and skills sections listing security reviewer subagents and OWASP knowledge base skills
WilliamBerryiii pushed a commit that referenced this pull request, Mar 23, 2026:

🤖 I have created a release *beep* *boop*

## [3.2.1](hve-core-v3.2.0...hve-core-v3.2.1) (2026-03-23)

### 🐛 Bug Fixes

* **workflows:** expand dependency-review license allow-list and add docusaurus build step ([#1168](#1168)) ([5458cab](5458cab))
* **workflows:** prevent zero-diff force-push, fix SBOM attestation, and consolidate security collection ([#1159](#1159)) ([0fbd111](0fbd111))

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
Description

This PR addresses five issues discovered after the stable 3.2.0 release: pre-release pipeline failures, SBOM attestation errors, missing pre-release SBOM generation, an incorrectly re-created `security-planning` collection, and dependency review license false positives.

### Pre-release pipeline zero-diff force-push (#1160)

Both `release-prerelease-pr.yml` and `release-stable.yml` used the GitHub API to force-push `prerelease/next` to the same SHA as `main`. GitHub detected 0-diff and auto-closed the open PR. The `reset-prerelease` job also ran git/gh commands without checkout.

Fix: Replaced API-based force-push with atomic `git checkout -B` + `git push --force` to create a version-bump commit. Added `actions/checkout` with `fetch-depth: 0` to the `reset-prerelease` job. Added `-R` flag to `gh` CLI commands. Split the combined update step into separate reset and create-or-update PR steps.

### Stable release SBOM attestation failure (#1161)
The dependency SBOM was downloaded to `./dist` alongside VSIX files, but attestation expected it at `./sbom/dependency-sbom.spdx.json`.

Fix: Isolated dependency SBOM download to the `./sbom` directory. Corrected `sbom-path` references. Added file-existence verification guards before all attestation steps.

### Pre-release pipeline missing SBOM (#1162)
The pre-release pipeline had no dependency SBOM generation or attestation, unlike the stable pipeline.

Fix: Added `generate-dependency-sbom` job using `anchore/sbom-action` with sparse checkout. Added per-VSIX SBOM generation, VSIX filename resolution, and SBOM attestation steps. Added `artifact-metadata: write` permission and expanded release asset uploads.

### security-planning collection consolidation (#1163)
PR #980 renamed `security-planning` to `security`. PR #979 then incorrectly re-created `security-planning` as a separate collection for SSSC artifacts.

Fix: Moved all files from the `security-planning/` and `sssc-planning/` directories into `security/`. Updated all path references across collection YAMLs, agent files, marketplace.json, and documentation. Deleted `security-planning` collection manifests and plugin outputs. Regenerated all plugins.

### Dependency review license false positives (#1164)
The `dependency-review.yml` workflow failed on PRs adding Python skill dependencies because `lxml` (BSD-3-Clause) and `typing-extensions` (PSF-2.0) were mis-labeled as GPL by the scanner due to compound SPDX expressions in their source distributions.

Fix: Added per-package license exemptions via `allow-dependencies-licenses` for `pkg:pypi/lxml` and `pkg:pypi/typing-extensions`. Added missing license identifiers (`MIT-0`, `MIT-CMU`, `HPND`, `LicenseRef-scancode-secret-labs-2011`) to the global allow-list. Deduplicated the `PRE_VERSION` calculation in `release-stable.yml` and added least-privilege comments to SBOM job permissions.

### Related Issue(s)
Fixes #1160
Fixes #1161
Fixes #1162
Fixes #1163
Fixes #1164
### Testing

…`security-planning/` or `sssc-planning/` references remain in live files

### Checklist
Required Checks

Required Automated Checks. The following validation commands must pass before merging:

- `npm run lint:md`
- `npm run spell-check`
- `npm run lint:frontmatter`
- `npm run validate:skills`
- `npm run lint:md-links`
- `npm run lint:ps`
- `npm run plugin:generate`

### Security Considerations
All new action references use fully pinned SHA references. Defensive `test -f` guards gate SBOM attestation steps. Sparse checkout limits clone surface. SBOM attestation uses `actions/attest` for supply chain integrity. The `security-planning` marketplace extension entry has been removed. Dependency review license exemptions use per-package `allow-dependencies-licenses` rather than adding GPL to the global allow-list.

### Additional Notes
Breaking change: The `security-planning` collection and its marketplace extension no longer exist. All artifacts are now in the `security` collection. Consumers of the `security-planning` extension should switch to the `security` extension.
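The zero-diff force-push problem from the #1160 section, reproduced locally as an added example (not the project's workflow code): it builds a throwaway repository, shows that pointing `prerelease/next` at `main`'s SHA leaves the branch zero commits ahead, then applies the `git checkout -B` plus placeholder version-bump approach and checks the commit count, which is the guard worth running before any `git push --force`. It assumes `git` on PATH; the `VERSION` file and the version `3.2.1-pre.0` are constructed.

```shell
#!/bin/sh
# Added example, not the project's workflow: show why a branch reset to
# main's SHA yields a zero-diff PR and how a placeholder bump commit fixes it.
set -eu

# Commit identity so the constructed repo works in a bare CI shell.
export GIT_AUTHOR_NAME=ci GIT_AUTHOR_EMAIL=ci@example.invalid
export GIT_COMMITTER_NAME=ci GIT_COMMITTER_EMAIL=ci@example.invalid

# Constructed sample repository: a main branch with one VERSION file.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  printf '3.2.0\n' > "$dir/VERSION"
  git -C "$dir" add VERSION
  git -C "$dir" commit -q -m "release: 3.2.0"
  printf '%s\n' "$dir"
}

# Old behaviour: move the branch ref to main's SHA, as the API force-push did.
reset_by_sha() {                    # $1=repo $2=branch
  git -C "$1" branch -f "$2" main
}

# Fixed behaviour: rebuild the branch from main and commit a placeholder
# version bump so the branch always differs from main.
reset_with_bump() {                 # $1=repo $2=branch $3=placeholder version
  git -C "$1" checkout -q -B "$2" main
  printf '%s\n' "$3" > "$1/VERSION"
  git -C "$1" commit -q -am "chore: bump version to $3 (placeholder)"
}

# Guard to run before git push --force: commits on the branch beyond main.
# 0 means GitHub would see an empty PR and auto-close it.
commits_ahead() {                   # $1=repo $2=branch
  git -C "$1" rev-list --count "main..$2"
}

demo() {
  repo=$(make_repo)
  reset_by_sha "$repo" prerelease/next
  echo "API-style reset: $(commits_ahead "$repo" prerelease/next) commit(s) ahead"    # 0
  reset_with_bump "$repo" prerelease/next 3.2.1-pre.0
  echo "checkout -B + bump: $(commits_ahead "$repo" prerelease/next) commit(s) ahead" # 1
  rm -rf "$repo"
}
demo
```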