From 803d54cc2d43064fe5825cc888004978b72f1370 Mon Sep 17 00:00:00 2001 From: Alexey Samoylov Date: Mon, 29 Jun 2026 16:43:56 +0600 Subject: [PATCH 1/3] fix(task): prefer provider failure guidance --- DiffPalReviewDevV1/task.json | 4 ++-- DiffPalReviewV1/task.json | 4 ++-- README.md | 6 +++--- package-lock.json | 4 ++-- package.json | 2 +- scripts/smoke-test.js | 2 +- src/index.ts | 12 +++++++++++- vss-extension.dev.json | 2 +- vss-extension.json | 2 +- 9 files changed, 24 insertions(+), 14 deletions(-) diff --git a/DiffPalReviewDevV1/task.json b/DiffPalReviewDevV1/task.json index c4ff23a..801db12 100644 --- a/DiffPalReviewDevV1/task.json +++ b/DiffPalReviewDevV1/task.json @@ -10,7 +10,7 @@ "version": { "Major": 1, "Minor": 6, - "Patch": 17 + "Patch": 18 }, "minimumAgentVersion": "3.224.0", "instanceNameFormat": "DiffPal Review Dev", @@ -28,7 +28,7 @@ "type": "string", "label": "DiffPal version", "required": false, - "defaultValue": "0.1.39", + "defaultValue": "0.1.40", "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal." }, { diff --git a/DiffPalReviewV1/task.json b/DiffPalReviewV1/task.json index 18ee4d2..26e5404 100644 --- a/DiffPalReviewV1/task.json +++ b/DiffPalReviewV1/task.json @@ -10,7 +10,7 @@ "version": { "Major": 1, "Minor": 6, - "Patch": 17 + "Patch": 18 }, "minimumAgentVersion": "3.224.0", "instanceNameFormat": "DiffPal Review", @@ -28,7 +28,7 @@ "type": "string", "label": "DiffPal version", "required": false, - "defaultValue": "0.1.39", + "defaultValue": "0.1.40", "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal." }, { diff --git a/README.md b/README.md index 8846f5f..15238a3 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ VSIX packaging, and Marketplace release flow. The task installs `@diffpal/diffpal` by default and runs `diffpal review ado`. Bring the provider recipe you want to use; the Azure review flow stays the same. -By default it installs `@diffpal/diffpal@0.1.37`, the tested CLI release paired +By default it installs `@diffpal/diffpal@0.1.40`, the tested CLI release paired with this extension. Set `diffpalVersion` only when you need to override that default rollout. @@ -70,7 +70,7 @@ steps: - task: DiffPalReview@1 displayName: DiffPal review inputs: - diffpalVersion: 0.1.37 + diffpalVersion: 0.1.40 profile: ci feedback: review env: @@ -194,7 +194,7 @@ VSIX files are written to `dist/`. Set versions before tagging: ```bash -task release:set-version VERSION=0.1.39 TASK_VERSION=1.6.15 +task release:set-version VERSION=0.1.42 TASK_VERSION=1.6.18 ``` Publish uses the `release.yml` workflow and requires `AZURE_DEVOPS_EXT_PAT` in the `azure-devops-marketplace` GitHub Environment. diff --git a/package-lock.json b/package-lock.json index 7c6a3bc..cfaa60f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@diffpal/azure-devops-extension", - "version": "0.1.41", + "version": "0.1.42", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@diffpal/azure-devops-extension", - "version": "0.1.41", + "version": "0.1.42", "license": "MIT", "dependencies": { "azure-pipelines-task-lib": "5.2.10" diff --git a/package.json b/package.json index c1ce784..a545a5e 100644 --- a/package.json +++ b/package.json @@ -34,5 +34,5 @@ "publish:prod": "npm run build \u0026\u0026 tfx extension publish --manifest-globs vss-extension.json", "smoke": "npm run build \u0026\u0026 node scripts/smoke-test.js" }, - "version": "0.1.41" + "version": "0.1.42" } \ No newline at end of file diff --git a/scripts/smoke-test.js b/scripts/smoke-test.js index 1755244..1ed736a 100644 --- a/scripts/smoke-test.js +++ b/scripts/smoke-test.js @@ -155,7 +155,7 @@ function testDefaultPinnedVersionIsUsedWhenInputIsUnset() { PATH: `${fakeBin}${path.delimiter}${process.env.PATH || ""}` }); - assert(read(npmArgv).includes("@diffpal/diffpal@0.1.39"), "default install did not request the pinned DiffPal version"); + assert(read(npmArgv).includes("@diffpal/diffpal@0.1.40"), "default install did not request the pinned DiffPal version"); assert(read(diffpalArgv).includes("review\nado"), "default pinned version did not run diffpal review ado"); } diff --git a/src/index.ts b/src/index.ts index e2597c5..b1babad 100644 --- a/src/index.ts +++ b/src/index.ts @@ -25,7 +25,7 @@ type ReviewRange = { pullRequest: PullRequestContext; }; -const DEFAULT_DIFFPAL_VERSION = "0.1.39"; +const DEFAULT_DIFFPAL_VERSION = "0.1.40"; const TRANSIENT_REVIEW_EXIT_CODE = 3; const REVIEW_BLOCKED_EXIT_CODE = 10; @@ -304,12 +304,22 @@ function hasStructuredOutputFailure(output: string): boolean { normalized.includes("no json object"); } +function hasProviderFailure(output: string): boolean { + const normalized = output.toLowerCase(); + return normalized.includes("provider error") || + normalized.includes("provider failed") || + normalized.includes("provider failure"); +} + function diffPalFailureMessage(result: CommandResult, gate: boolean, blockOn: string): string { if (gate && isReviewBlockedFailure(result.code)) { return `DiffPal code review found blocking issues at or above the ${blockOn} threshold.`; } if (isTransientReviewFailure(result.code)) { const output = `${result.stdout}\n${result.stderr}`; + if (hasProviderFailure(output)) { + return "DiffPal review could not complete because the provider failed. Rerun the pipeline or check provider availability, auth, quota, and billing."; + } if (hasStructuredOutputFailure(output)) { return "DiffPal review could not complete because the provider returned an empty or invalid structured response after retries. Rerun the pipeline or check provider availability, auth, and quota."; } diff --git a/vss-extension.dev.json b/vss-extension.dev.json index c400116..bdbe20f 100644 --- a/vss-extension.dev.json +++ b/vss-extension.dev.json @@ -46,5 +46,5 @@ "id": "Microsoft.VisualStudio.Services" } ], - "version": "0.1.41" + "version": "0.1.42" } \ No newline at end of file diff --git a/vss-extension.json b/vss-extension.json index c0ae82c..fcf1552 100644 --- a/vss-extension.json +++ b/vss-extension.json @@ -46,5 +46,5 @@ "id": "Microsoft.VisualStudio.Services" } ], - "version": "0.1.41" + "version": "0.1.42" } \ No newline at end of file From 9b5acfa56c66c8a55894062f28d6954394882f84 Mon Sep 17 00:00:00 2001 From: Alexey Samoylov Date: Fri, 10 Jul 2026 18:24:51 +0600 Subject: [PATCH 2/3] fix(task): align extension with cli v1 Upgrade the Azure task runtime, default to CLI major 1, disable npm lifecycle scripts, wait for marketplace validation, and add a staged CLI contract check.\n\nRefs: dp-zsy.3 --- .github/workflows/ci.yml | 20 ++++++++++++++ .github/workflows/release.yml | 1 - DiffPalReviewDevV1/task.json | 8 +++--- DiffPalReviewV1/task.json | 8 +++--- README.md | 10 +++---- package-lock.json | 50 +++++++++++++++-------------------- package.json | 9 +++---- scripts/cli-contract-test.sh | 27 +++++++++++++++++++ scripts/smoke-test.js | 5 ++-- src/index.ts | 3 ++- vss-extension.dev.json | 4 +-- vss-extension.json | 4 +-- 12 files changed, 93 insertions(+), 56 deletions(-) create mode 100755 scripts/cli-contract-test.sh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 90733d6..e48f2b5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,6 +27,26 @@ jobs: - name: Smoke test task handler run: npm run smoke + - name: Check out DiffPal CLI contract + uses: actions/checkout@v6 + with: + repository: diffpal/diffpal + ref: develop + path: .tmp/diffpal + + - uses: actions/setup-go@v6 + with: + go-version-file: .tmp/diffpal/go.mod + + - name: Build staged DiffPal CLI + working-directory: .tmp/diffpal + run: go build -o "$RUNNER_TEMP/diffpal" ./cmd/diffpal + + - name: Verify CLI v1 contract + env: + DIFFPAL_BIN: ${{ runner.temp }}/diffpal + run: bash scripts/cli-contract-test.sh + - name: Package production extension run: npm run package:prod diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c2ab8d3..f8ff1fe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -130,7 +130,6 @@ jobs: --vsix "$path" \ --auth-type pat \ --token "$AZURE_DEVOPS_EXT_PAT" \ - --no-wait-validation \ --no-prompt } diff --git a/DiffPalReviewDevV1/task.json b/DiffPalReviewDevV1/task.json index 801db12..91d9b50 100644 --- a/DiffPalReviewDevV1/task.json +++ b/DiffPalReviewDevV1/task.json @@ -9,8 +9,8 @@ "author": "DiffPal", "version": { "Major": 1, - "Minor": 6, - "Patch": 18 + "Minor": 7, + "Patch": 0 }, "minimumAgentVersion": "3.224.0", "instanceNameFormat": "DiffPal Review Dev", @@ -28,8 +28,8 @@ "type": "string", "label": "DiffPal version", "required": false, - "defaultValue": "0.1.40", - "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal." + "defaultValue": "1", + "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal. Use an exact v1 release for reproducible CI." }, { "name": "diffpalPath", diff --git a/DiffPalReviewV1/task.json b/DiffPalReviewV1/task.json index 26e5404..a20ebcc 100644 --- a/DiffPalReviewV1/task.json +++ b/DiffPalReviewV1/task.json @@ -9,8 +9,8 @@ "author": "DiffPal", "version": { "Major": 1, - "Minor": 6, - "Patch": 18 + "Minor": 7, + "Patch": 0 }, "minimumAgentVersion": "3.224.0", "instanceNameFormat": "DiffPal Review", @@ -28,8 +28,8 @@ "type": "string", "label": "DiffPal version", "required": false, - "defaultValue": "0.1.40", - "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal." + "defaultValue": "1", + "helpMarkDown": "npm version or dist-tag for @diffpal/diffpal. Use an exact v1 release for reproducible CI." }, { "name": "diffpalPath", diff --git a/README.md b/README.md index 15238a3..33f51ca 100644 --- a/README.md +++ b/README.md @@ -20,9 +20,9 @@ VSIX packaging, and Marketplace release flow. The task installs `@diffpal/diffpal` by default and runs `diffpal review ado`. Bring the provider recipe you want to use; the Azure review flow stays the same. -By default it installs `@diffpal/diffpal@0.1.40`, the tested CLI release paired -with this extension. Set `diffpalVersion` only when you need to override that -default rollout. +By default it installs `@diffpal/diffpal@1`, keeping the task on the compatible +CLI v1 line. Set `diffpalVersion` to an exact v1 release when you need fully +reproducible CI. ## Behavior @@ -70,7 +70,7 @@ steps: - task: DiffPalReview@1 displayName: DiffPal review inputs: - diffpalVersion: 0.1.40 + diffpalVersion: 1.0.0 profile: ci feedback: review env: @@ -194,7 +194,7 @@ VSIX files are written to `dist/`. Set versions before tagging: ```bash -task release:set-version VERSION=0.1.42 TASK_VERSION=1.6.18 +task release:set-version VERSION=1.0.0 TASK_VERSION=1.7.0 ``` Publish uses the `release.yml` workflow and requires `AZURE_DEVOPS_EXT_PAT` in the `azure-devops-marketplace` GitHub Environment. diff --git a/package-lock.json b/package-lock.json index cfaa60f..787e6a8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,15 +1,15 @@ { "name": "@diffpal/azure-devops-extension", - "version": "0.1.42", + "version": "1.0.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@diffpal/azure-devops-extension", - "version": "0.1.42", + "version": "1.0.0", "license": "MIT", "dependencies": { - "azure-pipelines-task-lib": "5.2.10" + "azure-pipelines-task-lib": "5.277.0" }, "devDependencies": { "@types/node": "^20.17.10", @@ -523,9 +523,9 @@ } }, "node_modules/azure-pipelines-task-lib": { - "version": "5.2.10", - "resolved": "https://registry.npmjs.org/azure-pipelines-task-lib/-/azure-pipelines-task-lib-5.2.10.tgz", - "integrity": "sha512-6Wak5UB+Bs693LkPoE4gZTDNkNL5DDn2buQKMtvqIWh2ZCIJk+tc1nSzroGWntJa7USs8X3cYvdl0RiSsp4/5A==", + "version": "5.277.0", + "resolved": "https://registry.npmjs.org/azure-pipelines-task-lib/-/azure-pipelines-task-lib-5.277.0.tgz", + "integrity": "sha512-QS9mHHBgNyX/Vfcdsz8IPlTOudLnPCrundLjm4b9Kq5oRvuCsHxcdLGwNf8yLTAgX7nzf0P4c+P0+H05RLT1qw==", "license": "MIT", "dependencies": { "adm-zip": "^0.5.10", @@ -533,18 +533,7 @@ "nodejs-file-downloader": "^4.11.1", "q": "^1.5.1", "semver": "^5.7.2", - "shelljs": "^0.10.0", - "uuid": "^3.0.1" - } - }, - "node_modules/azure-pipelines-task-lib/node_modules/uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "deprecated": "uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).", - "license": "MIT", - "bin": { - "uuid": "bin/uuid" + "shelljs": "^0.10.0" } }, "node_modules/b4a": { @@ -3799,17 +3788,6 @@ "node": ">=20.0.0" } }, - "node_modules/tfx-cli/node_modules/uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "deprecated": "uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).", - "dev": true, - "license": "MIT", - "bin": { - "uuid": "bin/uuid" - } - }, "node_modules/tinytim": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/tinytim/-/tinytim-0.1.1.tgz", @@ -4068,6 +4046,20 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/uuid": { + "version": "13.0.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-13.0.2.tgz", + "integrity": "sha512-vzi9uRZ926x4XV73S/4qQaTwPXM2JBj6/6lI/byHH1jOpCzb0zDbfytgA9LcN/hzb2l7WQSQnxITOVx5un/wGw==", + "dev": true, + "funding": [ + "https://github.com/sponsors/broofa", + "https://github.com/sponsors/ctavan" + ], + "license": "MIT", + "bin": { + "uuid": "dist-node/bin/uuid" + } + }, "node_modules/validator": { "version": "13.15.35", "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.35.tgz", diff --git a/package.json b/package.json index a545a5e..0078335 100644 --- a/package.json +++ b/package.json @@ -4,7 +4,7 @@ "url": "https://github.com/diffpal/azure-devops/issues" }, "dependencies": { - "azure-pipelines-task-lib": "5.2.10" + "azure-pipelines-task-lib": "5.277.0" }, "description": "Azure DevOps extension and pipeline task for DiffPal review", "devDependencies": { @@ -18,9 +18,6 @@ "homepage": "https://github.com/diffpal/azure-devops#readme", "license": "MIT", "name": "@diffpal/azure-devops-extension", - "overrides": { - "uuid": "3.4.0" - }, "private": true, "repository": { "type": "git", @@ -34,5 +31,5 @@ "publish:prod": "npm run build \u0026\u0026 tfx extension publish --manifest-globs vss-extension.json", "smoke": "npm run build \u0026\u0026 node scripts/smoke-test.js" }, - "version": "0.1.42" -} \ No newline at end of file + "version": "1.0.0" +} diff --git a/scripts/cli-contract-test.sh b/scripts/cli-contract-test.sh new file mode 100755 index 0000000..aa96c42 --- /dev/null +++ b/scripts/cli-contract-test.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +set -euo pipefail + +diffpal_bin="${DIFFPAL_BIN:?DIFFPAL_BIN is required}" +help="$($diffpal_bin review ado --help)" + +for flag in \ + --base \ + --head \ + --profile \ + --block-on \ + --gate \ + --feedback \ + --summary-overview \ + --out \ + --repo \ + --review-id \ + --language \ + --instructions \ + --instructions-file; do + if ! grep -Fq -- "$flag" <<<"$help"; then + echo "DiffPal CLI contract is missing $flag" >&2 + exit 1 + fi +done + +echo "DiffPal CLI v1 contract passed" diff --git a/scripts/smoke-test.js b/scripts/smoke-test.js index 1ed736a..7cfbd3c 100644 --- a/scripts/smoke-test.js +++ b/scripts/smoke-test.js @@ -155,8 +155,9 @@ function testDefaultPinnedVersionIsUsedWhenInputIsUnset() { PATH: `${fakeBin}${path.delimiter}${process.env.PATH || ""}` }); - assert(read(npmArgv).includes("@diffpal/diffpal@0.1.40"), "default install did not request the pinned DiffPal version"); - assert(read(diffpalArgv).includes("review\nado"), "default pinned version did not run diffpal review ado"); + assert(read(npmArgv).includes("@diffpal/diffpal@1"), "default install did not request CLI major 1"); + assert(read(npmArgv).includes("--ignore-scripts"), "default install did not disable npm lifecycle scripts"); + assert(read(diffpalArgv).includes("review\nado"), "default CLI v1 did not run diffpal review ado"); } function testDebugInputForwardsDebugFlag() { diff --git a/src/index.ts b/src/index.ts index b1babad..a8a85ad 100644 --- a/src/index.ts +++ b/src/index.ts @@ -25,7 +25,7 @@ type ReviewRange = { pullRequest: PullRequestContext; }; -const DEFAULT_DIFFPAL_VERSION = "0.1.40"; +const DEFAULT_DIFFPAL_VERSION = "1"; const TRANSIENT_REVIEW_EXIT_CODE = 3; const REVIEW_BLOCKED_EXIT_CODE = 10; @@ -429,6 +429,7 @@ async function installDiffPal(version: string): Promise { installRoot, packageSpec, "--omit=dev", + "--ignore-scripts", "--no-audit", "--no-fund" ]); diff --git a/vss-extension.dev.json b/vss-extension.dev.json index bdbe20f..be98a58 100644 --- a/vss-extension.dev.json +++ b/vss-extension.dev.json @@ -46,5 +46,5 @@ "id": "Microsoft.VisualStudio.Services" } ], - "version": "0.1.42" -} \ No newline at end of file + "version": "1.0.0" +} diff --git a/vss-extension.json b/vss-extension.json index fcf1552..76abb05 100644 --- a/vss-extension.json +++ b/vss-extension.json @@ -46,5 +46,5 @@ "id": "Microsoft.VisualStudio.Services" } ], - "version": "0.1.42" -} \ No newline at end of file + "version": "1.0.0" +} From e0c86719c6b541c16cc7927bda18f09df28e044c Mon Sep 17 00:00:00 2001 From: Alexey Samoylov Date: Fri, 10 Jul 2026 18:47:04 +0600 Subject: [PATCH 3/3] chore(security): harden extension supply chain Refs: dp-zsy.2 --- .github/CODEOWNERS | 5 +++++ .github/ISSUE_TEMPLATE/bug.yml | 24 ++++++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 5 +++++ .github/PULL_REQUEST_TEMPLATE.md | 9 +++++++++ .github/workflows/ci.yml | 8 ++++---- .github/workflows/release.yml | 12 ++++++------ SECURITY.md | 11 +++++++++++ 7 files changed, 64 insertions(+), 10 deletions(-) create mode 100644 .github/CODEOWNERS create mode 100644 .github/ISSUE_TEMPLATE/bug.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 SECURITY.md diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..90fb8f5 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,5 @@ +* @metalagman + +/.github/ @metalagman +/tasks/ @metalagman +/vss-extension.json @metalagman diff --git a/.github/ISSUE_TEMPLATE/bug.yml b/.github/ISSUE_TEMPLATE/bug.yml new file mode 100644 index 0000000..20402e7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug.yml @@ -0,0 +1,24 @@ +name: Bug report +description: Report a reproducible Azure DevOps extension defect +title: "bug: " +labels: [bug] +body: + - type: textarea + id: behavior + attributes: + label: Observed behavior + validations: + required: true + - type: textarea + id: reproduce + attributes: + label: Minimal pipeline and logs + description: Remove credentials and private source before posting. + validations: + required: true + - type: input + id: version + attributes: + label: Extension and task version + validations: + required: true diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000..e1d85f3 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: true +contact_links: + - name: Security report + url: https://github.com/diffpal/azure-devops/security/advisories/new + about: Report vulnerabilities privately. diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..a428e2b --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,9 @@ +## Summary + + + +## Validation + +- [ ] Task tests, packaging, and the staged CLI contract pass. +- [ ] Input, output, and compatibility changes are documented. +- [ ] Security and secret-handling impact has been considered. diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e48f2b5..49f028e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,9 +11,9 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 20 cache: npm @@ -28,13 +28,13 @@ jobs: run: npm run smoke - name: Check out DiffPal CLI contract - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: repository: diffpal/diffpal ref: develop path: .tmp/diffpal - - uses: actions/setup-go@v6 + - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6 with: go-version-file: .tmp/diffpal/go.mod diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f8ff1fe..6de1f09 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,9 +31,9 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 20 cache: npm @@ -78,7 +78,7 @@ jobs: npm run package:dev - name: Upload Azure DevOps extension artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: azure-devops-vsix path: | @@ -94,9 +94,9 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 20 cache: npm @@ -105,7 +105,7 @@ jobs: run: npm ci - name: Download Azure DevOps extension artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: azure-devops-vsix path: dist diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..da8ba0e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +Security fixes are provided for the latest released major version. + +Do not open a public issue for a suspected vulnerability. Report it through +[GitHub private vulnerability reporting](https://github.com/diffpal/azure-devops/security/advisories/new) +with reproduction steps and impact. We aim to acknowledge reports within three +business days and coordinate remediation and disclosure with the reporter. + +Issues in the DiffPal CLI itself should be reported to the +[core repository](https://github.com/diffpal/diffpal/security/advisories/new).