Scorecard-fixes - Security hardening, CI cleanup, FDC3 2.2 package consolidation, and example apps workspace (#272)

* OSPS-Baseline (#5)

* Update README.md to enhance badge display and improve alignment

- Replaced HTML paragraph tags with a div for better alignment of badges.
- Updated badge links to reflect the correct project and added a Semgrep badge for CI integration.

* Update README.md to improve badge organization and add new badges

- Corrected the closing tag for the main header.
- Added new badges for GitHub Release, Repo stars, CI, and Node.js CVE scanning.
- Enhanced the layout with divs for better alignment and readability.

* Add OSPS Security Assessment workflow

- Introduced a new GitHub Actions workflow for Open Source Project Security Assessment (OSPS).
- Configured to run weekly on Mondays at 9 AM UTC and allows manual triggering.
- Includes steps for checking out the repository, running the OSPS baseline scanner, and uploading assessment results as artifacts with a retention period of 30 days.

* Update OSPS workflow to use the latest version of the baseline scanner action (v1.3.2) for improved security assessment capabilities.

* Osps baseline (#6)

* Update README.md to enhance badge display and improve alignment

- Replaced HTML paragraph tags with a div for better alignment of badges.
- Updated badge links to reflect the correct project and added a Semgrep badge for CI integration.

* Update README.md to improve badge organization and add new badges

- Corrected the closing tag for the main header.
- Added new badges for GitHub Release, Repo stars, CI, and Node.js CVE scanning.
- Enhanced the layout with divs for better alignment and readability.

* Add OSPS Security Assessment workflow

- Introduced a new GitHub Actions workflow for Open Source Project Security Assessment (OSPS).
- Configured to run weekly on Mondays at 9 AM UTC and allows manual triggering.
- Includes steps for checking out the repository, running the OSPS baseline scanner, and uploading assessment results as artifacts with a retention period of 30 days.

* Update OSPS workflow to use the latest version of the baseline scanner action (v1.3.2) for improved security assessment capabilities.

* Update OSPS workflow to use specific versions of actions for improved stability and compatibility. Changed checkout action to v6.0.0 and upload-artifact action to v7.0.0.

* Change OSPS action to use v1.0.0

Updated OSPS action version from a specific commit to a tagged version.

* Update OSPS action version in workflow

* Update OSPS action version in workflow

* Update OSPS action to use new repository

* Update OSPS action version in workflow

* Update OSPS action to use 'fixes' tag

* Update OSPS action version in workflow

* Update OSPS action version in workflow

* Update OSPS action version in workflow

* Update OSPS.yml

* Update OSPS action version in workflow

* Update OSPS action to use sarif-fix version

* Update OSPS workflow for version changes and formatting

* Update checkout action version to v6

* Update OSPS workflow to use latest action versions

* Update OSPS action version to 1.2.0

* Update OSPS action version to 1.3.2

* Downgrade OSPS action version from v1.3.2 to v1.3.1

* Downgrade OSPS action version to v1.3.0

* Update OSPS.yml

* Downgrade OSPS action version to v1.1.0

* Update OSPS action to use seewhatson version

* Enable building OSPS scanner from source

* Update OSPS scanner source reference to v0.17.0

* Update scanner-source-ref to version 0.20.0

* Update scanner-source-ref to v0.22.1

* Update scanner-source-ref to version 0.22.0

* Update scanner-source-ref to v0.21.0

* Update scanner-source-ref to v0.21.1

* Update scanner-source-ref to version 0.22.1

* Update OSPS workflow catalog and upload settings

* Update OSPS action to use new repository version

* Comment out scanner-build-from-source in OSPS.yml

Comment out the scanner-build-from-source option in OSPS workflow.

* Change upload-sarif value to string in OSPS.yml

* Update catalog name in OSPS workflow

* Update catalog name in OSPS workflow

* Update GitHub Actions to use latest versions

* Refactor OSPS workflow for clarity and consistency

* Update OSPS workflow to use specific action versions and modify catalog name (#7)

- Changed `actions/checkout` to a specific commit version for stability.
- Updated `osps-baseline-action` to a specific commit version for consistency.
- Modified the catalog name from "osps-baseline-2026-02" to "osps-baseline" for clarity.
- Updated `actions/upload-artifact` to a specific commit version for reliability.

* Update GitHub workflows to enhance permissions and improve security practices

- Added permissions for `contents`, `actions`, and `security-events` in multiple workflow files to ensure proper access levels.
- Updated `ci.yml`, `cve-scanning.yml`, `OSPS.yml`, `ql.yml`, and `semgrep.yml` to reflect these changes, promoting better security and functionality across workflows.

* Update GitHub workflows to pin specific action versions for stability and consistency

- Changed `actions/checkout` to a specific commit version across multiple workflow files for improved reliability.
- Updated `actions/setup-node`, `actions/setup-python`, and `github/codeql-action` to specific commit versions to ensure compatibility and enhance security practices.
- These updates aim to standardize the workflow configurations and reduce potential issues with action updates.

* Add lint-staged configuration and update pre-commit hook for improved code quality checks

- Introduced a new `lint-staged.config.mjs` file to define formatting and linting rules for various file types.
- Updated `package.json` to include `vitest` as a dependency.
- Modified the pre-commit hook to run `lint-staged` with the `--concurrent false` option for better performance during commits.

* Update package dependencies and enhance CI configuration with fuzzy testing

- Added `vitest` as a dependency in `package.json` and `package-lock.json` for testing purposes.
- Updated CI workflow to include a new job for running property tests on the common package.
- Introduced a `test` script in the common package's `package.json` to facilitate testing with `vitest`.
- Created a new configuration file for `vitest` to define testing environment and include test files.
- Implemented a new utility function `normalizeIdentityUrl` and corresponding tests to ensure proper URL normalization.

* Refactor CI workflow to simplify test execution

- Changed the job name from "Property tests (common)" to "Test" for clarity.
- Updated the test command to run all tests instead of targeting a specific package, streamlining the testing process.

* Update package-lock.json to reflect dependency upgrades and removals

- Upgraded `brace-expansion` to version 2.1.0 across multiple modules.
- Updated `picomatch` to version 4.0.4 in relevant modules.
- Upgraded `minimatch` to version 9.0.9 in the TypeScript ESLint module.
- Updated `axios` to version 1.15.2 and its dependencies for improved functionality.
- Upgraded `basic-ftp` to version 5.3.0.
- Updated `body-parser` to version 1.20.5 and its dependencies for better performance.
- Removed outdated `minimatch` entries from the lock file to streamline dependencies.

These changes enhance the project's dependency management and ensure compatibility with the latest versions.

* Update GitHub workflows for consistency and formatting

- Ensured consistent formatting in the cve-scanning.yml file by removing an unnecessary space in the setup-node action version.
- Added a newline at the end of the OSPS.yml file to adhere to best practices for file formatting.

These changes improve the readability and maintainability of the workflow files.

* Enhance README with meeting details for FDC3 Sail

- Added links for joining and registering for FDC3 Sail meetings to improve accessibility for participants.
- Updated formatting for clarity and consistency in the meeting section.

These changes aim to facilitate community engagement and streamline meeting participation.

Author: SeeWhatsOn

.github/workflows/OSPS.yml

@@ -5,13 +5,20 @@ on:
     - cron: "0 9 * * 1" # Weekly on Mondays at 9 AM UTC
   workflow_dispatch: # Allow manual triggering
 
+# Default: least privilege. This job adds only the write scopes its steps need.
+permissions:
+  contents: read
+
 jobs:
   osps-assessment:
     runs-on: ubuntu-latest
 
     permissions:
       contents: read
-      security-events: write # Required for SARIF upload
+      # code-scanning / Advanced Security SARIF upload (osps-baseline-action upload-sarif)
+      security-events: write
+      # actions/upload-artifact
+      actions: write
 
     steps:
       - name: Checkout repository
@@ -32,4 +39,4 @@ jobs:
         with:
           name: osps-assessment-results-${{ github.run_number }}
           path: evaluation_results/
-          retention-days: 30
+          retention-days: 30

.github/workflows/ci.yml

@@ -16,9 +16,13 @@ defaults:
 jobs:
   lint-format-build:
     runs-on: ubuntu-latest
+    # setup-node cache: npm persists/restores npm cache via the Actions cache API
+    permissions:
+      contents: read
+      actions: write
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6.4.0
         with:
           node-version: 24
           cache: npm
@@ -34,3 +38,6 @@ jobs:
 
       - name: Build
         run: npm run build
+
+      - name: Test
+        run: npm run test

.github/workflows/cve-scanning.yml

@@ -16,16 +16,23 @@ on:
     # Run every day at 5am and 5pm
     - cron: "0 5,17 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     runs-on: ubuntu-latest
+    # setup-node cache: npm needs Actions cache write (and read via the same token scope)
+    permissions:
+      contents: read
+      actions: write
     strategy:
       matrix:
         node-version: [24.x]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e #v6.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: npm

.github/workflows/dependency-review.yml

@@ -19,5 +19,5 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/dependency-review-action@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 #4.9.0

.github/workflows/ql.yml

@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: "15 6 * * 6"
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -57,7 +60,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +70,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 #v4.35.2
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -79,6 +82,6 @@ jobs:
           queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 #v4.35.2
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/semgrep.yml

@@ -10,22 +10,25 @@ on:
       - main
 
 permissions:
-  security-events: write
   contents: read
   actions: read
 
 jobs:
   semgrep:
     name: semgrep/ci
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
     # Do not use a job-level container: semgrep/semgrep has no Node.js, so
     # github/codeql-action/upload-sarif runs on the host and cannot see files
     # written only inside the container workspace (semgrep.sarif "missing").
     if: github.actor != 'dependabot[bot]'
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.12"
       - name: Install Semgrep
@@ -51,7 +54,7 @@ jobs:
           fi
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 #v4.35.2
         if: |
           steps.sarif.outputs.ok == 'true' &&
           (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)

.husky/pre-commit

@@ -1 +1,2 @@
-npx lint-staged
+#!/usr/bin/env sh
+npx lint-staged --concurrent false

README.md

@@ -164,9 +164,11 @@ FDC3 is an open standard and there are other desktop agents available. You can f
 FDC3 Sail holds regular project meetings to discuss development progress, roadmap, and community contributions.
 
 **Join Meeting:**
+
 - [Join FDC3 Sail Meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95252800112?password=90638454-991c-4ab0-8aed-791fc372623c)
 
 **Register for Meeting Series:**
+
 - [Register for FDC3 Sail Meetings (add to calendar)](https://zoom-lfx.platform.linuxfoundation.org/meeting/95252800112?password=90638454-991c-4ab0-8aed-791fc372623c&invite=true)
 
 Meeting agendas and minutes are tracked through GitHub issues with the `meeting` label.

lint-staged.config.mjs

@@ -0,0 +1,6 @@
+/** @type {import("lint-staged").Configuration} */
+export default {
+  "**/*.{ts,tsx,js,jsx,mjs,cjs,json,md,mdx,yml,yaml,css,scss,html}":
+    "prettier --write",
+  "packages/*/src/**/*.{ts,tsx}": "eslint --fix --max-warnings=0",
+}