From 6d74c2467319b491ad695fb876c66a755f492892 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 30 Apr 2026 19:55:24 +0900 Subject: [PATCH 1/5] docs: clarify supply-chain warning triage --- .../bandscope-supply-chain-warning-remediation/SKILL.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md index cca21a68..bb5a46c3 100644 --- a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md +++ b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md @@ -1,6 +1,6 @@ --- name: bandscope-supply-chain-warning-remediation -description: Use when BandScope verification, CI, GitHub Actions, Dependabot, OSSF Scorecard, cargo audit, npm audit, CodeQL, security gates, or PR review emits warnings, deprecations, notices, or supply-chain failures. +description: Use when BandScope verification, CI, GitHub Actions, Dependabot, OSSF Scorecard, cargo audit, npm audit, CodeQL, Strix, security gates, or PR review emits warnings, deprecations, notices, or supply-chain failures. --- # BandScope Supply-Chain Warning Remediation @@ -19,8 +19,9 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Rust/Tauri: `cargo tree -i --manifest-path apps/desktop/src-tauri/Cargo.toml` - npm: `npm explain ` - Python: `uv tree --project services/analysis-engine --package ` + - Strix/security scans: link the finding ID, affected file/path, rule name, run URL, and current-head SHA 4. Add a failing regression guard first when repo code can prevent recurrence. -5. Fix the root cause. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first, then upgrade or pin to a maintained action version when the action is repo-owned or repo-selected. Do not use broad log filtering, generic quiet flags, or gate removal. 6. If no maintained fix exists, document the owner chain and create or link a follow-up issue with acceptance criteria and Security Notes. 7. Re-run the original warning command plus the smallest relevant policy/test command. 8. For PR review warnings, push the fix and re-check robot review/check evidence instead of dismissing the review. @@ -33,6 +34,8 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Direct dependency changes require lockfile updates and the dependency admission rationale defined in `docs/security/dependency-policy.md`. - For transitive Rust/Tauri vulnerabilities, prefer minimal lockfile updates. If blocked upstream, record the exact crate chain and patched-version status. - Treat `+deprecated` Cargo version metadata as a tracked dependency signal, not automatically as a compiler warning. +- GitHub/platform-owned action warnings, such as `github/dependabot-action@main`, are evidence to track with the run URL, action owner/ref, and follow-up owner; do not treat them as merge blockers when no repo-controlled fix exists. +- Strix findings, including issue #192 context, are actionable remediation signals, not blockers by name alone. Fix the finding, rebut it with file-level evidence, or split a follow-up issue with acceptance criteria and Security Notes. - Every supply-chain PR or issue update must include Security Notes. ## Verification Commands From 1b8ac363087b85d68b341dfa96cf17d495fde9ef Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 30 Apr 2026 20:29:37 +0900 Subject: [PATCH 2/5] docs: refine action warning ownership guidance --- .../bandscope-supply-chain-warning-remediation/SKILL.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md index bb5a46c3..fb75d9fd 100644 --- a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md +++ b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md @@ -21,7 +21,7 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Python: `uv tree --project services/analysis-engine --package ` - Strix/security scans: link the finding ID, affected file/path, rule name, run URL, and current-head SHA 4. Add a failing regression guard first when repo code can prevent recurrence. -5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first, then upgrade or pin to a maintained action version when the action is repo-owned or repo-selected. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned, update the action runtime or action code. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. 6. If no maintained fix exists, document the owner chain and create or link a follow-up issue with acceptance criteria and Security Notes. 7. Re-run the original warning command plus the smallest relevant policy/test command. 8. For PR review warnings, push the fix and re-check robot review/check evidence instead of dismissing the review. @@ -34,7 +34,7 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Direct dependency changes require lockfile updates and the dependency admission rationale defined in `docs/security/dependency-policy.md`. - For transitive Rust/Tauri vulnerabilities, prefer minimal lockfile updates. If blocked upstream, record the exact crate chain and patched-version status. - Treat `+deprecated` Cargo version metadata as a tracked dependency signal, not automatically as a compiler warning. -- GitHub/platform-owned action warnings, such as `github/dependabot-action@main`, are evidence to track with the run URL, action owner/ref, and follow-up owner; do not treat them as merge blockers when no repo-controlled fix exists. +- GitHub/platform-owned action warnings, such as `github/dependabot-action@`, are evidence to track with the run URL, action owner/ref, and follow-up owner; do not treat them as merge blockers when no repo-controlled fix exists. If a platform warning only reports an unpinned ref like `github/dependabot-action@main`, track it as an exception signal rather than an allowed default; repo-selected actions still follow the SHA pinning rule in `docs/security/dependency-policy.md`. - Strix findings, including issue #192 context, are actionable remediation signals, not blockers by name alone. Fix the finding, rebut it with file-level evidence, or split a follow-up issue with acceptance criteria and Security Notes. - Every supply-chain PR or issue update must include Security Notes. From 72e7f622bc940cf131c822a1226251dbb97d3bd0 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 30 Apr 2026 20:41:38 +0900 Subject: [PATCH 3/5] docs: clarify external warning exception handling --- .../bandscope-supply-chain-warning-remediation/SKILL.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md index fb75d9fd..d6577917 100644 --- a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md +++ b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md @@ -21,7 +21,7 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Python: `uv tree --project services/analysis-engine --package ` - Strix/security scans: link the finding ID, affected file/path, rule name, run URL, and current-head SHA 4. Add a failing regression guard first when repo code can prevent recurrence. -5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned, update the action runtime or action code. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned, meaning a local `.github/actions/` path or an action maintained in this repository or organization, update the action runtime or action code in the owned source. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. 6. If no maintained fix exists, document the owner chain and create or link a follow-up issue with acceptance criteria and Security Notes. 7. Re-run the original warning command plus the smallest relevant policy/test command. 8. For PR review warnings, push the fix and re-check robot review/check evidence instead of dismissing the review. @@ -34,8 +34,8 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Direct dependency changes require lockfile updates and the dependency admission rationale defined in `docs/security/dependency-policy.md`. - For transitive Rust/Tauri vulnerabilities, prefer minimal lockfile updates. If blocked upstream, record the exact crate chain and patched-version status. - Treat `+deprecated` Cargo version metadata as a tracked dependency signal, not automatically as a compiler warning. -- GitHub/platform-owned action warnings, such as `github/dependabot-action@`, are evidence to track with the run URL, action owner/ref, and follow-up owner; do not treat them as merge blockers when no repo-controlled fix exists. If a platform warning only reports an unpinned ref like `github/dependabot-action@main`, track it as an exception signal rather than an allowed default; repo-selected actions still follow the SHA pinning rule in `docs/security/dependency-policy.md`. -- Strix findings, including issue #192 context, are actionable remediation signals, not blockers by name alone. Fix the finding, rebut it with file-level evidence, or split a follow-up issue with acceptance criteria and Security Notes. +- GitHub/platform-owned action warnings, such as `github/dependabot-action@`, are evidence to track with the run URL, action owner/ref, and follow-up owner; do not treat them as merge blockers when no repo-controlled fix exists. If a platform warning only reports an unpinned ref like `github/dependabot-action@main`, track it as an exception signal rather than an allowed default. Repo-selected actions still follow the SHA pinning rule in `docs/security/dependency-policy.md`. +- Strix findings, including issue #192 context, are actionable remediation signals, but do not automatically block merges based only on a Strix label or tool name. Fix the finding, rebut it with file-level evidence, or split a follow-up issue with acceptance criteria and Security Notes. - Every supply-chain PR or issue update must include Security Notes. ## Verification Commands From 36c2080c3f07c99debc6d126fb5cabf61efd847f Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 30 Apr 2026 21:01:59 +0900 Subject: [PATCH 4/5] docs: separate local and external action refs --- .../skills/bandscope-supply-chain-warning-remediation/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md index d6577917..476c037c 100644 --- a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md +++ b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md @@ -21,7 +21,7 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Python: `uv tree --project services/analysis-engine --package ` - Strix/security scans: link the finding ID, affected file/path, rule name, run URL, and current-head SHA 4. Add a failing regression guard first when repo code can prevent recurrence. -5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the action is repo-owned, meaning a local `.github/actions/` path or an action maintained in this repository or organization, update the action runtime or action code in the owned source. If the action is repo-selected external code, upgrade to a maintained action ref and pin it to a specific commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the workflow uses a local action path such as `./.github/actions/...` or another `./` path, update the local action runtime or action code in place. If the workflow uses any non-local `owner/repo@ref` action, including actions maintained by this organization, upgrade it to a maintained ref and pin it to an immutable commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. 6. If no maintained fix exists, document the owner chain and create or link a follow-up issue with acceptance criteria and Security Notes. 7. Re-run the original warning command plus the smallest relevant policy/test command. 8. For PR review warnings, push the fix and re-check robot review/check evidence instead of dismissing the review. From a3bff8b110070179f478433bdf97def539c0af60 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 30 Apr 2026 21:15:09 +0900 Subject: [PATCH 5/5] docs: define maintained action refs --- .../skills/bandscope-supply-chain-warning-remediation/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md index 476c037c..6cd9cefc 100644 --- a/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md +++ b/docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md @@ -21,7 +21,7 @@ Treat every supply-chain warning as evidence to classify, fix, or track. The goa - Python: `uv tree --project services/analysis-engine --package ` - Strix/security scans: link the finding ID, affected file/path, rule name, run URL, and current-head SHA 4. Add a failing regression guard first when repo code can prevent recurrence. -5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the workflow uses a local action path such as `./.github/actions/...` or another `./` path, update the local action runtime or action code in place. If the workflow uses any non-local `owner/repo@ref` action, including actions maintained by this organization, upgrade it to a maintained ref and pin it to an immutable commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. +5. Fix the root cause. For GitHub Actions Node.js runtime deprecation warnings, trace the exact action owner/ref first. If the workflow uses a local action path such as `./.github/actions/...` or another `./` path, update the local action runtime or action code in place. If the workflow uses any non-local `owner/repo@ref` action, including actions maintained by this organization, upgrade it to a maintained ref that is actively released, receives security patches, and supports the required Node.js runtime, then pin it to an immutable commit SHA. Do not use broad log filtering, generic quiet flags, or gate removal. 6. If no maintained fix exists, document the owner chain and create or link a follow-up issue with acceptance criteria and Security Notes. 7. Re-run the original warning command plus the smallest relevant policy/test command. 8. For PR review warnings, push the fix and re-check robot review/check evidence instead of dismissing the review.