
fix: enforce OSSF Scorecard publish constraints #190

Merged: seonghobae merged 2 commits into develop from stepwise/pr185-postmerge on Apr 30, 2026

Conversation

@seonghobae (Owner)
Summary

  • Remove the shell diagnostic run: step from the OSSF Scorecard publishing job so GitHub can publish Scorecard results on the default branch.
  • Add supply-chain regression checks that reject run: steps in any OSSF Scorecard job using publish_results.
  • Add a BandScope-specific remediation skill for future supply-chain warning and CI failure triage.

Verification

  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -k "ossf_publish or any_workflow"
  • python3 scripts/checks/verify_supply_chain.py
  • python3 scripts/checks/security_gates.py
  • npm run lint --workspaces --if-present
  • npm run test --workspaces --if-present
  • npm audit --workspaces --audit-level=high
  • uv run mypy src from services/analysis-engine
  • BANDSCOPE_ENABLE_RUST_CHECK=1 ./scripts/harness/quickcheck.sh

Security Notes

  • Trust boundary: GitHub Actions workflow content remains repository-controlled and all actions touched here stay pinned by immutable SHA.
  • Untrusted inputs: no new runtime, network, file, subprocess, IPC, or WebView inputs are introduced.
  • Gate impact: OSSF Scorecard, SARIF upload, artifact retention, SBOM, dependency review, CodeQL, Trivy, Bandit, secret-scan, Windows build, and macOS build gates are preserved.
  • Safe failure: verify_supply_chain.py now fails closed if any workflow contains an OSSF Scorecard publishing job with shell run: steps.
  • Privacy/logging: no new logs or telemetry are added.
  • Test points: regression tests cover canonical and moved-workflow Scorecard publishing jobs.

Closes #187.
Part of #189.
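The publishing constraint the summary describes (no `run:` steps in a Scorecard job that sets `publish_results`), as an added example of a fail-closed check over a parsed workflow; this is not the repository's verify_supply_chain.py, and the function name, the constructed sample workflow and the `<sha>` placeholders are assumptions.

```python
from __future__ import annotations

SCORECARD_ACTION = "ossf/scorecard-action"


def _publishes_scorecard(step: dict) -> bool:
    """True for a `uses: ossf/scorecard-action@<ref>` step whose publish_results is enabled."""
    if not str(step.get("uses", "")).startswith(SCORECARD_ACTION):
        return False
    publish = (step.get("with") or {}).get("publish_results", False)
    # YAML loaders may yield a bool or the string "true"; accept both spellings.
    return publish is True or str(publish).strip().lower() == "true"


def ossf_scorecard_publish_restriction_violations(workflow: dict, path: str = "<workflow>") -> list[str]:
    """Return one message per `run:` step inside a job that publishes Scorecard results.

    `workflow` is one parsed GitHub Actions workflow (e.g. the dict from yaml.safe_load()).
    An empty list means the constraint holds; any entry should fail the supply-chain gate.
    """
    violations: list[str] = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        steps = [s for s in ((job or {}).get("steps") or []) if isinstance(s, dict)]
        if not any(_publishes_scorecard(s) for s in steps):
            continue  # not a publishing Scorecard job: shell steps are allowed here
        for idx, step in enumerate(steps):
            if "run" in step:
                label = step.get("name") or f"step #{idx}"
                violations.append(
                    f"{path}: job '{job_name}' publishes Scorecard results but contains "
                    f"a run: step ({label}); publishing jobs may contain only uses: steps"
                )
    return violations


# Constructed sample modelled on a typical Scorecard workflow, NOT the repository's file;
# "<sha>" stands in for the pinned commit SHA a real workflow would carry.
SAMPLE_WORKFLOW = {
    "jobs": {
        "analysis": {
            "steps": [
                {"name": "Skip OSSF Scorecard on non-default branch", "run": "echo skip"},
                {"uses": "actions/checkout@<sha>", "with": {"persist-credentials": False}},
                {"uses": "ossf/scorecard-action@<sha>",
                 "with": {"results_file": "results.sarif", "publish_results": True}},
                {"uses": "github/codeql-action/upload-sarif@<sha>"},
            ]
        },
        # An unrelated job keeps its run: step; only publishing Scorecard jobs are constrained.
        "lint": {"steps": [{"run": "npm run lint --workspaces --if-present"}]},
    }
}
```

Removing the first step of the `analysis` job, which is what this PR does to the real workflow, makes the check return an empty list.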

coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between c586f82 and 574338a.

📒 Files selected for processing (4)
  • .github/workflows/ossf-scorecard.yml
  • docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md
  • scripts/checks/verify_supply_chain.py
  • services/analysis-engine/tests/test_supply_chain_policy.py
💤 Files with no reviewable changes (1)
  • .github/workflows/ossf-scorecard.yml

Walkthrough

Summary by CodeRabbit

Release Notes

  • Documentation

    • Added a new response and remediation guide for supply-chain warnings and failures
  • Tests

    • Added test cases for the OSSF Scorecard publishing restriction and strengthened supply-chain policy verification
  • Chores

    • Workflow cleanup and improved supply-chain verification checks

Overview

Resolves the workflow publishing constraint by removing the run: step from the OSSF Scorecard publishing job. Verification logic, tests, and documentation are added to prevent regression.

Changes

Change | File(s) | Summary
Workflow fix | .github/workflows/ossf-scorecard.yml | Removes the "Skip OSSF Scorecard on non-default branch" shell step from the OSSF Scorecard publishing job. The publishing job must contain only uses steps.
Verification function added | scripts/checks/verify_supply_chain.py | Adds a new verification function ossf_scorecard_publish_restriction_violations() that detects run: steps in OSSF Scorecard publishing jobs and integrates it into verify_workflow_coverage().
Tests added | services/analysis-engine/tests/test_supply_chain_policy.py | Adds three new test cases validating Scorecard publishing job constraints, plus an acceptance test against the actual repository.
Documentation added | docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md | Adds a new skill document describing supply-chain warning handling, BandScope preservation rules, Scorecard publishing job constraints, and verification procedures.

Estimated code review effort

🎯 3 (Medium) | ⏱️ ~20 minutes

Suggested labels

codex, aardvark

🐰 Tidy up the publish step,
close the security gate once more,
raise the verification shield,
and the supply chain is at peace.
Regression prevention complete! 🛡️

Pre-merge checks: 5 passed

Check name | Status | Explanation
Title check | ✅ Passed | The title 'fix: enforce OSSF Scorecard publish constraints' clearly summarizes the main changes: fixing the OSSF Scorecard publishing issue and adding enforcement checks.
Description check | ✅ Passed | The description is well-related to the changeset, clearly explaining the removal of the shell step, the addition of regression checks, and the new remediation skill document.
Linked Issues check | ✅ Passed | The PR fully addresses issue #187 requirements: removes the non-uses shell step from the OSSF Scorecard publishing job [.github/workflows/ossf-scorecard.yml], adds regression checks via ossf_scorecard_publish_restriction_violations [scripts/checks/verify_supply_chain.py], adds comprehensive tests [services/analysis-engine/tests/test_supply_chain_policy.py], and includes remediation skill documentation [docs/agents/skills/bandscope-supply-chain-warning-remediation/SKILL.md].
Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the linked issue #187: workflow file modifications, supply-chain verification checks, tests for those checks, and supporting documentation. No unrelated modifications detected.
Docstring Coverage | ✅ Passed | Docstring coverage is 88.89%, which is sufficient. The required threshold is 80.00%.





Successfully merging this pull request may close these issues.

[Bug] Fix OSSF Scorecard publish failure after PR #185 merge
