fix(security): codeql v4, SLSA provenance attestation, remove admin bypass

[docdyhr]

Summary

Three Scorecard issues fixed in one pass:

• CodeQL deprecation warning — scorecard.yml was the only workflow still on codeql-action v3 SHA. Updated to the v4 SHA already used everywhere else in security.yml.

• Signed-Releases (0/10) — release-consolidated.yml build-release job now calls actions/attest-build-provenance@v4.1.0 immediately after packaging each platform binary, generating SLSA provenance attestations stored in the GitHub Attestations API. Scorecard will detect these on the next release.

• Branch-Protection "apply to administrators" (8→9/10) — merge-own-pr.sh extended to also relax/restore the Protect main ruleset (id 15969824) alongside the legacy branch-protection API. The strict-restore payload sets bypass_actors: [], so after this PR is merged the admin bypass actor is permanently removed from the ruleset, and Scorecard will no longer see 'branch protection settings apply to administrators' is disabled.

What won't change

• Code-Review (0/10) — solo project; will naturally improve as Dependabot PRs accumulate approved changesets.
• CII-Best-Practices (2/10) — badge registration is a manual step on bestpractices.coreinfrastructure.org.
• Branch-Protection required_approving_review_count — stays at 1; a solo project cannot require 2 reviewers without locking itself out.

🤖 Generated with Claude Code

Summary by Sourcery

Tighten repository security and supply-chain protections by updating security workflows, adding build provenance attestations, and ensuring branch protection rules fully apply to administrators.

New Features:

• Generate SLSA build provenance attestations for release artifacts using GitHub's attest-build-provenance action.

Enhancements:

• Update Scorecard workflow to use the latest v4 CodeQL SARIF upload action for code scanning.
• Extend the merge-own-pr helper script to relax and then strictly restore both legacy branch protection and the main branch ruleset with no admin bypass.

[sourcery-ai]

Reviewer's Guide

Updates security-related automation: aligns Scorecard CodeQL upload to v4, adds SLSA build-provenance attestations to release builds, and extends the merge helper script to temporarily relax and then strictly restore both legacy branch protection and the main-branch ruleset (removing admin bypass).

Sequence diagram for updated merge-own-pr.sh branch protection handling

sequenceDiagram
  actor Owner
  participant merge_own_pr_sh as merge-own-pr.sh
  participant GitHub_API

  Owner->>merge_own_pr_sh: ./merge-own-pr.sh PR_NUMBER
  activate merge_own_pr_sh

  merge_own_pr_sh->>GitHub_API: PUT repos/docdyhr/batless/branches/main/protection (RELAXED_BP)
  merge_own_pr_sh->>GitHub_API: PUT repos/docdyhr/batless/rulesets/15969824 (RELAXED_RULESET)

  merge_own_pr_sh->>GitHub_API: PUT repos/docdyhr/batless/pulls/PR_NUMBER/merge (merge_method=squash)

  merge_own_pr_sh->>GitHub_API: PUT repos/docdyhr/batless/branches/main/protection (STRICT_BP)
  merge_own_pr_sh->>GitHub_API: PUT repos/docdyhr/batless/rulesets/15969824 (STRICT_RULESET, bypass_actors=[])

  deactivate merge_own_pr_sh

Loading

File-Level Changes

Change	Details	Files
Extend merge helper script to manage both legacy branch protection and the main-branch ruleset with no admin bypass after restore.	Add RULESET_ID constant and new STRICT_RULESET/RELAXED_RULESET JSON payloads describing the "Protect main" repository ruleset. Update restore() to PUT both the legacy branch-protection settings and the strict ruleset (with bypass_actors empty) via gh api. Update the relax phase to also PUT the relaxed ruleset via gh api before merging, and adjust script documentation/comments accordingly.	.github/scripts/merge-own-pr.sh
Emit SLSA provenance attestations for release artifacts in the consolidated release workflow.	Grant attestations: write, id-token: write, and contents: read permissions on the Build job. After packaging the binary, call actions/attest-build-provenance@v4.1.0 with subject-path matching the built artifact. Keep the existing upload-artifact step to publish the built archives as before.	.github/workflows/release-consolidated.yml
Align Scorecard CodeQL upload step to codeql-action v4 to remove deprecation warnings.	Update github/codeql-action/upload-sarif reference from a v3 commit SHA to the v4 commit SHA already used elsewhere. Retain existing inputs (sarif_file, category) so behavior stays the same aside from the version bump.	.github/workflows/scorecard.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• The ruleset payloads in merge-own-pr.sh duplicate most fields between STRICT_RULESET and RELAXED_RULESET; consider factoring out shared structure or generating them from a single template to reduce drift when the ruleset needs to change.
• Both REPO and RULESET_ID are hard-coded in merge-own-pr.sh; adding a short comment on how to obtain/update the ruleset ID (or parameterizing these via environment variables) would make the script easier to maintain if the repo or ruleset changes.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The ruleset payloads in `merge-own-pr.sh` duplicate most fields between `STRICT_RULESET` and `RELAXED_RULESET`; consider factoring out shared structure or generating them from a single template to reduce drift when the ruleset needs to change.
- Both `REPO` and `RULESET_ID` are hard-coded in `merge-own-pr.sh`; adding a short comment on how to obtain/update the ruleset ID (or parameterizing these via environment variables) would make the script easier to maintain if the repo or ruleset changes.

## Individual Comments

### Comment 1
<location path=".github/scripts/merge-own-pr.sh" line_range="101" />
<code_context>
     echo "Restoring branch protection..."
     echo "$STRICT_BP" | gh api --method PUT "repos/$REPO/branches/main/protection" --input - > /dev/null
-    echo "Branch protection restored (1 required review)."
+    echo "$STRICT_RULESET" | gh api --method PUT "repos/$REPO/rulesets/$RULESET_ID" --input - > /dev/null
+    echo "Branch protection restored (1 required review, no admin bypass)."
 }
</code_context>
<issue_to_address>
**issue (bug_risk):** Restoring strict settings overwrites the entire ruleset JSON, which may drop unrelated future changes

Because this uses `PUT` with the full JSON body, it will overwrite the entire ruleset. Any future changes made in the GitHub UI or via other tools (new rules, conditions, `bypass_actors`, etc.) would be removed when this script runs. To avoid that, either fetch the current ruleset and apply a minimal patch (only toggling the needed settings) or treat this script as the sole owner of that ruleset and document that it shouldn’t be edited elsewhere.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

issue (bug_risk): Restoring strict settings overwrites the entire ruleset JSON, which may drop unrelated future changes

Because this uses PUT with the full JSON body, it will overwrite the entire ruleset. Any future changes made in the GitHub UI or via other tools (new rules, conditions, bypass_actors, etc.) would be removed when this script runs. To avoid that, either fetch the current ruleset and apply a minimal patch (only toggling the needed settings) or treat this script as the sole owner of that ruleset and document that it shouldn’t be edited elsewhere.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

This PR strengthens repository security and supply-chain posture by updating CodeQL SARIF upload to CodeQL Action v4, adding SLSA provenance attestations for release artifacts, and tightening branch protection by removing admin bypass from the main branch ruleset restore flow.

Changes:

• Update Scorecard workflow to use github/codeql-action/upload-sarif v4 (pinned SHA) to address CodeQL deprecation warnings.
• Add actions/attest-build-provenance to the release build matrix to generate SLSA provenance attestations for packaged binaries.
• Extend merge-own-pr.sh to relax/restore both legacy branch protection and the “Protect main” ruleset, restoring with bypass_actors: [] to remove admin bypass.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/scorecard.yml	Bumps SARIF upload action to CodeQL Action v4 (pinned SHA).
.github/workflows/release-consolidated.yml	Adds job permissions and build provenance attestation for release artifacts.
.github/scripts/merge-own-pr.sh	Adds ruleset relax/restore alongside legacy protection; aims to eliminate admin bypass on restore.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 293afed12a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Publish provenance as a release asset

If the goal is to fix the Scorecard Signed-Releases result, this only uploads the provenance to GitHub's Attestations API and never attaches a signature/provenance file to the GitHub release. Scorecard's Signed-Releases check looks for signature/provenance filenames in the release assets (for example *.intoto.jsonl, *.sigstore.json, *.asc), while the later release step still uploads only batless-*/batless-*, so the next release will still have no asset that the check can count.

Useful? React with 👍 / 👎.