
Add publish-to-ghazdo verb and finalize the v5.0.3 release#2976

Merged
michaelcfanning merged 4 commits into dev from ai-publish-to-ghazdo on Jun 6, 2026

Conversation

@michaelcfanning (Member)

Summary

Adds a publish-to-ghazdo verb that uploads a finalized SARIF to GitHub Advanced Security for Azure DevOps, and finalizes the v5.0.3 release (this is the last change for the v5.0.3 cut).

The verb

sarif publish-to-ghazdo <sarif> [--token-env-var GHAZDO_TOKEN] [--api-version 7.2-preview.1] [--dry-run]

  • Target derivation. The dev.azure.com org / project / repo are derived from run.versionControlProvenance through the existing VcpPortableRoot classifier, inheriting its host and credential guards (dev.azure.com only; embedded credentials rejected; org/project/repo segments validated). Publishing to a non-Azure-DevOps repository fails closed.
  • Auth. The bearer secret lives only in the environment variable named by --token-env-var — never on argv. An Entra access token is detected as a JWT and sent as Bearer; an opaque PAT is sent as Basic with an empty user name. Detection fails safe to Basic so an opaque secret is never sent as a raw Bearer token.
  • Wire shape (matches the proven ingestion path): gzip body, application/octet-stream, no Content-Encoding header (the server gunzips manually), POST to advsec.dev.azure.com with fallback to dev.azure.com on a 404.

Security model

  • Fails closed on every refusal path; no network is contacted on any rejection or in --dry-run.
  • Rejects a --token-env-var that is not a valid environment-variable name, so a secret mistakenly passed in its place is caught up front — and the supplied value is never echoed. The variable name itself is never printed.
  • Redacts the secret and its Basic-encoded form from the server's diagnostic body and from any exception text.
  • Treats only a 2xx response as success (a 3xx is no longer reported as published) and disables HTTP auto-redirect on the default handler so the SARIF body is never resent to a redirect target.

A third embedded agent skill — publish-to-ghazdo — is served by get-skill with its links commit-pinned, alongside emit-sarif-findings and validate-sarif-findings.

v5.0.3 finalize

  • src/build.props: VersionPrefix 5.0.2 → 5.0.3, PreviousVersionPrefix 5.0.1 → 5.0.2.
  • ReleaseHistory.md: stamp the v5.0.3 header with NuGet links for Sdk / Driver / Converters / Multitool / Multitool Library (UNRELEASED → shipped).
  • skills/emit-sarif-findings/SKILL.md: raise the recommended Sarif.Multitool minimum to 5.0.3.

Tests

21 publish-to-ghazdo [Fact]s through an injected HttpMessageHandler (no network): scheme detection and fail-safe edges, dev.azure.com-only targeting, gzip/octet-stream/no-Content-Encoding framing, 404 host fallback, 2xx-only success, embedded-credential and missing-VCP rejection, and secret-never-leaks (response-body reflection, exception message, env-var-name echo). Full Multitool.Library suite 373 pass / 1 skip; Release + EnforceCodeStyleInBuild clean (library + app).

Add a publish-to-ghazdo verb that uploads a finalized SARIF to GitHub
Advanced Security for Azure DevOps. The dev.azure.com target (org / project /
repo) is derived from the run's versionControlProvenance through the existing
VcpPortableRoot host and credential guards; the bearer secret is read only
from the environment variable named by --token-env-var and never appears on
argv. An Entra access token is detected as a JWT and sent as Bearer; an opaque
PAT is sent as Basic with an empty user name. The body is gzip-compressed and
posted as application/octet-stream with no Content-Encoding header; the upload
targets advsec.dev.azure.com and falls back to dev.azure.com on a 404.

Security hardening: the verb fails closed on every refusal path, rejects a
--token-env-var that is not a valid environment-variable name (so a secret
mistakenly passed in its place is never echoed), never prints the variable
name, redacts the secret and its Basic-encoded form from the server's
diagnostic body and from any exception text, treats only a 2xx response as
success, and disables HTTP auto-redirect on the default handler. A third
embedded agent skill, publish-to-ghazdo, is served by get-skill.

Finalize v5.0.3: bump src/build.props VersionPrefix to 5.0.3 (PreviousVersion
to 5.0.2), stamp the ReleaseHistory v5.0.3 header with NuGet links, and raise
the emit-sarif-findings skill's recommended Sarif.Multitool minimum to 5.0.3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
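An added example, in C# because that is the project's language, of the token handling, redaction and wire framing described in the Auth, Wire shape and Security model bullets above. This is not the sarif-sdk's own PublishToGhazdo code: the class names TokenSource, GhazdoUploader and FakeHandler, the upload path, and the server body that reflects the Authorization parameter are all hypothetical, it assumes .NET 6 or later, and it takes org/project/repo as already derived (the VcpPortableRoot classifier is not reproduced).

```csharp
// Added example, not the sarif-sdk's PublishToGhazdo verb. Names, path and
// server behaviour are hypothetical; org/project/repo are assumed pre-derived.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;

static class TokenSource
{
    // Only a plausible env-var name is accepted, so a secret pasted in its place is
    // refused up front; the supplied value is deliberately absent from the message.
    static readonly Regex EnvVarName = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");

    public static string ReadSecret(string envVarName)
    {
        if (envVarName == null || !EnvVarName.IsMatch(envVarName))
            throw new ArgumentException("--token-env-var must be an environment-variable name.");
        string secret = Environment.GetEnvironmentVariable(envVarName);
        if (string.IsNullOrEmpty(secret))
            throw new InvalidOperationException("The token environment variable is not set.");
        return secret;
    }

    // JWT (Entra access token) -> Bearer; anything else -> Basic with empty user name.
    // Detection fails safe: an unrecognised secret is never sent as a raw Bearer token.
    public static AuthenticationHeaderValue HeaderFor(string secret) =>
        LooksLikeJwt(secret) ? new AuthenticationHeaderValue("Bearer", secret)
                             : new AuthenticationHeaderValue("Basic", BasicEncode(secret));

    public static bool LooksLikeJwt(string s)
    {
        string[] parts = s.Split('.');
        if (parts.Length != 3) return false;
        try
        {
            string header = Encoding.UTF8.GetString(Base64UrlDecode(parts[0]));
            return header.TrimStart().StartsWith("{") && header.Contains("\"alg\"");
        }
        catch (FormatException) { return false; }
    }

    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        if (b64.Length % 4 == 1) throw new FormatException();
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    public static string BasicEncode(string pat) => Convert.ToBase64String(Encoding.UTF8.GetBytes(":" + pat));

    // Scrub the raw secret and its Basic form from server bodies and exception text.
    public static string Redact(string text, string secret) =>
        string.IsNullOrEmpty(text) ? text : text.Replace(secret, "[REDACTED]").Replace(BasicEncode(secret), "[REDACTED]");
}

sealed class GhazdoUploader
{
    readonly HttpClient client;

    // Default handler with auto-redirect off: a 3xx never resends body and credentials to Location.
    public static HttpMessageHandler DefaultHandler() => new HttpClientHandler { AllowAutoRedirect = false };

    public GhazdoUploader(HttpMessageHandler handler) => client = new HttpClient(handler); // tests inject a fake

    // True only on 2xx. A 404 from advsec.dev.azure.com falls back once to dev.azure.com.
    public async Task<bool> PublishAsync(byte[] sarif, string org, string project, string repo,
                                         string tokenEnvVar, string apiVersion = "7.2-preview.1")
    {
        string secret = TokenSource.ReadSecret(tokenEnvVar);
        byte[] body;
        using (var ms = new MemoryStream())
        {
            using (var gz = new GZipStream(ms, CompressionLevel.Optimal, leaveOpen: true)) gz.Write(sarif, 0, sarif.Length);
            body = ms.ToArray();
        }
        foreach (string host in new[] { "advsec.dev.azure.com", "dev.azure.com" })
        {
            // Hypothetical path; not the route the real verb uses.
            string url = $"https://{host}/{org}/{project}/_apis/alert/repositories/{repo}/sarif?api-version={apiVersion}";
            using var request = new HttpRequestMessage(HttpMethod.Post, url);
            request.Headers.Authorization = TokenSource.HeaderFor(secret);
            request.Content = new ByteArrayContent(body);
            request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");
            // No Content-Encoding header on purpose: the server gunzips the body itself.
            HttpResponseMessage response;
            try { response = await client.SendAsync(request); }
            catch (HttpRequestException e) { throw new InvalidOperationException(TokenSource.Redact(e.Message, secret)); } // no inner exception: it may carry the secret
            using (response)
            {
                if (response.StatusCode == HttpStatusCode.NotFound && host.StartsWith("advsec.")) continue;
                if (response.IsSuccessStatusCode) return true; // 200-299 only; 3xx is a failure
                string diag = await response.Content.ReadAsStringAsync();
                throw new InvalidOperationException($"{(int)response.StatusCode}: {TokenSource.Redact(diag, secret)}");
            }
        }
        return false;
    }
}

// Constructed test double: advsec.* answers 404; dev.azure.com rejects with a body
// that reflects the Authorization parameter (the leak the redaction guards against).
sealed class FakeHandler : HttpMessageHandler
{
    public string LastScheme, LastContentType; public int LastContentEncodingCount;
    public readonly List<string> Hosts = new List<string>();
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct)
    {
        Hosts.Add(req.RequestUri.Host);
        LastScheme = req.Headers.Authorization.Scheme;
        LastContentType = req.Content.Headers.ContentType.MediaType;
        LastContentEncodingCount = req.Content.Headers.ContentEncoding.Count;
        if (req.RequestUri.Host.StartsWith("advsec.")) return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound));
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.BadRequest)
            { Content = new StringContent("rejected: " + req.Headers.Authorization.Parameter) });
    }
}

static class Demo
{
    static async Task Main()
    {
        Environment.SetEnvironmentVariable("GHAZDO_TOKEN", "constructed-opaque-pat"); // constructed, not a real PAT
        var fake = new FakeHandler();
        byte[] sarif = Encoding.UTF8.GetBytes("{\"version\":\"2.1.0\",\"runs\":[]}");  // constructed input
        try { await new GhazdoUploader(fake).PublishAsync(sarif, "org", "project", "repo", "GHAZDO_TOKEN"); }
        catch (InvalidOperationException e) { Console.WriteLine("failure text: " + e.Message); }
        Console.WriteLine("hosts tried: " + string.Join(", ", fake.Hosts));
        Console.WriteLine("scheme: " + fake.LastScheme + ", content-type: " + fake.LastContentType
                          + ", content-encoding headers: " + fake.LastContentEncodingCount);
    }
}
```

The injected HttpMessageHandler is the same seam the PR's [Fact]s use: the fake sees exactly what would have gone on the wire (host order, scheme, framing) without any network, and the failure text reaching the caller contains "[REDACTED]" where the server echoed the Basic-encoded secret. Passing a JWT-shaped value in GHAZDO_TOKEN instead flips the scheme to Bearer; passing the secret itself as the --token-env-var argument is refused by ReadSecret before anything is read or logged.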
@michaelcfanning michaelcfanning requested a review from cfaucon as a code owner June 6, 2026 20:09
michaelcfanning and others added 3 commits June 6, 2026 13:28
The skill's Context link pointed at the pre-rename Publish/ directory; the
verb lives under PublishToGhazdo/ (renamed to dodge the .gitignore publish/
pattern), so get-skill would have rewritten it to a 404 permalink.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…if/validate-sarif

"Findings" is not SARIF vocabulary and adds nothing to the skill names. Drop
it for the two existing skills so the get-skill catalog reads cleanly:
emit-sarif and validate-sarif.

This is not a breaking change. The get-skill verb that serves these skills by
name is brand-new in the still-unreleased 5.0.3, so no shipped consumer ever
addressed them under the -findings names; no ReleaseHistory BRK is warranted.

Renames the two skill directories and updates every reference: the get-skill
SkillSourceDirectory catalog, the embedded-resource Include paths and
LogicalNames, GetSkillOptions help text, the SKILL.md frontmatter name fields
and cross-links, the GetSkill unit-test vectors, and the docs links in
generating-sarif.md and multitool-usage.md.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
CI builds with EnforceCodeStyleInBuild=true, which promotes IDE0005
(unnecessary using directive) to an error. The test file's ToArray call
binds to an instance method, so the System.Linq import is unused and fails
the build on all three platforms. Drop it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@michaelcfanning michaelcfanning merged commit 24629b7 into dev Jun 6, 2026
6 checks passed
