PR Metrics

All three GitHub Actions workflow files (build.yml at https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/build.yml, release-initiate.yml at https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/release-initiate.yml, release-publish.yml at https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/release-publish.yml) set permissions: {} at the top level, defaulting all jobs to no permissions. Each job explicitly requests only the specific permissions it requires. For example, the release job in release-publish.yml requests only attestations: write and id-token: write, while the build job in build.yml requests permissions: {} (no permissions). The Azure DevOps pipelines extend the Office.Official.PipelineTemplate and Office.Unofficial.PipelineTemplate templates, which enforce organisational security policies including least-privilege defaults.

Each release is assigned a unique Semantic Versioning (https://semver.org/) identifier (e.g., v1.7.11). The version is maintained consistently across package.json (https://github.com/microsoft/PR-Metrics/blob/main/package.json), task.json (https://github.com/microsoft/PR-Metrics/blob/main/src/task/task.json), and vss-extension.json (https://github.com/microsoft/PR-Metrics/blob/main/src/vss-extension.json). Release assets (the VSIX extension, Sigstore signature bundle, and CycloneDX SBOM) are published as part of the GitHub Release (https://github.com/microsoft/PR-Metrics/releases) tagged with the version identifier. The release-publish.yml workflow (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/release-publish.yml) reads the version from release-publish-trigger.txt (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/support/release-publish-trigger.txt) and creates the release with that version tag.

The project documents its secrets and credentials management policy in docs/secrets-management.md (https://github.com/microsoft/PR-Metrics/blob/main/docs/secrets-management.md). The policy covers all secrets used by the project (including GITHUB_TOKEN, PR_METRICS_TOKEN, and ESRP service connections), how they are stored (exclusively in GitHub Secrets and Azure DevOps variable groups), how access is controlled (repository-level permissions, fork restrictions, least-privilege workflow permissions), and how secrets are rotated (GITHUB_TOKEN is auto-rotated per workflow run; PATs are reviewed periodically). The policy also describes preventative measures including Gitleaks secret scanning, environment variable usage instead of command-line arguments, and automatic log masking.

The docs/verification.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/verification.md) provides comprehensive instructions for verifying release integrity and authenticity using two independent methods: Build provenance attestation, verified via GitHub CLI (gh attestation verify), confirming the artefact was built by the official release workflow and hasn't been tampered with. Cosign signature, verified via Sigstore cosign (cosign verify-blob), confirming cryptographic integrity using keyless signing backed by GitHub's OIDC tokens. The documentation includes prerequisites, step-by-step verification commands, expected output, and troubleshooting guidance. This documentation is maintained in the repository's docs/ folder, separate from the build and release pipeline configuration.

The docs/verification.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/verification.md) includes instructions to verify the expected identity of the process authoring the release. The cosign verification command specifies the expected identity via: --certificate-identity-regexp matching ^https://github.com/microsoft/PR-Metrics/.github/workflows/release-publish.yml@refs/heads/main$ and --certificate-oidc-issuer matching https://token.actions.githubusercontent.com. This confirms that the release was authored by the release-publish.yml workflow running on the main branch of the microsoft/PR-Metrics repository, using GitHub's OIDC identity provider. The build provenance attestation additionally links the artefact to a specific workflow run and commit. This documentation is maintained separately from the build and release pipeline.

The SUPPORT.md file (https://github.com/microsoft/PR-Metrics/blob/main/.github/SUPPORT.md) documents the support lifecycle for the project. It states that PR Metrics follows a rolling release model where only the latest release is actively supported with bug fixes and security updates. Previous releases do not receive patches. The document also describes the end-of-life policy: should the project become inactive, the last published release will remain available but will not receive further updates. Consumers will be notified of any planned end of life through GitHub Discussions.

The SUPPORT.md file (https://github.com/microsoft/PR-Metrics/blob/main/.github/SUPPORT.md) provides a clear statement on when releases will no longer receive security updates: "Once a new version is published, the previous version no longer receives security updates." The document further states that critical security issues may result in an expedited patch release, and that consumers should always run the latest version. The end-of-life section clarifies that if the project becomes inactive, the last release will remain available but will not receive security patches.

The GOVERNANCE.md file (https://github.com/microsoft/PR-Metrics/blob/main/GOVERNANCE.md) includes a "Collaborator Review Policy" section that requires contributors to be reviewed and approved before being granted escalated permissions to sensitive resources. The policy requires nomination by an existing maintainer based on sustained quality contributions, identity verification through association with a known trusted organisation, and approval by at least one existing maintainer. Permissions are granted at the minimum level required for the contributor's role. Access to signing infrastructure is restricted to automated CI/CD pipelines and cannot be granted to individual contributors.

The release-publish.yml workflow (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/release-publish.yml) generates a CycloneDX (https://cyclonedx.org/) Software Bill of Materials (SBOM) using "npm sbom --sbom-format cyclonedx --sbom-type library". The SBOM (ms-omex.PRMetrics.sbom.cdx.json) is included as a release asset alongside the VSIX extension and Sigstore signature bundle on the GitHub Releases page (https://github.com/microsoft/PR-Metrics/releases). This enables consumers to ingest dependency data in a standardised format alongside other projects in their environment.

The project does not have any subprojects. It is a single codebase that produces artefacts for both GitHub Actions and Azure DevOps Pipelines via shared source code with platform-specific abstraction layers, as described in docs/cross-platform-architecture.md (https://github.com/microsoft/PR-Metrics/blob/main/docs/cross-platform-architecture.md).

The project's testing procedures are documented across multiple files: docs/development.md (https://github.com/microsoft/PR-Metrics/blob/main/docs/development.md) contains a "Testing" section explaining how to run tests locally ("npm test"), the test framework (Mocha at https://mochajs.org/ with ts-mockito at https://github.com/NagRock/ts-mockito), the Arrange-Act-Assert pattern used, code coverage reporting via c8 (https://github.com/bcoe/c8), and manual test case instructions. CONTRIBUTING.md (https://github.com/microsoft/PR-Metrics/blob/main/.github/CONTRIBUTING.md) describes how to run tests locally and in CI/CD, what the tests cover, and how to interpret results (pass/fail status and coverage percentages). It also documents that all automated checks in build.yml (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/build.yml) (unit tests, CodeQL, Super-Linter) must pass before a pull request can be merged.

The CONTRIBUTING.md file (https://github.com/microsoft/PR-Metrics/blob/main/.github/CONTRIBUTING.md) includes a "Test Policy for Major Changes" section requiring that all major changes include corresponding test updates. The policy defines specific requirements for new features (unit tests covering new functionality and edge cases), bug fixes (regression tests), and refactoring (existing tests must continue to pass). A "major change" is defined as any modification that alters extension behaviour, adds configuration parameters, changes metric calculations, or modifies API interactions. The pull request template (https://github.com/microsoft/PR-Metrics/blob/main/.github/pull_request_template.md) includes a testing checklist to enforce compliance.

The repository is protected by multiple rulesets (default-ruleset, microsoft-production-ruleset) that prevent direct commits to the main branch and require pull request reviews. At least one non-author approval is required before a pull request can be merged. The CODEOWNERS file (https://github.com/microsoft/PR-Metrics/blob/main/.github/CODEOWNERS) assigns @microsoft/omex as the required reviewer for all files. See repository rulesets at https://github.com/microsoft/PR-Metrics/rules.

The project maintains a comprehensive security assessment in docs/security-assessment.md (https://github.com/microsoft/PR-Metrics/blob/main/docs/security-assessment.md), which includes a Mermaid diagram of trust boundaries, an asset sensitivity table, and detailed threat analysis covering five threat categories: access token exposure, injection via untrusted PR content, supply chain attacks on dependencies, CI/CD permission escalation, and Git command injection. Each threat includes likelihood and impact ratings with specific mitigations. The assessment also identifies residual risks and specifies a review cadence.

The docs/security-scanning-policy.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/security-scanning-policy.md) documents the project's VEX policy. When a vulnerability is identified in a dependency that does not affect PR Metrics (e.g., the vulnerable code path is not reachable), the finding is assessed and documented as non-exploitable via GitHub Security Advisories (https://github.com/microsoft/PR-Metrics/security/advisories) and Dependabot alert dismissals with documented reasons. As of the last assessment, no known vulnerabilities in project dependencies have been identified as non-exploitable requiring VEX documentation; all known vulnerabilities are either resolved through dependency updates or actively being addressed per the documented remediation thresholds.

The docs/security-scanning-policy.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/security-scanning-policy.md) defines remediation thresholds for SCA findings. Critical and high severity findings must be resolved by the next patch release. Medium and low severity findings must be addressed by the next scheduled release. The policy includes a severity-to-remediation-target mapping table and describes the process for identifying, prioritising, and remediating findings via Dependabot alerts, CodeQL, and Component Governance.

The docs/security-scanning-policy.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/security-scanning-policy.md) documents a pre-release policy requiring that: (1) no unresolved Dependabot alerts of critical or high severity exist; (2) all npm dependencies are updated to their latest compatible versions via the release workflow; (3) Component Governance detection in the Azure DevOps pipeline completes without blocking findings; and (4) non-exploitable findings are documented. The release-initiate.yml workflow (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/release-initiate.yml) enforces dependency updates as part of the release process, and the Azure DevOps pipeline applies the M365 Guardian policy.

All changes to the codebase are automatically evaluated for malicious dependencies and known vulnerabilities: CodeQL (https://codeql.github.com/) runs on every pull request via the Validate job in build.yml (https://github.com/microsoft/PR-Metrics/blob/main/.github/workflows/build.yml), using security-and-quality, security-experimental, and security-extended query sets. Dependabot alerts (https://docs.github.com/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) are configured at the repository level. Component Governance (https://docs.opensource.microsoft.com/tools/cg/) runs dependency detection in the Azure DevOps PR pipeline. The repository rulesets require that all status checks pass before merging. Non-exploitable findings are documented via Dependabot alert dismissals with justification or in the security scanning policy.

The docs/security-scanning-policy.md file (https://github.com/microsoft/PR-Metrics/blob/main/docs/security-scanning-policy.md) defines remediation thresholds for SAST findings. Critical and high severity findings block pull request merging via required status checks and must be resolved immediately. Medium severity findings must be resolved before the next release. Low severity findings are addressed on a best-effort basis. The policy covers CodeQL, ESLint, CredScan, and PoliCheck findings, and describes how suppressed findings are documented with justification.

All changes to the codebase are automatically evaluated for security weaknesses: CodeQL (https://codeql.github.com/) is a required status check on every pull request, running extended security query sets against the JavaScript/TypeScript codebase. Super-Linter (https://github.com/super-linter/super-linter) runs ESLint and Gitleaks (https://github.com/gitleaks/gitleaks) on every pull request. CredScan (https://secdevtools.azurewebsites.net/helpcredscan.html) and Guardian PostAnalysis run in the Azure DevOps PR pipeline, enforcing the M365 security policy. The repository rulesets require that all status checks pass before merging. Suppressed findings are documented with justification in configuration files such as CredScanSuppressions.json (https://github.com/microsoft/PR-Metrics/blob/main/.github/azure-devops/CredScanSuppressions.json) and gitleaks.toml (https://github.com/microsoft/PR-Metrics/blob/main/.github/linters/gitleaks.toml).