microsoft · WilliamBerryiii · Nov 14, 2025 · Nov 6, 2025 · Nov 6, 2025 · Nov 13, 2025
@@ -1,12 +1,9 @@
 name: CodeQL Security Analysis
 
 on:
-  push:
-    branches: [ main, develop, feature/* ]
-  pull_request:
-    branches: [ main, develop ]
   schedule:
-    - cron: '0 4 * * 0'  # Sundays at 4 AM UTC
+    # Weekly scan: Sundays at 4 AM UTC
+    - cron: '0 4 * * 0'
   workflow_call:
 
 permissions:

@@ -12,7 +12,7 @@ on:
         description: 'Comma-separated list of dependency types to check'
-        description: 'Comma-separated list of dependency types to check'
+        description: 'Comma-separated list of dependency types to check. Valid values: github-actions, npm, pip, containers. Default is github-actions. (Parameter is passed as IncludeTypes to the script.)'
-        description: 'Comma-separated list of dependency types to check'
+        description: 'Comma-separated list of dependency types to check. Valid values: github-actions, npm, pip, containers. Default is github-actions. (Parameter is passed as IncludeTypes to the script.)'
         required: false
         type: string
-        default: 'actions,containers'
+        default: 'github-actions'
       soft-fail:
         description: 'Whether to continue on compliance violations'
         required: false
@@ -71,45 +71,74 @@ jobs:
         run: |
           Write-Host "Validating dependency SHA pinning compliance..."
 
-          # Build parameter list
+          # Ensure logs directory exists
+          New-Item -ItemType Directory -Force -Path logs | Out-Null
+
+          # Build parameter list for JSON output (always generate)
           $params = @{
             Path = '.'
+            Recursive = $true
             Format = 'json'
             OutputPath = 'logs/dependency-pinning-results.json'
           }
 
+          # Enable failure on threshold violations unless soft-fail is requested
+          if ('${{ inputs.soft-fail }}' -ne 'true') {
+            $params['FailOnUnpinned'] = $true
+          }
+
+          # Pass dependency types filter to script
           if ('${{ inputs.dependency-types }}') {
-            $params['DependencyTypes'] = '${{ inputs.dependency-types }}'
+            $params['IncludeTypes'] = '${{ inputs.dependency-types }}'
           }
 
+          # Pass compliance threshold to script (script handles enforcement)
           if ('${{ inputs.threshold }}') {
             $params['Threshold'] = [int]'${{ inputs.threshold }}'
           }
 
-          # Run validation script
+          # Run validation script (JSON format)
           & scripts/security/Test-DependencyPinning.ps1 @params
+          $jsonExitCode = $LASTEXITCODE
-          $jsonExitCode = $LASTEXITCODE
+          $jsonExitCode = $LASTEXITCODE
+          if ($jsonExitCode -ne 0) {
+            Write-Host "JSON validation failed with exit code $jsonExitCode"
+            exit $jsonExitCode
+          }
-          $jsonExitCode = $LASTEXITCODE
+          $jsonExitCode = $LASTEXITCODE
+          if ($jsonExitCode -ne 0) {
+            Write-Host "JSON validation failed with exit code $jsonExitCode"
+            exit $jsonExitCode
+          }
+
+          # Generate SARIF format if requested
+          if ('${{ inputs.upload-sarif }}' -eq 'true') {
+            Write-Host "Generating SARIF format for Security tab..."
+            $params['Format'] = 'sarif'
+            $params['OutputPath'] = 'logs/dependency-pinning-results.sarif'
+
+            & scripts/security/Test-DependencyPinning.ps1 @params
+          }
 
-          # Extract metrics from report
-          $report = Get-Content logs/dependency-pinning-results.json | ConvertFrom-Json
-          $complianceScore = $report.ComplianceScore
-          $unpinnedCount = $report.UnpinnedDependencies
-          $threshold = [int]'${{ inputs.threshold }}'
-          $isCompliant = $complianceScore -ge $threshold
-
-          "compliance-score=$complianceScore" >> $env:GITHUB_OUTPUT
-          "unpinned-count=$unpinnedCount" >> $env:GITHUB_OUTPUT
-          "is-compliant=$($isCompliant.ToString().ToLower())" >> $env:GITHUB_OUTPUT
-
-          Write-Host "Compliance Score: $complianceScore%"
-          Write-Host "Unpinned Dependencies: $unpinnedCount"
-          Write-Host "Is Compliant (>=$threshold%): $isCompliant"
-
-          # Fire GitHub Actions warnings for each violation
-          if ($unpinnedCount -gt 0) {
-            foreach ($violation in $report.Violations) {
-              Write-Output "::warning file=$($violation.File),line=$($violation.Line)::Unpinned $($violation.Type) dependency: $($violation.Name)@$($violation.Version) (Severity: $($violation.Severity))"
+          # Extract metrics from JSON report
+          if (Test-Path logs/dependency-pinning-results.json) {
+            $report = Get-Content logs/dependency-pinning-results.json | ConvertFrom-Json
+            $complianceScore = $report.ComplianceScore
+            $unpinnedCount = $report.UnpinnedDependencies
+
+            # Extract threshold from report metadata (script calculated compliance)
+            $threshold = $report.Metadata.ComplianceThreshold
+            $isCompliant = $complianceScore -ge $threshold
+
+            "compliance-score=$complianceScore" >> $env:GITHUB_OUTPUT
+            "unpinned-count=$unpinnedCount" >> $env:GITHUB_OUTPUT
+            "is-compliant=$($isCompliant.ToString().ToLower())" >> $env:GITHUB_OUTPUT
+
+            Write-Host "Compliance Score: $complianceScore%"
+            Write-Host "Unpinned Dependencies: $unpinnedCount"
+            Write-Host "Is Compliant (>=$threshold%): $isCompliant"
+
+            # Fire GitHub Actions warnings for each violation
+            if ($unpinnedCount -gt 0) {
+              foreach ($violation in $report.Violations) {
+                Write-Output "::warning file=$($violation.File),line=$($violation.Line)::Unpinned $($violation.Type) dependency: $($violation.Name)@$($violation.Version) (Severity: $($violation.Severity))"
+              }
             }
           }
+          else {
+            Write-Error "Failed to generate dependency pinning report"
+            exit 1
+          }
 
       - name: Upload SARIF to Security tab
         if: inputs.upload-sarif && always()
@@ -164,9 +193,3 @@ jobs:
           "@
           })
           "@ | Out-File -FilePath $env:GITHUB_STEP_SUMMARY -Encoding UTF8
-
-      - name: Fail job if non-compliant
-        if: steps.pinning.outputs.is-compliant == 'false' && !inputs.soft-fail
-        run: |
-          echo "Dependency pinning scan failed - compliance threshold not met"
-          exit 1
@@ -0,0 +1,47 @@
+name: Main Branch CI
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+# Minimal permissions for security
+permissions:
+  contents: read
+
+jobs:
+  spell-check:
+    name: Spell Check
+    uses: ./.github/workflows/spell-check.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  markdown-lint:
+    name: Markdown Lint
+    uses: ./.github/workflows/markdown-lint.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  table-format:
+    name: Table Format Check
+    uses: ./.github/workflows/table-format.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  dependency-pinning-scan:
+    name: Dependency Pinning Scan
+    uses: ./.github/workflows/dependency-pinning-scan.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      soft-fail: false
+      upload-sarif: true
+      upload-artifact: true
@@ -44,10 +44,11 @@ jobs:
           New-Item -ItemType Directory -Force -Path logs | Out-Null
 
       - name: Run markdown link check
+        id: link-check
         shell: pwsh
         run: |
           & scripts/linting/Markdown-Link-Check.ps1
-        continue-on-error: true
+        continue-on-error: ${{ inputs.soft-fail }}
 
       - name: Upload markdown link check results
         if: always()
@@ -58,10 +59,8 @@ jobs:
           retention-days: 30
 
       - name: Check results and fail if needed
-        if: ${{ !inputs.soft-fail }}
+        if: ${{ !inputs.soft-fail && steps.link-check.outcome == 'failure' }}
         shell: pwsh
         run: |
-          if ($env:MARKDOWN_LINK_CHECK_FAILED -eq 'true') {
-            Write-Host "Markdown link check failed and soft-fail is false. Failing the job."
-            exit 1
-          }
+          Write-Host "Markdown link check failed and soft-fail is false. Failing the job."
+          exit 1
@@ -0,0 +1,85 @@
+name: PR Validation
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+# Minimal permissions for security
+permissions:
+  contents: read
+
+jobs:
+  spell-check:
+    name: Spell Check
+    uses: ./.github/workflows/spell-check.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  markdown-lint:
+    name: Markdown Lint
+    uses: ./.github/workflows/markdown-lint.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  table-format:
+    name: Table Format Check
+    uses: ./.github/workflows/table-format.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  psscriptanalyzer:
+    name: PowerShell Lint
+    uses: ./.github/workflows/ps-script-analyzer.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+      changed-files-only: true
+
+  frontmatter-validation:
+    name: Frontmatter Validation
+    uses: ./.github/workflows/frontmatter-validation.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+      changed-files-only: true
+      skip-footer-validation: false
+      warnings-as-errors: true
+
+  link-lang-check:
+    name: Link Language Check
+    uses: ./.github/workflows/link-lang-check.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: false
+
+  markdown-link-check:
+    name: Markdown Link Check
+    uses: ./.github/workflows/markdown-link-check.yml
+    permissions:
+      contents: read
+    with:
+      soft-fail: true
+
+  dependency-pinning-check:
+    name: Validate Dependency Pinning
+    uses: ./.github/workflows/dependency-pinning-scan.yml
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      soft-fail: false
+      upload-sarif: true
+      upload-artifact: false
@@ -60,6 +60,7 @@ jobs:
             logs/psscriptanalyzer-results.json
             logs/psscriptanalyzer-summary.json
           retention-days: 30
+          if-no-files-found: ignore
 
       - name: Check results
         if: "!inputs.soft-fail"

@@ -3,8 +3,6 @@ name: Security Scan
 on:
   push:
     branches: [ main, develop ]
-  pull_request:
-    branches: [ main, develop ]
 
 permissions:
   contents: read
@@ -18,12 +16,4 @@ jobs:
     permissions:
       contents: read
       security-events: write
-      actions: read
-
-  dependency-review:
-    name: Dependency Review
-    if: github.event_name == 'pull_request'
-    uses: ./.github/workflows/dependency-review.yml
-    permissions:
-      contents: read
-      pull-requests: write
+      actions: read
@@ -38,7 +38,7 @@ jobs:
       max-age-days: ${{ inputs.max-age-days || 30 }}
 
   # Job 3: Run CodeQL security analysis
-  codeql-scan:
+  codeql-analysis:
     name: CodeQL Security Analysis
     uses: ./.github/workflows/codeql-analysis.yml
     permissions:
@@ -49,7 +49,7 @@ jobs:
   # Job 4: Generate consolidated summary
   summary:
     name: Security Maintenance Summary
-    needs: [validate-pinning, check-staleness, codeql-scan]
+    needs: [validate-pinning, check-staleness, codeql-analysis]
     if: always()
     runs-on: ubuntu-latest
     permissions:
@@ -61,7 +61,7 @@ jobs:
           $pinningScore = '${{ needs.validate-pinning.outputs.compliance-score }}'
           $unpinnedCount = '${{ needs.validate-pinning.outputs.unpinned-count }}'
           $staleCount = '${{ needs.check-staleness.outputs.stale-count }}'
-          $codeqlResult = '${{ needs.codeql-scan.result }}'
+          $codeqlResult = '${{ needs.codeql-analysis.result }}'
 
           # Determine overall status
           $hasIssues = $false