Collate scan results in add-on metadata

[seanbudd]

Fixes #6341
Fixes #3808
Related: nvaccess/addon-datastore-validation#46

Issues:

• Files are not normalized consistently with newlines Normalize json files in the views branch #6341
• When an add-on is submitted codeQL scanning and VirusTotal scanning occurs. This will only report warnings on the issue submission, but the results are not stored anywhere. We want to be able to analyze all the scan results.
• VirusTotal scan URLs are created not committed when add-ons are submitted. They are currently only committed by the action which scans all add-ons
• When an add-on submission fails due to virus scanning, there's no clear way to manually approve it and resubmit it safely Superfluous comment when verifySubmitterjob fails #3808
• CodeQL results are not recorded

Solutions:

• Normalize add-ons with newlines consistently
• Append scan results to each add-ons metadata file. This could potentially be used by consumers including NVDA.
• Commit Virus total scan results consistently
• When scan results fail, require a manual deployment from NV Access using a deploy environment https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments
• Record codeQL results for submissions

Known issues

• CodeQL results are not scanned in the retrospective batch scanning. This will be done in a future PR

Testing

• Batch scan:
  • https://github.com/nvaccess/addon-datastore-staging/actions/runs/17144475883
  • Add scanning results addon-datastore-staging#99
• Addon submission
  • Flagged:
    • Action: https://github.com/nvaccess/addon-datastore-staging/actions/runs/17116397043
    • PR: https://github.com/nvaccess/addon-datastore-staging/pull/97/files
  • Not flagged:
    • Action: https://github.com/nvaccess/addon-datastore-staging/actions/runs/17116397033
    • PR: https://github.com/nvaccess/addon-datastore-staging/pull/98/files

[Copilot]

Pull Request Overview

This PR refactors the add-on security scanning system to store scan results directly in add-on metadata files instead of using a separate reviewedAddons.json file. The changes improve result persistence and consistency while introducing manual approval requirements for security failures.

• Store VirusTotal and CodeQL scan results directly in add-on metadata files
• Remove the reviewedAddons.json tracking system in favor of metadata-based storage
• Require manual approval through GitHub environments when security scans fail

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
reviewedAddons.json	Removes the centralized tracking file for reviewed add-ons
.github/workflows/virusTotalAnalysis.js	Refactors to store scan results in metadata and normalize newlines
.github/workflows/virusScanAllAddons.yml	Updates batch processing and commit messages for new result storage
.github/workflows/securityAnalysis.js	Modifies to store CodeQL results in metadata instead of reviewedAddons.json
.github/workflows/codeql-analysis.yml	Adds result committing and removes manual approval artifacts
.github/workflows/checkAndSubmitAddonMetadata.yml	Replaces manual approval PR creation with environment-based approval

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[seanbudd]

temporarily adjusted for testing, we can probably up this to 300 once testing is complete

[seanbudd]

TODO:

• When submitting an add-on, there are conflicts when trying to update the add-on metadata from each job. Instead, a separate job that depends on all the scanners, should take JSON output stored in variable from the scanners, and use those variables to commit to updating the add-on metadata in a single job.
• update the script for scanning all add-ons to also scan with CodeQL: going to split out to a separate PR
• split out python 3.13 changes

[SaschaCowley]

Please also document the change in process

[SaschaCowley]

Thanks, @seanbudd