Skip to content

chore: harden CI and supply chain per OpenSSF Scorecard#26

Merged
muralx merged 2 commits into
mainfrom
chore/harden-ci-supply-chain
Jun 16, 2026
Merged

chore: harden CI and supply chain per OpenSSF Scorecard#26
muralx merged 2 commits into
mainfrom
chore/harden-ci-supply-chain

Conversation

@muralx

@muralx muralx commented Jun 16, 2026

Copy link
Copy Markdown
Collaborator

Hardens CI and the supply chain to close several OpenSSF Scorecard gaps.

  • CodeQL (SAST) — new workflow running CodeQL's security-extended suite over the TypeScript/JavaScript sources on PRs, pushes to main, and a weekly schedule, gated to run only when the repository is public.
  • Least-privilege tokenspermissions: contents: read defaults on the ci, release, publish-npm, backport-fixes, cut-release, and dependency-review workflows; jobs opt into the specific writes they need.
  • Pinned actionlint download — the actionlint install script is now fetched by commit SHA and sha256-verified before it runs (it in turn checksum-verifies the binary), closing the "downloadThenRun not pinned by hash" finding.
  • hono dependency — bump the peer/dev dependency to ^4.12.21 and refresh the lockfile.

No library/runtime behavior changes; CI and build are green.

@muralx
chore: harden CI and supply chain per OpenSSF Scorecard
b1730fd 
- Add a CodeQL workflow (SAST) over the TypeScript/JavaScript sources,
  gated to run only when the repository is public.
- Set least-privilege `permissions: contents: read` defaults on the ci,
  release, publish-npm, backport-fixes, cut-release, and dependency-review
  workflows; jobs opt into the writes they need.
- Pin the actionlint download script by commit SHA and sha256-verify it
  before running, closing the "downloadThenRun not pinned by hash" gap.
- Bump the `hono` peer/dev dependency to ^4.12.21 and refresh the lockfile.
@muralx muralx requested a review from a team as a code owner June 16, 2026 22:05
@github-advanced-security

github-advanced-security AI commented Jun 16, 2026

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@muralx
chore(deps): bump form-data to 4.0.6 to clear high-severity audit
d8600f4 
Resolves the high-severity CRLF-injection advisory (GHSA-hmw2-7cc7-3qxx)
in form-data <=4.0.5, pulled transitively via the FastMCP adapter
(axios). Lockfile-only patch bump; no API or behavior change.
RobertoIskandarani
RobertoIskandarani approved these changes Jun 16, 2026
View reviewed changes

@RobertoIskandarani RobertoIskandarani left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@muralx muralx merged commit cbe4cba into main Jun 16, 2026
8 checks passed
@muralx muralx deleted the chore/harden-ci-supply-chain branch June 16, 2026 22:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RobertoIskandarani RobertoIskandarani RobertoIskandarani approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@muralx @github-advanced-security @RobertoIskandarani