From b7f406a2a5fd27bde07fcd540b3d00bf53293c9d Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 12:22:03 +0530 Subject: [PATCH 1/3] chore: harden release workflow for supply-chain security - Use npm Trusted Publishing (OIDC) instead of NPM_TOKEN - Pin third-party actions and reusable workflows to commit SHAs - Drop default permissions to read-only, elevate per-job - Add --ignore-scripts to release-time install - Add npm audit signatures step - Add Dependabot for github-actions ecosystem - Add concurrency guard Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 6 ++++++ .github/workflows/checks.yml | 20 ++++++++++---------- .github/workflows/release.yml | 30 +++++++++++++++++++----------- 3 files changed, 35 insertions(+), 21 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ca79ca5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index ac13283..376d295 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -5,10 +5,10 @@ on: - workflow_call jobs: lint: - uses: adonisjs/.github/.github/workflows/lint.yml@next + uses: adonisjs/.github/.github/workflows/lint.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next typecheck: - uses: adonisjs/.github/.github/workflows/typecheck.yml@next + uses: adonisjs/.github/.github/workflows/typecheck.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next test-postgres: runs-on: ubuntu-latest @@ -27,8 +27,8 @@ jobs: ports: - 5432:5432 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install Playwright Browsers @@ -57,8 +57,8 @@ jobs: ports: - '3306:3306' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install @@ -83,8 +83,8 @@ jobs: ports: - '1433:1433' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install @@ -102,8 +102,8 @@ jobs: lib: ['sqlite'] node-version: [24] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c585c42..eff2df4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,36 +1,44 @@ name: release on: workflow_dispatch + permissions: - contents: write - id-token: write + contents: read + +concurrency: + group: release + cancel-in-progress: false + jobs: checks: + permissions: + contents: read uses: ./.github/workflows/checks.yml + release: needs: checks runs-on: ubuntu-latest + permissions: + contents: write + id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 + registry-url: 'https://registry.npmjs.org' - name: git config run: | git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - - name: Init npm config - run: npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - run: npm install + - run: npm install --ignore-scripts + + - run: npm audit signatures - run: npm run release -- --ci env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 64a23661d5cf0122bd359bf904ead0097fbba399 Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 12:43:14 +0530 Subject: [PATCH 2/3] chore: set top-level permissions on checks workflow Addresses CodeQL "Workflow does not contain permissions" finding by declaring contents: read at workflow scope so GITHUB_TOKEN is scoped down on push/pull_request/workflow_call runs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/checks.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 376d295..083703c 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -3,6 +3,9 @@ on: - push - pull_request - workflow_call +permissions: + contents: read + jobs: lint: uses: adonisjs/.github/.github/workflows/lint.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next From 9494a6e09580121742fdbe60217e952e108ab36f Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 13:00:15 +0530 Subject: [PATCH 3/3] chore: gate release job with npm-publish environment Requires approval from the Core Team before npm publish runs, via the GitHub Environment created in each repo. Pair with an npm Trusted Publisher config that pins the environment to fully close the gate. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eff2df4..4489ef3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ jobs: release: needs: checks runs-on: ubuntu-latest + environment: npm-publish permissions: contents: write id-token: write