Skip to content

Migrate to GitHub Actions + apply zizmor security hardening#27

Merged
elyobo merged 1 commit into
mainfrom
lo/zizmor-hardening
May 21, 2026
Merged

Migrate to GitHub Actions + apply zizmor security hardening#27
elyobo merged 1 commit into
mainfrom
lo/zizmor-hardening

Conversation

@elyobo

@elyobo elyobo commented May 21, 2026
edited
Loading

Copy link
Copy Markdown
Member

Summary

  • Move async-hofs off the dead CircleCI setup onto GitHub Actions
  • Apply the org-standard zizmor hardening pack (SHA-pinned actions, deny-all permissions, persist-credentials: false, mise + zizmor lint, dependabot grouped updates, root zizmor config)
  • Adopt changesets + (trusted-publishing-capable) release flow

This is a public, MIT-licensed repo — the only one in the hardening sweep with that exposure profile. Two consequences:

  1. Reusable workflows from raywhite/github-workflows (private) are not callable from a public repo — the default GITHUB_TOKEN doesn't grant cross-repo access from public → private. So release.yml and block-fixup.yml are inlined here rather than calling the reusable workflows that every other library uses.
  2. arc-runner-set (self-hosted) is not available to this public repo — initial CI run sat queued indefinitely. All jobs run on ubuntu-latest.

Both of these are async-hofs-only concessions; the rest of the org-wide pattern is preserved.

Notes for review

  • No source changes intended. The eslint stack had to come up off v4 to run on Node 24. I picked eslint@8, @babel/eslint-parser, eslint-config-airbnb-base@15. Several new airbnb rules would force source edits (arrow-parens, no-promise-executor-return, prefer-promise-reject-errors, prefer-exponentiation-operator, import/extensions, no-multiple-empty-lines) — I disabled them in .eslintrc rather than churn source. The stacked TS + style migration PR will re-enable them and migrate the codebase.
  • ava pinned to ^3 (was ^3.5.0). ava v4 removed test.cb, which several tests rely on. Migrating those is also stacked-PR work.
  • ava v3 transitive deps trigger npm-audit moderate warnings; accepted for this pass since the stacked PR will replace the test runner.
  • Root zizmor.yml is minimal here: no self-hosted-runner ignore (none used) and no impostor-commit: disable (no private reusable callout).

Pre-flight ask before first release

@raywhite/async-hofs needs trusted publishing enabled on npmjs before release.yml first runs on main post-merge, otherwise the publish step will fail. The workflow also passes NPM_TOKEN as a fallback secret if trusted publishing isn't configured.

Recommended review order

  1. mise.toml, zizmor.yml, .github/dependabot.yml — config
  2. .github/workflows/*.yml — workflows (inlined release + block-fixup)
  3. package.json, .eslintrc — dep + lint adjustments (note the rule disables)
  4. README.md — drop CircleCI badge, update versioning section
  5. package-lock.json — full regen, big diff, mechanical

Test plan

  • npm install && npm test (lint + ava) passes locally on Node 24
  • mise run lint-actions clean at medium+ severity
  • CI test workflow green on PR
  • CI zizmor workflow green on PR
  • CI block-fixup workflow green on PR

🤖 Generated with Claude Code

@elyobo @claude
Migrate to GitHub Actions + apply zizmor security hardening
eb8b771 
Public MIT-licensed repo. CircleCI is dead, so this PR brings async-hofs
onto GitHub Actions with the same hardening pack the other libraries have:

- SHA-pinned actions with version comments, top-level `permissions: {}`
  deny-all + per-job least privilege, `persist-credentials: false` on
  every checkout, arc-runner-set runners
- mise.toml with `minimum_release_age = "7d"` and pinned zizmor; lockfile
- Changesets + trusted-publishing release flow via
  raywhite/github-workflows@v3.1.1
- Root zizmor.yml config (`unpinned-uses: hash-pin`,
  `impostor-commit: disable`) + zizmor.yml audit workflow at medium+
- dependabot.yml with monthly grouped github-actions updates +
  7-day cooldown

Minimal eslint stack update to make lint runnable on Node 24:
eslint v8, @babel/eslint-parser, airbnb-base v15. New airbnb rules that
would require source edits are temporarily disabled — a stacked TS +
style migration PR will re-enable them and migrate the codebase.

ava pinned to ^3 for the same reason (test.cb removed in v4).

Pre-flight for review: npm trusted publishing must be enabled for
@raywhite/async-hofs before the first release workflow run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@elyobo elyobo force-pushed the lo/zizmor-hardening branch from d7c96ec to eb8b771 Compare May 21, 2026 03:13
@elyobo elyobo merged commit bd898da into main May 21, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@elyobo