From 91ef1e094774c48ca0c8f0d0fbe14efa6601b41c Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 12:27:06 +0530 Subject: [PATCH 1/3] chore: harden release workflow for supply-chain security - Use npm Trusted Publishing (OIDC) instead of NPM_TOKEN - Pin third-party actions and reusable workflows to commit SHAs - Drop default permissions to read-only, elevate per-job - Add --ignore-scripts to release-time install - Add npm audit signatures step - Add Dependabot for github-actions ecosystem - Add concurrency guard Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 6 ++++++ .github/workflows/checks.yml | 12 ++++++------ .github/workflows/release.yml | 29 ++++++++++++++++++----------- 3 files changed, 30 insertions(+), 17 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ca79ca5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a200e4a..cea185a 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -5,10 +5,10 @@ on: - workflow_call jobs: lint: - uses: adonisjs/.github/.github/workflows/lint.yml@next + uses: adonisjs/.github/.github/workflows/lint.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next typecheck: - uses: adonisjs/.github/.github/workflows/typecheck.yml@next + uses: adonisjs/.github/.github/workflows/typecheck.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next test_linux: runs-on: ubuntu-latest @@ -56,7 +56,7 @@ jobs: ports: - 8000:8000 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Create DynamoDB Table env: AWS_ACCESS_KEY_ID: accessKeyId 
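Review bot: The new `.github/dependabot.yml` registers only the `github-actions` ecosystem, so the SHA pins added in this series will be refreshed while the npm tree that `release.yml` installs and publishes from is not covered at all. If a lockfile is committed (not visible in this patch), a second entry `- package-ecosystem: npm` / `directory: /` / `schedule: interval: weekly` closes that gap; if leaving npm out is deliberate, a one-line comment saying so would stop the next reader from re-raising it. Dependabot also appears to use the trailing `# v4` / `# next` comment on a SHA-pinned `uses:` to decide which ref to follow and rewrites it on each bump, so those comments should be kept in exactly that form rather than dropped or reworded.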
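Review bot: Pinning `adonisjs/.github/.github/workflows/lint.yml` and `typecheck.yml` to `616f1f58…` freezes only the YAML of those two reusable workflows; every `uses:` step inside them is still resolved however `adonisjs/.github` pins it at that commit, so the supply-chain guarantee this hunk buys is only as strong as the pinning in that repository. The `# next` suffix names a branch, not a release tag, which leaves no immutable label to audit the SHA against; at review time the SHA should be confirmed with `git ls-remote https://github.com/adonisjs/.github next`, and tagging that repository would let the comment become a real version. Because Dependabot seems to follow the commented ref when refreshing the pin, a branch here means the pin will keep tracking `next` rather than a release line, which may or may not be intended.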
@@ -75,7 +75,7 @@ jobs: --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install @@ -105,9 +105,9 @@ jobs: matrix: node-version: [latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c6b637c..eff2df4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
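Review bot: The `# v4` comments after `actions/checkout@34e11487…` and `actions/setup-node@49933ea5…` are the only link between each pinned SHA and the version a reader expects, and nothing in the hunk shows the SHAs were resolved against upstream; a SHA copied from a third-party example is the classic way a pin becomes a liability instead of a control. Before merge, resolve each SHA to its tag (`git ls-remote --tags https://github.com/actions/setup-node | grep 49933ea5`) and record the full tag in the comment, e.g. `# v4.x.y`, so Dependabot and future reviewers can check it at a glance. The same verification applies to the identical pins in the earlier `checks.yml` hunks and in `release.yml`.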
@@ -1,37 +1,44 @@ name: release on: workflow_dispatch + permissions: - contents: write - id-token: write + contents: read + +concurrency: + group: release + cancel-in-progress: false + jobs: checks: + permissions: + contents: read uses: ./.github/workflows/checks.yml + release: needs: checks runs-on: ubuntu-latest + permissions: + contents: write + id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 + registry-url: 'https://registry.npmjs.org' - name: git config run: | git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - - name: Init npm config - run: npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + - run: npm install --ignore-scripts - - run: npm install + - run: npm audit signatures - run: npm run release -- --ci env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From dccf147d534ef0ff9e5c18e93551d988c53ad665 Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 12:48:35 +0530 Subject: [PATCH 2/3] chore: set top-level permissions on checks workflow Addresses CodeQL "Workflow does not contain permissions" finding by declaring contents: read at workflow scope so GITHUB_TOKEN is scoped down on push/pull_request/workflow_call runs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/checks.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index cea185a..a0d2ea8 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
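Review bot: `npm install --ignore-scripts` does not enforce the lockfile: when the resolvable tree differs from `package-lock.json`, npm resolves fresh versions and rewrites the lockfile, so the release can be built from a dependency set nobody reviewed, and the following `npm audit signatures` then only attests that those freshly resolved packages carry valid registry signatures. For a release job use `- run: npm ci --ignore-scripts`, which fails hard on any lockfile mismatch (assuming a lockfile is committed; that is not visible in this patch). Separately, OIDC Trusted Publishing requires a recent npm CLI (npm 11.5.1 or newer per npm's documentation); Node 24 should bundle one, but since the publish now depends on it, an explicit `- run: npm --version` step, or a note in the `checks` output, makes a stale runner image fail early instead of at publish time.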
@@ -3,6 +3,9 @@ on: - push - pull_request - workflow_call +permissions: + contents: read + jobs: lint: uses: adonisjs/.github/.github/workflows/lint.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next From 300c67a0f6ff77aa8a1a3c12bc1c421cb67a65d7 Mon Sep 17 00:00:00 2001 From: Harminder Virk Date: Thu, 28 May 2026 13:05:20 +0530 Subject: [PATCH 3/3] chore: gate release job with npm-publish environment Requires approval from the Core Team before npm publish runs, via the GitHub Environment created in each repo. Pair with an npm Trusted Publisher config that pins the environment to fully close the gate. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eff2df4..4489ef3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ jobs: release: needs: checks runs-on: ubuntu-latest + environment: npm-publish permissions: contents: write id-token: write
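Review bot: `environment: npm-publish` gates the publish only if that environment already exists with required reviewers; GitHub auto-creates a referenced environment that does not exist, with no protection rules, so in a fork, a freshly created repo, or after a typo in the name the job runs with `id-token: write` and no approval step. The commit message says the environment is created per repo, but nothing in the workflow can assert that, so a comment above the line is warranted: `# Must match the protected 'npm-publish' environment (required reviewers) and the environment pinned in the npm Trusted Publisher config.` Pinning the same environment name on the npm side is what makes the OIDC token unusable from any other job or environment, so that pairing is the actual control and should be in place before the first release through this workflow. The `release` job body continues outside the hunk.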