Skip to content

chore(ci): harden github actions#4

Merged
SoonIter merged 3 commits into
mainfrom
harden-github-actions
May 21, 2026
Merged

chore(ci): harden github actions#4
SoonIter merged 3 commits into
mainfrom
harden-github-actions

Conversation

@SoonIter
Copy link
Copy Markdown
Owner

@SoonIter SoonIter commented May 21, 2026

Summary

  • Harden GitHub Actions workflows with workflow-level permissions: {} and job-scoped token permissions.
  • Pin all workflow action references to full commit SHAs while keeping version comments for maintainability.
  • Disable implicit package-manager caching in actions/setup-node via package-manager-cache: false.

Validation

  • git diff --check
  • YAML parsed successfully for .github/workflows/test.yml and .github/workflows/release.yml
  • Confirmed no remaining uses: ...@v* action references

No repository preflight script is defined, so targeted workflow checks were used.

@SoonIter
Copy link
Copy Markdown
Owner Author

SoonIter commented May 21, 2026

@copilot resolve the merge conflicts in this pull request

Copy link
Copy Markdown
Contributor

Copilot AI commented May 21, 2026

@copilot resolve the merge conflicts in this pull request

Resolved in 4d33e62. I merged the latest main changes into this branch, kept the workflow hardening, preserved the newer trusted-publishing release workflow behavior, and reran validation successfully. No UI changes were involved, so there isn’t a screenshot to share.

@SoonIter SoonIter marked this pull request as ready for review May 21, 2026 08:51
Copilot AI review requested due to automatic review settings May 21, 2026 08:51
Copilot AI reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the repository’s GitHub Actions workflows by minimizing default GITHUB_TOKEN privileges and pinning third-party action references to immutable commit SHAs to reduce supply-chain risk.

Changes:

  • Set workflow-level permissions: {} and add job-scoped token permissions.
  • Pin all uses: action references to full commit SHAs (with version comments).
  • Adjust actions/setup-node configuration to disable package-manager caching.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/test.yml Restricts token permissions, pins actions to SHAs, and changes Node setup caching configuration for CI tests.
.github/workflows/release.yml Moves token permissions to job scope, pins actions to SHAs, and changes Node setup caching configuration for publishing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/test.yml
Comment thread .github/workflows/release.yml
@SoonIter SoonIter merged commit 6bfc18a into main May 21, 2026
7 checks passed
@SoonIter SoonIter mentioned this pull request May 22, 2026
Merged
SoonIter added a commit that referenced this pull request May 22, 2026
@SoonIter
fix: harden v18 release workflow (#8)
20bc6b2 
## Summary

- Set the v18 release workflow npm dist-tag to `latest-v18`.
- Pin GitHub Actions in v18 workflows to commit hashes, matching the
hardening style from #4.
- Move release permissions to the job scope and disable implicit
setup-node package manager cache.

## Testing

- `git diff --check`
- `rg -n "uses: .*@v[0-9]" .github/workflows` returns no matches
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SoonIter