From 46094dc827c9be2af9f5d7b9ba83ce0775152b0d Mon Sep 17 00:00:00 2001 From: Akash Jag Date: Wed, 13 May 2026 23:41:52 -0700 Subject: [PATCH 1/4] security: harden ci-cd against supply chain attacks --- .github/CODEOWNERS | 7 ++++- .github/workflows/ci.yml | 47 ++++++++++++++++++++++++++++-- .github/workflows/release.yml | 55 ++++++++++++++++++++++++++--------- .npmrc | 4 +-- package.json | 5 ++++ 5 files changed, 99 insertions(+), 19 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index b4c8043..f3d5ff8 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,7 @@ # Workflow/CI files specifically -.github/ @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco \ No newline at end of file +.github/ @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco + +# Supply chain critical files -- lockfile, install config, package manifest +.npmrc @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco +package.json @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco +pnpm-lock.yaml @ajag408 @Philippoes @petar-omni @jdomingos @raiseerco \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2481efc..670a640 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -18,8 +18,15 @@ jobs: node-version: [20.17.0, 22.x] steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 @@ -44,8 +51,13 @@ jobs: restore-keys: | ${{ runner.os }}-pnpm-store- + - name: Set up Socket Firewall + uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 + with: + mode: firewall + - name: Install dependencies - run: pnpm install --frozen-lockfile + run: sfw pnpm install --frozen-lockfile - name: Run linter run: pnpm run lint @@ -70,8 +82,15 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 @@ -83,8 +102,13 @@ jobs: with: version: 10.12.2 + - name: Set up Socket Firewall + uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 + with: + mode: firewall + - name: Install dependencies - run: pnpm install --frozen-lockfile + run: sfw pnpm install --frozen-lockfile - name: Run pnpm audit run: pnpm audit --audit-level=critical @@ -92,3 +116,22 @@ jobs: - name: Check for dependency updates run: pnpm outdated continue-on-error: true + + dependency-review: + name: Dependency Review + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + + steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + persist-credentials: false + + - name: Dependency Review + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4 \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 28f82ff..a616a77 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,10 +20,16 @@ jobs: contents: read steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 + persist-credentials: false - name: Verify tag is on main shell: bash @@ -44,8 +50,13 @@ jobs: with: version: 10.12.2 + - name: Set up Socket Firewall + uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 + with: + mode: firewall + - name: Install dependencies - run: pnpm install --frozen-lockfile + run: sfw pnpm install --frozen-lockfile - name: Security audit run: pnpm audit --audit-level=critical @@ -63,10 +74,16 @@ jobs: id-token: write steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 + persist-credentials: false - name: Verify tag is on main shell: bash @@ -92,8 +109,13 @@ jobs: - name: Update npm run: npm install -g npm@latest + - name: Set up Socket Firewall + uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 + with: + mode: firewall + - name: Install dependencies - run: pnpm install --frozen-lockfile + run: sfw pnpm install --frozen-lockfile - name: Run tests run: pnpm test @@ -103,6 +125,8 @@ jobs: - name: Publish to NPM run: pnpm publish --access public --no-git-checks + env: + NPM_CONFIG_PROVENANCE: "true" # ========================================== # Job 3: Build binaries for all platforms @@ -134,10 +158,16 @@ jobs: arch: x64 steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: fetch-depth: 0 + persist-credentials: false - name: Verify tag is on main shell: bash @@ -166,21 +196,13 @@ jobs: with: version: 10.12.2 - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - - - name: Setup pnpm cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 + - name: Set up Socket Firewall + uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-store- + mode: firewall - name: Install dependencies - run: pnpm install --frozen-lockfile + run: sfw pnpm install --frozen-lockfile - name: Build TypeScript run: pnpm build @@ -237,6 +259,11 @@ jobs: contents: write steps: + - name: Harden runner + uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1 + with: + egress-policy: audit + - name: Download all artifacts uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 with: diff --git a/.npmrc b/.npmrc index d6bf63f..25efeed 100644 --- a/.npmrc +++ b/.npmrc @@ -1,2 +1,2 @@ -enable-pre-post-scripts=true -strict-peer-dependencies=false \ No newline at end of file +strict-peer-dependencies=false +minimum-release-age=4320 \ No newline at end of file diff --git a/package.json b/package.json index d0ec433..f6d4db4 100644 --- a/package.json +++ b/package.json @@ -71,5 +71,10 @@ "prettier": "^3.2.5", "ts-jest": "^29.4.6", "typescript": "^5.0.0" + }, + "pnpm": { + "onlyBuiltDependencies": [ + "esbuild" + ] } } From 791b5e94d2cc5db0d00eded757fa98d3435e281e Mon Sep 17 00:00:00 2001 From: Akash Jag Date: Thu, 14 May 2026 00:16:40 -0700 Subject: [PATCH 2/4] fix: ci fixes --- .github/workflows/ci.yml | 28 +++++++++------------------- .github/workflows/release.yml | 21 ++++++++++++--------- 2 files changed, 21 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 670a640..f66c69e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,22 +34,10 @@ jobs: node-version: ${{ matrix.node-version }} - name: Install pnpm - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 - with: - version: 10.12.2 - - - name: Get pnpm store directory shell: bash run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - - - name: Setup pnpm cache - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-store- + corepack enable + corepack prepare pnpm@10.12.2 --activate - name: Set up Socket Firewall uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 @@ -72,7 +60,7 @@ jobs: if: matrix.node-version == '20.17.0' uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de with: - file: ./coverage/lcov.info + files: ./coverage/lcov.info flags: unittests name: codecov-umbrella fail_ci_if_error: false @@ -98,9 +86,10 @@ jobs: node-version: 20.17.0 - name: Install pnpm - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 - with: - version: 10.12.2 + shell: bash + run: | + corepack enable + corepack prepare pnpm@10.12.2 --activate - name: Set up Socket Firewall uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 @@ -112,6 +101,7 @@ jobs: - name: Run pnpm audit run: pnpm audit --audit-level=critical + continue-on-error: true - name: Check for dependency updates run: pnpm outdated @@ -132,6 +122,6 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: persist-credentials: false - + - name: Dependency Review uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4 \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a616a77..e6272d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,9 +46,10 @@ jobs: node-version: "22" - name: Install pnpm - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 - with: - version: 10.12.2 + shell: bash + run: | + corepack enable + corepack prepare pnpm@10.12.2 --activate - name: Set up Socket Firewall uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 @@ -101,9 +102,10 @@ jobs: registry-url: "https://registry.npmjs.org" - name: Install pnpm - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 - with: - version: 10.12.2 + shell: bash + run: | + corepack enable + corepack prepare pnpm@10.12.2 --activate # npm 11.5.1 or later is required for trusted publishing - name: Update npm @@ -192,9 +194,10 @@ jobs: architecture: ${{ matrix.node_arch }} - name: Install pnpm - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 - with: - version: 10.12.2 + shell: bash + run: | + corepack enable + corepack prepare pnpm@10.12.2 --activate - name: Set up Socket Firewall uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 From dcb55de3e0b7fb9fafa562f8a1e23f0b12ce9e6f Mon Sep 17 00:00:00 2001 From: Akash Jag Date: Thu, 14 May 2026 00:20:47 -0700 Subject: [PATCH 3/4] fix: corepack --- .github/workflows/ci.yml | 2 ++ .github/workflows/release.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f66c69e..4546977 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,6 +36,7 @@ jobs: - name: Install pnpm shell: bash run: | + npm install -g corepack@latest corepack enable corepack prepare pnpm@10.12.2 --activate @@ -88,6 +89,7 @@ jobs: - name: Install pnpm shell: bash run: | + npm install -g corepack@latest corepack enable corepack prepare pnpm@10.12.2 --activate diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e6272d4..b715a16 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,6 +48,7 @@ jobs: - name: Install pnpm shell: bash run: | + npm install -g corepack@latest corepack enable corepack prepare pnpm@10.12.2 --activate @@ -104,6 +105,7 @@ jobs: - name: Install pnpm shell: bash run: | + npm install -g corepack@latest corepack enable corepack prepare pnpm@10.12.2 --activate @@ -196,6 +198,7 @@ jobs: - name: Install pnpm shell: bash run: | + npm install -g corepack@latest corepack enable corepack prepare pnpm@10.12.2 --activate From 48c9fefdd2049cc1544f1df6d6bb0a571eadba79 Mon Sep 17 00:00:00 2001 From: Akash Jag Date: Thu, 14 May 2026 00:35:36 -0700 Subject: [PATCH 4/4] fix: rabbit --- .github/workflows/ci.yml | 4 ++++ .github/workflows/release.yml | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4546977..8306693 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,6 +44,8 @@ jobs: uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: mode: firewall + env: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} - name: Install dependencies run: sfw pnpm install --frozen-lockfile @@ -97,6 +99,8 @@ jobs: uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: mode: firewall + env: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} - name: Install dependencies run: sfw pnpm install --frozen-lockfile diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b715a16..d01ee79 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,6 +56,8 @@ jobs: uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: mode: firewall + env: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} - name: Install dependencies run: sfw pnpm install --frozen-lockfile @@ -117,6 +119,8 @@ jobs: uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: mode: firewall + env: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} - name: Install dependencies run: sfw pnpm install --frozen-lockfile @@ -206,6 +210,8 @@ jobs: uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1 with: mode: firewall + env: + SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }} - name: Install dependencies run: sfw pnpm install --frozen-lockfile