Skip to content

ci: align SHA pins, add pnpm audit, and add change detection to TypeScript CIs#31

Closed
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-wqozxc
Closed

ci: align SHA pins, add pnpm audit, and add change detection to TypeScript CIs#31
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-wqozxc

Conversation

@bryanfawcett

Copy link
Copy Markdown
Contributor

Summary

Full audit of all reusable workflows against the org's own supply-chain rules. Four categories of drift found and fixed:

1. SHA pin drift (supply-chain security — NA-03 §7.1.1)

Three workflow files had stale SHA pins that diverged when Dependabot PR #29 bumped the rest of the org:

File Action Old SHA Canonical SHA
reusable-ci-docker.yml actions/checkout de0fac2e 9c091bb2
reusable-ci-docker.yml github/codeql-action/upload-sarif 95e58e9a 8aad20d1
reusable-ci-terraform.yml actions/checkout (×4) de0fac2e 9c091bb2
reusable-ci-typescript-lib.yml actions/checkout (×5) de0fac2e 9c091bb2
reusable-ci-typescript-lib.yml pnpm/action-setup (×4) 71c92474 0ebf4713

All 17 workflow files now use a single consistent SHA for each action.

2. Missing pnpm audit (security gate — NA-03 §7.1, §10.3)

reusable-ci-nextjs-monorepo.yml has a pnpm audit --audit-level=moderate job; reusable-ci-typescript.yml and reusable-ci-typescript-lib.yml did not. ORG_SETTINGS.md lists ci / pnpm audit as a required status check. Gap closed: audit job added to both TypeScript workflows.

3. Missing change detection in reusable-ci-typescript.yml

The non-lib TypeScript CI ran all four jobs (typecheck, lint, test, build) on every PR regardless of what files changed. The lib, Rust, Python, and Solidity CIs all use dorny/paths-filter to skip jobs when no relevant files change. Added the same changes job and if: needs.changes.outputs.typescript == 'true' gates to reusable-ci-typescript.yml.

4. Incomplete Actions allow-list in ORG_SETTINGS.md

hashicorp/setup-terraform and terraform-linters/setup-tflint are used in reusable-ci-terraform.yml but were not listed in the ORG_SETTINGS.md allow-list source of truth. Added both.

Test plan

  • Lint CI (actionlint, prettier, markdownlint, yamllint) green on this PR
  • Confirm no other stale SHA variants remain: grep -rh 'uses: actions/checkout@' .github/workflows/ | sort -u should show exactly one SHA
  • Verify pnpm audit job name matches ORG_SETTINGS.md required check: ci / pnpm audit
  • Review change detection filter list matches reusable-ci-typescript-lib.yml (they are now identical)

🤖 Generated with Claude Code

https://claude.ai/code/session_014EVAdrE6agqSNHqvi6JhsR


Generated by Claude Code

…cript CIs

- Align actions/checkout SHA to 9c091bb2 (canonical post-#29 Dependabot
  pin) in reusable-ci-docker.yml, reusable-ci-terraform.yml, and
  reusable-ci-typescript-lib.yml — all three had the pre-bump de0fac2e SHA.
- Align pnpm/action-setup SHA to 0ebf4713 in reusable-ci-typescript-lib.yml
  (was 71c92474, which diverged when #29 bumped the other workflows).
- Align github/codeql-action/upload-sarif SHA to 8aad20d1 in
  reusable-ci-docker.yml (was 95e58e9a, stale relative to all other callers).
- Add pnpm audit job to reusable-ci-typescript.yml and
  reusable-ci-typescript-lib.yml, closing the gap with
  reusable-ci-nextjs-monorepo.yml and the ORG_SETTINGS.md required checks.
- Add dorny/paths-filter change detection to reusable-ci-typescript.yml,
  matching the pattern used by the lib, Rust, Python, and Solidity CIs.
- Add hashicorp/setup-terraform and terraform-linters/setup-tflint to the
  ORG_SETTINGS.md Actions allow-list (both used in reusable-ci-terraform.yml
  but previously omitted from the allow-list source of truth).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014EVAdrE6agqSNHqvi6JhsR
Signed-off-by: Claude <noreply@anthropic.com>
@bryanfawcett

Copy link
Copy Markdown
Contributor Author

Closing as superseded — same duplicate-PR pileup as #30. The actions/checkout SHA drift this PR chased is now fixed correctly via Dependabot's #38 (merged in 1b669fb). No unique content carried forward.


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants