ci: align SHA pins, add pnpm audit, and add change detection to TypeScript CIs#31
Closed
bryanfawcett wants to merge 1 commit into
Closed
ci: align SHA pins, add pnpm audit, and add change detection to TypeScript CIs#31bryanfawcett wants to merge 1 commit into
bryanfawcett wants to merge 1 commit into
Conversation
…cript CIs - Align actions/checkout SHA to 9c091bb2 (canonical post-#29 Dependabot pin) in reusable-ci-docker.yml, reusable-ci-terraform.yml, and reusable-ci-typescript-lib.yml — all three had the pre-bump de0fac2e SHA. - Align pnpm/action-setup SHA to 0ebf4713 in reusable-ci-typescript-lib.yml (was 71c92474, which diverged when #29 bumped the other workflows). - Align github/codeql-action/upload-sarif SHA to 8aad20d1 in reusable-ci-docker.yml (was 95e58e9a, stale relative to all other callers). - Add pnpm audit job to reusable-ci-typescript.yml and reusable-ci-typescript-lib.yml, closing the gap with reusable-ci-nextjs-monorepo.yml and the ORG_SETTINGS.md required checks. - Add dorny/paths-filter change detection to reusable-ci-typescript.yml, matching the pattern used by the lib, Rust, Python, and Solidity CIs. - Add hashicorp/setup-terraform and terraform-linters/setup-tflint to the ORG_SETTINGS.md Actions allow-list (both used in reusable-ci-terraform.yml but previously omitted from the allow-list source of truth). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_014EVAdrE6agqSNHqvi6JhsR Signed-off-by: Claude <noreply@anthropic.com>
Contributor
Author
|
Closing as superseded — same duplicate-PR pileup as #30. The Generated by Claude Code |
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Full audit of all reusable workflows against the org's own supply-chain rules. Four categories of drift found and fixed:
1. SHA pin drift (supply-chain security — NA-03 §7.1.1)
Three workflow files had stale SHA pins that diverged when Dependabot PR #29 bumped the rest of the org:
reusable-ci-docker.ymlactions/checkoutde0fac2e9c091bb2reusable-ci-docker.ymlgithub/codeql-action/upload-sarif95e58e9a8aad20d1reusable-ci-terraform.ymlactions/checkout(×4)de0fac2e9c091bb2reusable-ci-typescript-lib.ymlactions/checkout(×5)de0fac2e9c091bb2reusable-ci-typescript-lib.ymlpnpm/action-setup(×4)71c924740ebf4713All 17 workflow files now use a single consistent SHA for each action.
2. Missing
pnpm audit(security gate — NA-03 §7.1, §10.3)reusable-ci-nextjs-monorepo.ymlhas apnpm audit --audit-level=moderatejob;reusable-ci-typescript.ymlandreusable-ci-typescript-lib.ymldid not.ORG_SETTINGS.mdlistsci / pnpm auditas a required status check. Gap closed: audit job added to both TypeScript workflows.3. Missing change detection in
reusable-ci-typescript.ymlThe non-lib TypeScript CI ran all four jobs (typecheck, lint, test, build) on every PR regardless of what files changed. The lib, Rust, Python, and Solidity CIs all use
dorny/paths-filterto skip jobs when no relevant files change. Added the samechangesjob andif: needs.changes.outputs.typescript == 'true'gates toreusable-ci-typescript.yml.4. Incomplete Actions allow-list in
ORG_SETTINGS.mdhashicorp/setup-terraformandterraform-linters/setup-tflintare used inreusable-ci-terraform.ymlbut were not listed in the ORG_SETTINGS.md allow-list source of truth. Added both.Test plan
actionlint,prettier,markdownlint,yamllint) green on this PRgrep -rh 'uses: actions/checkout@' .github/workflows/ | sort -ushould show exactly one SHAORG_SETTINGS.mdrequired check:ci / pnpm auditreusable-ci-typescript-lib.yml(they are now identical)🤖 Generated with Claude Code
https://claude.ai/code/session_014EVAdrE6agqSNHqvi6JhsR
Generated by Claude Code