fix(ci): harden GitHub Actions workflows#63

Open

LuisUrrutia wants to merge 1 commit into main from fix/harden-github-actions-workflows
Conversation

@LuisUrrutia

Summary

  • Security: Fix script injection in CLA workflow by replacing direct ${{ }} interpolation in run: blocks with env: blocks
  • Security: Add explicit job-level permissions to the release job for defense-in-depth
  • Maintenance: Update outdated actions (setup-node v4→v6, checkout v6.0.1→v6.0.2, pnpm/action-setup v4.1→v4.2, sbom-action v0.22.1→v0.22.2, codeql-action v4.32.0→v4.32.2)
  • Correctness: Fix incorrect version comment on SLSA secure-attestations-download (was v1.6.0, actually an untagged main commit)
  • Correctness: Add missing version comments on pinned action SHAs across publish.yml
  • CI: Add concurrency control to cancel in-progress CI runs on new pushes
  • Cleanup: Remove unused single-entry matrix strategy, deduplicate PR number extraction in CLA labeling steps, quote all shell variables

Test plan

  • CI workflow passes (build, test, lint, typecheck)
  • CLA workflow triggers correctly on pull_request_target and issue_comment events
  • Release workflow still creates release PRs and publishes to npm
  • Scorecard workflow uploads SARIF results
  • Verify actions/setup-node v6 major upgrade doesn't break node setup/caching

- Add concurrency control to CI workflow
- Remove unused single-entry matrix strategy
- Fix script injection in CLA workflow by using env blocks
- Deduplicate PR number extraction in CLA labeling steps
- Quote all shell variables ($GITHUB_OUTPUT, $GITHUB_WORKSPACE)
- Fix incorrect version comment on SLSA attestations-download
- Add job-level permissions to release job
- Add missing version comments on pinned action SHAs
- Update outdated actions: setup-node v4->v6, checkout v6.0.1->v6.0.2,
  pnpm/action-setup v4.1->v4.2, sbom-action v0.22.1->v0.22.2,
  codeql-action v4.32.0->v4.32.2
@LuisUrrutia LuisUrrutia requested a review from a team as a code owner February 6, 2026 13:18
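The hardening patterns listed in the summary (env: blocks instead of direct `${{ }}` interpolation in `run:`, job-level permissions, concurrency control, quoted shell variables, and a version comment on a pinned SHA) shown together in one workflow fragment. This is an illustration added here, not the project's own workflow file: the workflow name, event fields, job and step names, and the SHA placeholder are assumptions.

```yaml
# Added illustration of the patterns in the PR summary; not the project's
# own workflow. Names, event fields and the SHA placeholder are assumptions.
name: cla

on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]

# Default the GITHUB_TOKEN to no permissions; each job asks for what it needs.
permissions: {}

# Cancel an in-progress run for the same ref when a new push arrives.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  label:
    runs-on: ubuntu-latest
    # Job-level permissions: only what labeling a PR requires.
    permissions:
      pull-requests: write
    steps:
      # Pin to a full commit SHA and keep the tag it corresponds to as a
      # comment so the pin stays auditable. <full-commit-sha> is a placeholder.
      - uses: actions/checkout@<full-commit-sha> # v6.0.2

      # Vulnerable pattern (what the PR removes): the runner expands the
      # expression before the shell sees the script, so an attacker-controlled
      # event field such as a comment body is parsed as shell syntax.
      #   - run: echo "Comment: ${{ github.event.comment.body }}"

      # Hardened pattern: route untrusted values through env:, then reference
      # them as quoted shell variables. The value is data, never code.
      - name: Extract PR number once for later steps
        id: pr
        env:
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          # Quote every variable, including the GITHUB_OUTPUT path.
          echo "number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
          printf 'Comment: %s\n' "$COMMENT_BODY"

      - name: Use the extracted number
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        run: echo "Labeling PR #$PR_NUMBER"
```

The two `run:` steps read the PR number from a single `env:`/`outputs` path rather than re-parsing the event in each step, which is the deduplication the commit message refers to; the `||` expression covers both the `pull_request_target` and `issue_comment` triggers, where the number lives under different event keys.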