Skip to content

chore: harden release workflow for supply-chain security#168

Open
thetutlage wants to merge 5 commits into
14.xfrom
chore/harden-release-workflow
Open

chore: harden release workflow for supply-chain security#168
thetutlage wants to merge 5 commits into
14.xfrom
chore/harden-release-workflow

Conversation

@thetutlage
Copy link
Copy Markdown
Member

@thetutlage thetutlage commented May 28, 2026
edited by coderabbitai Bot
Loading

Summary

  • Switches release publishing to npm Trusted Publishing (OIDC) — removes long-lived NPM_TOKEN from the workflow, so transitive postinstall scripts can no longer exfiltrate it from ~/.npmrc.
  • Pins actions/checkout, actions/setup-node, and the adonisjs/.github / adonisjs/core reusable workflows to commit SHAs to defend against tag/branch reflog tampering.
  • Tightens default workflow permissions: to contents: read, elevates per-job (contents: write + id-token: write only on the release job).
  • Switches the release-time install to npm install --ignore-scripts so transitive postinstall scripts cannot run during the release job.
  • Adds an npm audit signatures step before publishing to verify registry signatures.
  • Adds a Dependabot config for the github-actions ecosystem so the pinned SHAs are kept current automatically.
  • Adds a concurrency block to prevent overlapping release runs.

Prerequisites

  • npm Trusted Publishing must already be configured for this package on npmjs.com (workflow file: release.yml, environment: none). Confirmed configured before this PR.
  • The repo secret NPM_TOKEN can be deleted after the first successful tokenless release.

Test plan

  • Trigger the release workflow manually with a patch bump.
  • Confirm publish succeeds without NPM_TOKEN being available.
  • Confirm provenance attestation appears on npmjs.com for the new version.
  • If npm install --ignore-scripts breaks the build for this repo (e.g. a transitive dep relies on postinstall to fetch a native binary), drop the flag in a follow-up.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enabled Dependabot to check GitHub Actions updates weekly.
    • Hardened CI workflows with explicit permission controls and pinned reusable workflow references for more stable builds.
    • Improved release pipeline: added concurrency and environment safeguards, tightened permissions, switched to a streamlined auth flow, added audit checks, and adjusted install steps.
    • Restored tracking of the package lockfile (no longer ignored).

thetutlage and others added 4 commits May 28, 2026 12:21
@thetutlage @claude
chore: harden release workflow for supply-chain security
0aaf4ae 
- Use npm Trusted Publishing (OIDC) instead of NPM_TOKEN
- Pin third-party actions and reusable workflows to commit SHAs
- Drop default permissions to read-only, elevate per-job
- Add --ignore-scripts to release-time install
- Add npm audit signatures step
- Add Dependabot for github-actions ecosystem
- Add concurrency guard

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@thetutlage @claude
chore: set top-level permissions on checks workflow
c23200f 
Addresses CodeQL "Workflow does not contain permissions" finding by
declaring contents: read at workflow scope so GITHUB_TOKEN is scoped down
on push/pull_request/workflow_call runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@thetutlage @claude
chore: gate release job with npm-publish environment
1b6e69f 
Requires approval from the Core Team before npm publish runs, via the
GitHub Environment created in each repo. Pair with an npm Trusted
Publisher config that pins the environment to fully close the gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@thetutlage @claude
chore: add package-lock.json for reproducible installs
0449553 
The hardened release workflow uses npm install --ignore-scripts and
npm audit signatures, both of which require a lockfile to be effective:

- npm audit signatures verifies registry signatures of the exact resolved
  versions in the lockfile; without one, transitive resolution at release
  time would re-resolve from the registry and silently accept any new
  version of a dep, which is the supply-chain hole we are trying to close.
- --ignore-scripts is meaningful only when paired with reproducible
  resolution, otherwise an attacker who controls a future version of a
  transitive dep can still influence build output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Jun 1, 2026
edited
Loading

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: fde5daf7-42de-4991-aac3-1d0f271703f1

📥 Commits

Reviewing files that changed from the base of the PR and between 0449553 and 4e1e5aa.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yml
📝 Walkthrough

Walkthrough

Adds Dependabot for GitHub Actions, sets explicit workflow permissions and concurrency, pins action references and checkout/setup-node to commit SHAs, updates the release job to use GITHUB_TOKEN with npm audit signatures and ignore-scripts install, and enables tracking of package-lock.json.

Changes

Workflow Security and Dependency Management

Layer / File(s) Summary
Dependabot Configuration for Automated Updates
.github/dependabot.yml		 Dependabot configuration added to check for updates to github-actions in the repository root on a weekly schedule.
Checks Workflow Security Hardening
.github/workflows/checks.yml		 Adds top-level permissions: contents: read and pins reusable workflow job references for test, lint, and typecheck to specific commit SHAs (keeps # next comments).
Release Workflow Security Hardening and Authentication Update
.github/workflows/release.yml		 Adds workflow-level permissions and concurrency, assigns npm-publish environment, grants contents: write and id-token: write for release, pins actions/checkout and actions/setup-node to commit SHAs, changes npm install to --ignore-scripts, adds npm audit signatures, and removes NPM_TOKEN/NODE_AUTH_TOKEN so release uses only GITHUB_TOKEN.
Package Lock File Tracking
.gitignore		 Removed the package-lock.json ignore rule to enable lockfile tracking in version control.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I hop through workflows neat and bright,
Pin actions firm and set permissions right,
Dependabot keeps an eager eye,
Lockfiles tracked beneath the sky,
Release hums safe by GitHub's light.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: harden release workflow for supply-chain security' directly and accurately summarizes the main objective of the PR, which is to strengthen the release workflow's security posture through supply-chain security measures.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/harden-release-workflow

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

25-27: ⚡ Quick win

Consider setting persist-credentials: false if git push is handled via explicit token.

The static analyzer flags that persisted credentials increase attack surface. However, if the release script pushes tags or version commits, it may rely on these credentials.

If npm run release handles git authentication via the GITHUB_TOKEN env var explicitly, add:

       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false

If the release tool relies on the checkout action's persisted credentials for git push, keep the current configuration.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 25 - 27, The checkout step
currently uses actions/checkout with fetch-depth: 0 and leaves credentials
persisted; change the checkout step configuration (the actions/checkout
invocation) to set persist-credentials: false if your release script (npm run
release) authenticates pushes explicitly via GITHUB_TOKEN, so the action does
not leak the default token; if instead your release process relies on the
checkout-provided credentials to push tags/commits, leave persist-credentials
as-is and document that behavior in the workflow and release script to avoid the
static analyzer warning.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 25-27: The checkout step currently uses actions/checkout with
fetch-depth: 0 and leaves credentials persisted; change the checkout step
configuration (the actions/checkout invocation) to set persist-credentials:
false if your release script (npm run release) authenticates pushes explicitly
via GITHUB_TOKEN, so the action does not leak the default token; if instead your
release process relies on the checkout-provided credentials to push
tags/commits, leave persist-credentials as-is and document that behavior in the
workflow and release script to avoid the static analyzer warning.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5adb2c7c-3cec-4733-b5bb-02556a950a53

📥 Commits

Reviewing files that changed from the base of the PR and between 407ddae and 0449553.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/dependabot.yml
  • .github/workflows/checks.yml
  • .github/workflows/release.yml
  • .gitignore
💤 Files with no reviewable changes (1)
  • .gitignore

@thetutlage @claude
chore: pass secrets to checks job in release workflow
4e1e5aa 
Re-adds 'secrets: inherit' to the checks job in release.yml so the
reusable checks workflow continues to receive repository secrets when
invoked by workflow_call from release. Without this, integration tests
in checks that depend on secrets (e.g. RESEND_API_KEY in mail) fail
during release runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thetutlage