From 0d6a3848409185388fe282996b872625525f816c Mon Sep 17 00:00:00 2001
From: Mehdi
Date: Wed, 11 Feb 2026 14:33:13 +0000
Subject: [PATCH 1/3] ci: normalize setup-node inputs and refresh action pins
---
 .github/workflows/actions-freshness.yml | 6 ++---
 .github/workflows/codeql.yml | 6 ++---
 .github/workflows/poutine.yml | 6 ++---
 .github/workflows/qa-matrix.yml | 13 ++++-----
 .github/workflows/release.yml | 35 ++++++++++++++-----------
 .github/workflows/sbom.yml | 3 ++-
 .github/workflows/secrets-gate.yml | 4 +--
 .github/workflows/sonarcloud.yml | 7 ++---
 docs/plan/cicd_security.md | 2 ++
 9 files changed, 45 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/actions-freshness.yml b/.github/workflows/actions-freshness.yml
index 18a495f..1acab39 100644
--- a/.github/workflows/actions-freshness.yml
+++ b/.github/workflows/actions-freshness.yml
@@ -22,12 +22,12 @@ jobs:
 issues: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: '20'
@@ -42,7 +42,7 @@ jobs:
 - name: Upload freshness report artifact
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: actions-freshness-report
 path: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a853306..29f102a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,17 +26,17 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 category: /language:${{ matrix.language }}
diff --git a/.github/workflows/poutine.yml b/.github/workflows/poutine.yml
index cc21a5d..49c7126 100644
--- a/.github/workflows/poutine.yml
+++ b/.github/workflows/poutine.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
@@ -38,14 +38,14 @@ jobs:
 mv results.cleaned.sarif results.sarif
 - name: Upload poutine SARIF
- uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a
+ uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
 with:
 sarif_file: results.sarif
 category: /tool:poutine
 - name: Upload poutine artifact
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: poutine-sarif
 path: results.sarif
diff --git a/.github/workflows/qa-matrix.yml b/.github/workflows/qa-matrix.yml
index 8e569d1..04b70de 100644
--- a/.github/workflows/qa-matrix.yml
+++ b/.github/workflows/qa-matrix.yml
@@ -23,15 +23,16 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -83,7 +84,7 @@ jobs:
 - name: Upload UI screenshot
 if: always() && steps.capture_ui_screenshot.outcome == 'success'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: ui-screenshot-${{ runner.os }}
 path: dist/qa/screenshots/*.png
@@ -92,7 +93,7 @@ jobs:
 - name: Upload Playwright E2E artifacts
 if: runner.os == 'Linux' && always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: playwright-e2e-linux
 path: |
@@ -103,7 +104,7 @@ jobs:
 - name: Upload stress benchmark artifacts
 if: runner.os == 'Linux' && always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: stress-benchmarks-linux
 path: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3438f5f..959a6b7 100755
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
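Review bot: The refreshed `uses:` pins in this hunk (`actions/checkout@de0fac2e…`, `actions/setup-node@6044e13b…`, `actions/upload-artifact@b7c566a7…`) carry no release-tag comment, so a reviewer cannot tell from the diff that each SHA is the commit behind a tagged upstream release rather than an arbitrary commit on the action's repository; the same applies to every pin-only hunk in this patch. Appending the tag each SHA was resolved from, e.g. `uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # <upstream release tag>`, makes the pin auditable at review time and lets pin-update tooling keep the comment in step with the SHA. The series title says setup-node inputs are normalized, yet `node-version` is still `'20'` in actions-freshness.yml and a bare `20` here and in release.yml, sbom.yml and sonarcloud.yml; quoting it everywhere avoids a YAML float-typing surprise the day a minor version such as `20.10` is pinned. The `cache`/`cache-dependency-path` pair added here is repeated verbatim in release.yml (three jobs), sbom.yml and sonarcloud.yml, which is what later forces PATCH 2 and PATCH 3 to touch three places each.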
@@ -15,15 +15,16 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -40,7 +41,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Windows Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: windows-artifacts
 path: |
@@ -56,15 +57,16 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -110,7 +112,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Linux Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: linux-artifacts
 path: |
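Review bot: release.yml is tracked with mode `100755` (`index 3438f5f..959a6b7 100755`, and again in PATCH 2 and PATCH 3) while every other workflow file in this series is `100644`; a workflow file is read by the runner and never executed, so the executable bit is noise that makes the file show up as a script in listings and in permission-sensitive tooling. Clearing it is a one-liner, `git update-index --chmod=-x .github/workflows/release.yml`, and belongs in a series that already rewrites the file. Separately, the three build jobs in this file (hunks `@@ -15`, `@@ -56` and `@@ -126`) now repeat the same checkout / setup-node / `npm ci` block with identical `cache` inputs; if a composite action or reusable workflow held that block once, the two follow-up commits that first remove and then re-disable the cache would each have been a single change.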
@@ -126,15 +128,16 @@ jobs:
 contents: read
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 persist-credentials: false
 - name: Install Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -151,7 +154,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload macOS Artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: macos-artifacts
 path: |
@@ -168,7 +171,7 @@ jobs:
 contents: write
 steps:
 - name: Check out Git repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -198,19 +201,19 @@ jobs:
 continue-on-error: true
 - name: Download Windows artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: windows-artifacts
 path: artifacts/windows
 - name: Download Linux artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: linux-artifacts
 path: artifacts/linux
 - name: Download macOS artifacts
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+ uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
 with:
 name: macos-artifacts
 path: artifacts/macos
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index f3f4bce..9632063 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -27,7 +27,8 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci --ignore-scripts
diff --git a/.github/workflows/secrets-gate.yml b/.github/workflows/secrets-gate.yml
index c26b7c1..2ad96bc 100644
--- a/.github/workflows/secrets-gate.yml
+++ b/.github/workflows/secrets-gate.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -60,7 +60,7 @@ jobs:
 - name: Upload gitleaks report
 if: always()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: gitleaks-report
 path: gitleaks-report.json
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index b26e41d..b697d44 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -17,15 +17,16 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- package-manager-cache: false
+ cache: npm
+ cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
diff --git a/docs/plan/cicd_security.md b/docs/plan/cicd_security.md
index e19c254..d70ad36 100644
--- a/docs/plan/cicd_security.md
+++ b/docs/plan/cicd_security.md
@@ -65,6 +65,8 @@ This document defines the CI/CD security and quality baseline for `ai-code-fusio
 - CI workflows now declare job-level `permissions` explicitly, even when matching workflow defaults.
 - Dependency Review keeps PR summary behavior while disabling OpenSSF scorecard output to reduce third-party token-permission noise unrelated to repository workflow scopes.
+- `actions/setup-node` usage is normalized to supported cache inputs (`cache`, `cache-dependency-path`) to avoid unsupported-input warnings.
+- Core GitHub Action pins are refreshed to current maintained release SHAs on a recurring basis.
 ## Example Workflow Pattern
From 6e4423554bd37c1244ba3fcebdac504e8496c371 Mon Sep 17 00:00:00 2001
From: Mehdi
Date: Wed, 11 Feb 2026 14:36:13 +0000
Subject: [PATCH 2/3] fix: disable npm cache in release publish workflow
---
 .github/workflows/release.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 959a6b7..7ae34d2 100755
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,8 +23,6 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- cache: npm
- cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -65,8 +63,6 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- cache: npm
- cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
@@ -136,8 +132,6 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
- cache: npm
- cache-dependency-path: package-lock.json
 - name: Install dependencies
 run: npm ci
From cc68ecb1cdc9409bcea10aff21a6825aec3e0e16 Mon Sep 17 00:00:00 2001
From: Mehdi
Date: Wed, 11 Feb 2026 14:37:55 +0000
Subject: [PATCH 3/3] fix: disable implicit setup-node cache in release jobs
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7ae34d2..bdbd3b5 100755
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,7 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
+ package-manager-cache: false
 - name: Install dependencies
 run: npm ci
@@ -63,6 +64,7 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
+ package-manager-cache: false
 - name: Install dependencies
 run: npm ci
@@ -132,6 +134,7 @@ jobs:
 uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
 with:
 node-version: 20
+ package-manager-cache: false
 - name: Install dependencies
 run: npm ci
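Review bot: `package-manager-cache: false` is reintroduced here (and in the `@@ -63` and `@@ -132` hunks) against the same `actions/setup-node@6044e13b…` pin that PATCH 1 moved away from this input, while the docs bullet PATCH 1 adds to docs/plan/cicd_security.md states the input was replaced because it is unsupported and triggers warnings; the two cannot both be accurate. If the pinned revision does recognise `package-manager-cache` (the PATCH 3 subject, "disable implicit setup-node cache", implies it does and that caching is on by default there), the docs bullet should be reworded to say `cache`/`cache-dependency-path` are used where caching is wanted and `package-manager-cache: false` where it is not; if it does not, the unexpected-input warning PATCH 1 set out to remove is back on all three release jobs. The diff alone cannot settle which case applies, so the action's `action.yml` at that SHA should be checked before the series lands. The reason release jobs are kept cache-free while qa-matrix, sbom and sonarcloud restore an npm cache is recorded nowhere in the series; a one-line comment above the input, e.g. `# release builds install without a restored npm cache: <reason>`, would stop the next pin refresh from "normalizing" it away again.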