Supply-chain hardening: release-age gate, exact pins (syncpack), SHA-pinned actions, CodeQL + Scorecard#3
danfry1 wants to merge 4 commits into
… pins
- bunfig.toml: minimumReleaseAge=604800 (7d) — refuse freshly-published versions
- .github/dependabot.yml: bun + github-actions, weekly, 7-day cooldown, grouped
- syncpack (.syncpackrc.json): devDependencies pinned to exact versions across all packages; runtime/peer keep ranges. lint:deps/fix:deps scripts; CI-enforced. typescript/eslint/@typescript-eslint/utils kept as ranges (entangled peer/dev).
- add bugs field to publishable packages
- document the posture in SECURITY.md + CONTRIBUTING.md
- pin every GitHub Action to a full commit SHA (with version comment)
- permissions: read-all by default; write scopes only on the jobs that need them
- ci: add lint:deps gate; bump checkout/setup-node to v6 (clears Node20 deprecation)
- add CodeQL (codeql.yml) and OpenSSF Scorecard (scorecard.yml) workflows
- add CODEOWNERS
…loor Exact-pinning tsdown from ^0.9.0 resolved to 0.9.0, which rejects the `--format esm,cjs` CLI flag and broke the faultline build. 0.9.9 is the version the lockfile already used and that supports the flag.
- replace standalone codeql.yml/scorecard.yml with calls to the shared reusable workflows (single source of truth, DRY across repos)
- SECURITY.md links to the canonical supply-chain guide in danfry1/standards
Applies the supply-chain best practices used in danfry1/bonsai-js and danfry1/reflow-ts.

Dependency hygiene
- `bunfig.toml` `minimumReleaseAge=604800` (7d): installs refuse versions published more recently, so most malicious releases get caught/yanked first.
- `.github/dependabot.yml` (bun + github-actions, weekly, 7-day cooldown at every semver level, grouped dev/prod) mirrors the install-time gate.
- `.syncpackrc.json`: all `devDependencies` pinned to exact versions (no `^`/`~`), runtime/peer keep ranges. Enforced in CI via `bun run lint:deps`. `typescript`/`eslint`/`@typescript-eslint/utils` stay ranged (entangled peer↔dev) — the committed `bun.lock` pins their resolved versions regardless.
- `bugs` metadata on publishable packages.

CI / workflow security
- `permissions: read-all`; write scopes granted only per-job.
- `lint:deps` gate in CI; `checkout`/`setup-node` bumped to v6 (also clears the Node 20 deprecation warning).
- CodeQL (`codeql.yml`) + OpenSSF Scorecard (`scorecard.yml`) on push + weekly.
- CODEOWNERS (`* @danfry1`).

Docs
SECURITY.md gains a "Supply-chain hardening" section; CONTRIBUTING.md documents the pinning workflow.
Notes
`syncpack lint` clean, `--frozen-lockfile` in sync, typecheck + ~216 tests + build all green, all workflow YAML parses.
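As an added illustration of the two properties this PR's CI gate enforces (every `uses:` pinned to a full commit SHA with a version comment, and every devDependency an exact version), here is a small stdlib-only checker. It is example code written for this page, not the project's `lint:deps` script or syncpack; the workflow snippet, the package.json and the 40-hex SHAs embedded in it are constructed placeholders, not real commits.

```python
"""Supply-chain posture checks: SHA-pinned actions, read-all default, exact dev pins.

Example code, not the project's own tooling. Regex-based so no YAML parser is needed
for the `uses:` lines; the sample inputs below are constructed for this demo.
"""
from __future__ import annotations

import json
import re

# A full 40-hex git commit SHA. Tags such as v4 or v6.1.0 are mutable and do not qualify.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref   # v4` with an optional trailing version comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
# Exact semver (optional prerelease/build): no ^, ~, x, *, ranges or spaces.
_EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def unpinned_action_uses(workflow_text: str) -> list[tuple[str, str]]:
    """Return (uses_value, reason) for every `uses:` that is not SHA-pinned or that is
    SHA-pinned but lacks the human-readable version comment. Local (./) and
    docker:// references are skipped because they are not resolved via a git ref."""
    findings: list[tuple[str, str]] = []
    for line in workflow_text.splitlines():
        m = _USES_RE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        if "@" not in uses:
            findings.append((uses, "no ref at all (floats on the default branch)"))
            continue
        ref = uses.rsplit("@", 1)[1]
        if not _SHA_RE.match(ref):
            findings.append((uses, f"ref {ref!r} is a mutable tag/branch, not a 40-hex commit SHA"))
        elif not comment:
            findings.append((uses, "SHA-pinned but missing the '# vX' version comment"))
    return findings


def has_read_all_default(workflow_text: str) -> bool:
    """True if the workflow declares an unindented top-level `permissions: read-all`.
    A job-level `permissions:` (indented) does not count as the default."""
    return any(re.match(r"^permissions:\s*read-all\s*$", line) for line in workflow_text.splitlines())


def ranged_dev_dependencies(package_json_text: str) -> dict[str, str]:
    """Return the devDependencies whose spec is not an exact version (what syncpack would flag)."""
    pkg = json.loads(package_json_text)
    return {name: spec for name, spec in pkg.get("devDependencies", {}).items()
            if not _EXACT_RE.match(spec)}


# Constructed sample workflow: one correct pin, one tag, one local action, one SHA without comment.
# The SHAs are placeholders, not real commits of these actions.
SAMPLE_WORKFLOW = """\
name: ci
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6 (placeholder SHA)
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/local-thing
      - uses: oven-sh/setup-bun@fedcba9876543210fedcba9876543210fedcba98
"""

# Constructed sample package.json: two exact pins, a caret and a tilde range.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "devDependencies": {
        "syncpack": "13.0.0",
        "tsdown": "0.9.9",
        "typescript": "^5.4.0",
        "eslint": "~9.0.0",
    },
})

if __name__ == "__main__":
    for uses, reason in unpinned_action_uses(SAMPLE_WORKFLOW):
        print(f"workflow: {uses}: {reason}")
    print("top-level read-all:", has_read_all_default(SAMPLE_WORKFLOW))
    for name, spec in ranged_dev_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"devDependency not exact: {name} = {spec}")
```

Run against the constructed inputs it reports the `@v6` tag, the comment-less SHA pin and the two ranged devDependencies, and passes the exact pins and the local action. Wire the two functions over `.github/workflows/*.yml` and each workspace `package.json` to get a CI gate equivalent in spirit to the one the PR adds.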