
Supply-chain hardening: release-age gate, exact pins (syncpack), SHA-pinned actions, CodeQL + Scorecard #3

Open
danfry1 wants to merge 4 commits into main from supply-chain-hardening

Conversation

@danfry1 danfry1 (Owner) commented Jun 14, 2026

Applies the supply-chain best practices used in danfry1/bonsai-js and danfry1/reflow-ts.

Dependency hygiene

  • Release-age gate: bunfig.toml minimumReleaseAge=604800 (7d); installs refuse versions published more recently, so most malicious releases get caught/yanked first.
  • Dependabot cooldown: .github/dependabot.yml (bun + github-actions, weekly, 7-day cooldown at every semver level, grouped dev/prod) mirrors the install-time gate.
  • Exact dev pins via syncpack (.syncpackrc.json): all devDependencies pinned to exact versions (no ^/~); runtime/peer keep ranges. Enforced in CI via bun run lint:deps. typescript/eslint/@typescript-eslint/utils stay ranged (entangled peer↔dev) — the committed bun.lock pins their resolved versions regardless.
  • Committed lockfile + bugs metadata on publishable packages.

CI / workflow security

  • SHA-pinned actions — every action pinned to a full commit SHA (version comment retained), reusing the same SHAs as your other repos for consistency.
  • Least privilege — workflows default to permissions: read-all; write scopes granted only per-job.
  • lint:deps gate in CI; checkout/setup-node bumped to v6 (also clears the Node 20 deprecation warning).
  • CodeQL (codeql.yml) + OpenSSF Scorecard (scorecard.yml) on push + weekly.
  • CODEOWNERS (* @danfry1).

Docs

SECURITY.md gains a "Supply-chain hardening" section; CONTRIBUTING.md documents the pinning workflow.

Notes

  • No package behavior changes → no changeset (devDeps/CI/infra only; nothing shipped changes).
  • Verified locally: syncpack lint clean, --frozen-lockfile in sync, typecheck + ~216 tests + build all green, all workflow YAML parses.
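A small audit script for the pinning rules described in this PR, added here as an illustration; it is not code from the PR or the repository. It assumes only the policy as stated (every `uses:` ref a full 40-hex commit SHA with a version comment, `permissions: read-all` at the top level, exact devDependency pins with a named allow-list for the entangled packages) and runs on constructed sample inputs.

```javascript
// Added example (not from the PR): audits a workflow for SHA-pinned actions and a
// read-all permissions default, and a package.json for exact devDependency pins.
const USES_LINE = /^\s*-?\s*uses:\s*([^@\s]+)@([^\s#]+)\s*(#.*)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// One finding per `uses:` line whose ref is not a full commit SHA, or whose
// SHA pin lacks the "# vX" version comment that keeps the pin reviewable.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (!m || m[1].startsWith("docker://")) return; // docker refs use image digests, not git SHAs
    const [, action, ref, comment] = m;
    if (!FULL_SHA.test(ref)) {
      findings.push({ line: i + 1, action, problem: `ref "${ref}" is not a full commit SHA` });
    } else if (!comment) {
      findings.push({ line: i + 1, action, problem: "SHA pin has no version comment" });
    }
  });
  return findings;
}

// True when the workflow sets `permissions: read-all` at the top level.
function hasReadAllDefault(yamlText) {
  return /^permissions:\s*read-all\s*$/m.test(yamlText);
}

// Exact pin: bare x.y.z (prerelease/build allowed); anything with ^ ~ > < * x or || is a range.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// devDependencies still expressed as ranges; `allowRanged` lists the
// entangled peer/dev packages the PR deliberately leaves ranged.
function rangedDevDeps(pkg, allowRanged = []) {
  return Object.entries(pkg.devDependencies || {})
    .filter(([name, spec]) => !allowRanged.includes(name) && !EXACT.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Constructed sample inputs; the 40-hex SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
name: ci
permissions: read-all
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/setup-node@v6
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
`;
const SAMPLE_PKG = { devDependencies: { tsdown: "0.9.9", typescript: "^5.4.0", eslint: "~9.0.0", syncpack: "13.0.0" } };
console.log(auditWorkflow(SAMPLE_WORKFLOW), hasReadAllDefault(SAMPLE_WORKFLOW), rangedDevDeps(SAMPLE_PKG, ["typescript"]));
```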

danfry1 added 2 commits June 14, 2026 16:38
… pins

- bunfig.toml: minimumReleaseAge=604800 (7d) — refuse freshly-published versions
- .github/dependabot.yml: bun + github-actions, weekly, 7-day cooldown, grouped
- syncpack (.syncpackrc.json): devDependencies pinned to exact versions across all
  packages; runtime/peer keep ranges. lint:deps/fix:deps scripts; CI-enforced.
  typescript/eslint/@typescript-eslint/utils kept as ranges (entangled peer/dev).
- add bugs field to publishable packages
- document the posture in SECURITY.md + CONTRIBUTING.md
- pin every GitHub Action to a full commit SHA (with version comment)
- permissions: read-all by default; write scopes only on the jobs that need them
- ci: add lint:deps gate; bump checkout/setup-node to v6 (clears Node20 deprecation)
- add CodeQL (codeql.yml) and OpenSSF Scorecard (scorecard.yml) workflows
- add CODEOWNERS
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

danfry1 added 2 commits June 14, 2026 16:42
…loor

Exact-pinning tsdown from ^0.9.0 resolved to 0.9.0, which rejects the
`--format esm,cjs` CLI flag and broke the faultline build. 0.9.9 is the
version the lockfile already used and that supports the flag.
- replace standalone codeql.yml/scorecard.yml with calls to the shared
  reusable workflows (single source of truth, DRY across repos)
- SECURITY.md links to the canonical supply-chain guide in danfry1/standards
