Conversation
nmccready
commented
Dec 29, 2025
nmccready
commented
- fix: bump dependencies to remove CVE issues and modernice eslint / mocha
- chore: githhub actions for automations
nmccready
force-pushed
the
fix/dependencies_and_automate
branch
from
c5fb4f2 to
14409da
Compare
phated
left a comment
phated
left a comment
There was a problem hiding this comment.
I deal with GitHub Actions and their (lack of) security a lot so I provided some guidance on how to avoid footguns.
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Use Node.js ${{ matrix.node-version }} | ||
| uses: actions/setup-node@v6 |
There was a problem hiding this comment.
Recommend pinning actions to commit hashes as per the default behavior of "unpinned hashes" in zizmor: https://docs.zizmor.sh/audits/#unpinned-uses
There was a problem hiding this comment.
Need more context? Suggesting a full version pin here? Sorry I have not got into linting Actions yet... yay more boilerplate .
There was a problem hiding this comment.
Done! Pinned all GitHub Actions to their commit hashes across all workflow files:
actions/checkout@v4→actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5actions/setup-node@v3→actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610actions/setup-node@v6→actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
Version tags are preserved in trailing comments for readability. This follows the zizmor 'unpinned-uses' security recommendation.
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '20.x' | ||
| registry-url: 'https://registry.npmjs.org' |
There was a problem hiding this comment.
| registry-url: 'https://registry.npmjs.org' | |
| registry-url: 'https://registry.npmjs.org |
typo
There was a problem hiding this comment.
Were you meaning to get rid of both quotes?
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Publish to npm | ||
| run: | # npm 11.15.1 for OIDC support | ||
| npm install -g npm@11 |
There was a problem hiding this comment.
perhaps use a newer node to publish to avoid needing to install an unpinned npm version
There was a problem hiding this comment.
Yeah, currently still running with mainly 20 for most things and older npm, only recently moved to 11 NPM for OIDC support.
| run: | # npm 11.15.1 for OIDC support | ||
| npm install -g npm@11 | ||
| npm ci | ||
| npm install |
There was a problem hiding this comment.
Don't bare npm install if you are including a lockfile. Always npm ci
There was a problem hiding this comment.
Fixed! Changed all npm install to npm ci in tests.yml and release.yml, and enabled npm caching since we now have a lockfile. Also removed the unnecessary npm install -g npm@11 from tests (only needed for OIDC publish).
There was a problem hiding this comment.
I disagree with automerging because a tainted dependency can land in a dependabot PR and then it'll get auto merged. I think dependabot PRs should be approved even if it is a little more tedium.
There was a problem hiding this comment.
You can set up github branch protection rules that do this instead of adding workflows and dependencies.
There was a problem hiding this comment.
Example? I know this works, been using this for a while.
There was a problem hiding this comment.
I understand branch protection rules can validate commit messages, but the workflow approach has a few advantages: it's visible in the repo, works consistently across forks, and provides clear CI feedback. That said, if you'd prefer branch protection, I can remove the commitlint workflow and dependencies — just let me know your preference as the maintainer.
| with: # important, must be defined on checkout to kick publish (defining in setup/node doesn't work) | ||
| token: ${{ secrets.GH_TOKEN }} |
There was a problem hiding this comment.
All my projects use release-please to avoid this. It opens a PR so the merge commit triggers CI correctly.
There was a problem hiding this comment.
I looked into release-please — it's a solid option! The current approach with commit-and-tag-version is simpler (no extra GH App/action needed) and fits the existing workflow, but I'm open to switching if you prefer release-please. For reference: https://github.com/googleapis/release-please-action
The trade-off is release-please creates a 'release PR' which requires an extra merge step, while the current approach auto-tags on master push. Both are valid — your call as maintainer.
Addresses zizmor 'unpinned-uses' audit recommendation. Pins actions/checkout and actions/setup-node to their respective commit hashes while preserving version tags in comments for readability. See: https://docs.zizmor.sh/audits/#unpinned-uses
- Replace npm install with npm ci in tests.yml and release.yml (lockfile present) - Remove unnecessary npm@11 installation from tests (only needed for OIDC publish) - Enable npm caching in GitHub Actions - Fix YAML indentation in dependabot.yml (cooldown/groups)
|
Clarification on npm@11: npm 11 is required for OIDC-based npm publish with provenance (publishing without 2FA/tokens via GitHub Actions). It's correctly retained in It was only removed from Summary:
|
|
@phated what else can we do? |
3 participants
