chore: Supply chain hardening #15876
elliott-with-the-longest-name-on-github wants to merge 3 commits into
| @@ -1,3 +1,13 @@ | |||
| minimumReleaseAge: 1440 | |||
| minimumReleaseAgeExclude: | |||
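Review bot: every entry under `minimumReleaseAgeExclude` bypasses the `minimumReleaseAge: 1440` delay entirely, so each exclusion is a direct-trust decision rather than a convenience; add a YAML comment per entry saying why it is excluded (the thread below makes that case for vite, zimmerframe and esm-env) so the list does not silently grow in later bumps.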
There was a lot more that needed to be excluded in vps https://github.com/sveltejs/vite-plugin-svelte/blob/71f93de833a48f1f7134b56d9a38d0e2d1255d1c/pnpm-workspace.yaml#L9
Hmm. zimmerframe and esm-env seem legit but it's weird to exclude the other ones. They're legitimately outside our sphere of influence / direct trust.
While true that we don't control them, I have a lot of trust in Vite and we have to bump it a lot for testing new beta releases, addressing CVEs, etc. and it gets annoying if we can't do that.
- Increase minimumReleaseAge from 1440 (1 day) to 2880 (2 days)
- Add zimmerframe, prettier-plugin-svelte, svelte-check, and esm-env to minimumReleaseAgeExclude
@elliott-with-the-longest-name-on-github I hope you don't mind I pushed 40a2a17 to use the full action version in the comments for clarity and prevent tooling issues - I started creating review comments and there were so many... 😄
| - uses: actions/checkout@v6 | ||
| - uses: pnpm/action-setup@v6.0.8 | ||
| - uses: actions/setup-node@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false |
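Review bot: the `# v6.0.2` comment beside the SHA is what keeps the pin readable and what version-bump tooling uses to update the comment together with the hash, so every pinned `uses:` line should carry the same `# vX.Y.Z` form; the `pnpm/action-setup@v6.0.8` and `actions/setup-node@v6` lines shown in this hunk are still tag references and need the same SHA-plus-comment treatment if they remain after this change.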
| @@ -36,24 +36,12 @@ permissions: | |||
| contents: read # to fetch code (actions/checkout) | |||
we could do persist-credentials: false a bunch in this file, but may be worth doing in a follow up as it's hard to tell if it'll break 🤔
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| ref: ${{ inputs.sha || github.sha }} |
| ref: ${{ inputs.sha || github.sha }} | |
| ref: ${{ inputs.sha || github.sha }} | |
| persist-credentials: false |
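Review bot: `ref: ${{ inputs.sha || github.sha }}` checks out whichever commit the caller passes in, so the `persist-credentials: false` suggestion above matters most on this step: with credentials persisted, actions/checkout writes the job token into the checked-out repository's git config, where any script run from that tree can read it. Take the suggestion here even if the rest of the file waits for the follow-up mentioned above, and document which triggers are allowed to supply `inputs.sha`.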
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: 24.x | ||
| cache: pnpm |
| cache: pnpm | |
| cache: '' | |
| package-manager-cache: false |
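Review bot: the suggestion needs both `cache: ''` and `package-manager-cache: false`, and nothing in the hunk records why; add a YAML comment on the step stating that both keys are required to stop setup-node restoring a cache in the release job, otherwise a later cleanup is likely to drop one of them as redundant and silently re-enable cache restore.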
Disabling cache in the release workflow can help reduce the risk of cache poisoning attacks being able to get code published - this seems to be the way to do it with actions/setup-node, however verbose.
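A lint for the three rules this review applies, as an added example that is not the PR's or the repository's code: every `uses:` pinned to a 40-hex commit SHA with a `# vX.Y.Z` comment, `persist-credentials: false` on every checkout, and no setup-node cache in a release workflow. The embedded workflow is constructed from the steps in this diff; the checker assumes plain YAML step lists and does not resolve anchors or expressions.

```python
import re

# Constructed sample (not a repository file): tag-pinned steps from this PR's diff beside hardened ones.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up node
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          cache: pnpm
"""

# Group 1 ends at the column of the 'uses' key, for both '- uses:' and '  uses:' forms.
USES_RE = re.compile(r"^(\s*(?:-\s*)?)uses:\s*([^\s#]+)\s*(?:#\s*(v\S+))?")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")

def step_block(lines, start, key_col):
    """Text of the step from lines[start] until the next line indented less than its keys."""
    block = [lines[start]]
    for line in lines[start + 1:]:
        if line.strip() and len(line) - len(line.lstrip()) < key_col:
            break
        block.append(line)
    return "\n".join(block)

def audit_workflow(text, release=False):
    """Return (line_no, finding) pairs for the three hardening rules from the review."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        key_col, ref, comment = len(m.group(1)), m.group(2), m.group(3)
        block = step_block(lines, i, key_col)
        if not SHA_RE.search(ref):
            findings.append((i + 1, f"{ref}: not pinned to a 40-hex commit SHA"))
        elif not comment:
            findings.append((i + 1, f"{ref}: SHA pin has no '# vX.Y.Z' comment"))
        if ref.startswith("actions/checkout@") and "persist-credentials: false" not in block:
            findings.append((i + 1, f"{ref}: persist-credentials not disabled"))
        if release and ref.startswith("actions/setup-node@"):
            cache = re.search(r"^\s*cache:\s*(\S+)", block, re.M)
            if (cache and cache.group(1) not in ("''", '""')) or "package-manager-cache: false" not in block:
                findings.append((i + 1, f"{ref}: cache not fully disabled for a release workflow"))
    return findings
```

Run `audit_workflow(open(".github/workflows/release.yml").read(), release=True)` on each workflow in the PR to get a list that stays empty once the pins, `persist-credentials` and cache settings from this review are all in place.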
Supply-chain hardening pass.
Changes
- pnpm-workspace.yaml:
  - minimumReleaseAge: 1440
  - minimumReleaseAgeExclude: ['@sveltejs/*', svelte, esrap, devalue]
  - blockExoticSubdeps: true
  - linkWorkspacePackages: true (migrated from .npmrc)
  - shellEmulator: true (migrated from .npmrc)
- .npmrc (all settings migrated to pnpm-workspace.yaml)
- pkg-pr-new job from ci.yml
- # vX.Y.Z comments across ci.yml, audit.yml, autofix-lint.yml, release.yml, platform-tests-vercel.yml, and the local composite actions in .github/actions/platform-test/action.yml and .github/actions/vercel-deploy/action.yml:
  - actions/checkout@v6
  - actions/setup-node@v6
  - actions/upload-artifact@v7
  - actions/github-script@v9
  - pnpm/action-setup@v6.0.8
  - denoland/setup-deno@v2
  - changesets/action@v1