2 changes: 1 addition & 1 deletion .github/actions/platform-test/action.yml
Expand Up @@ -25,7 +25,7 @@ runs:

- name: Upload test artifacts
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: platform-test-results-${{ github.job }}
path: ${{ inputs.test-app-dir }}/test-results
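Review bot: on the new `uses: actions/upload-artifact@043fb46d... # v7.0.1` line, the trailing comment is the only thing tying the 40-character SHA to a release, and nothing in the diff proves the two match. Before merging, confirm that this SHA is the commit the upstream `v7.0.1` tag points at, and do the same for every other pin in this PR, since a SHA that resolves only through a fork of the action repository would still be accepted by the runner.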
4 changes: 2 additions & 2 deletions .github/actions/vercel-deploy/action.yml
Expand Up @@ -24,9 +24,9 @@ outputs:
runs:
using: 'composite'
steps:
- uses: pnpm/action-setup@v6.0.8
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8

- uses: actions/setup-node@v6
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
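Review bot: `cache: pnpm` on the `actions/setup-node` step stays enabled in this composite action, which by its path (`vercel-deploy`) feeds a deployment. A restored dependency cache is state written by earlier workflow runs, so pinning the action SHA does not cover it. Consider turning the cache off here (setup-node accepts `package-manager-cache: false`) or adding a comment that explains why the cache is trusted on the deploy path.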
6 changes: 3 additions & 3 deletions .github/workflows/audit.yml
Expand Up @@ -17,9 +17,9 @@ jobs:
if: github.repository == 'sveltejs/kit'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Member

Suggested change
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24.x'
cache: pnpm
8 changes: 4 additions & 4 deletions .github/workflows/autofix-lint.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
- name: Get PR ref
if: github.event_name != 'workflow_dispatch'
id: pr
uses: actions/github-script@v9
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
script: |
const { data: pull } = await github.rest.pulls.get({
Expand All @@ -46,12 +46,12 @@ jobs:
core.setFailed('PR is from a fork');
}
core.setOutput('ref', pull.head.ref);
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
if: github.event_name == 'workflow_dispatch' || steps.pr.outcome == 'success'
with:
ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || steps.pr.outputs.ref }}
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
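Review bot: the `actions/checkout` step in this hunk sets `ref:` but says nothing about `persist-credentials`, and unlike the read-only jobs this workflow (`autofix-lint.yml`) presumably needs the token left in the checkout to push fixes back to `steps.pr.outputs.ref`. If a follow-up applies `persist-credentials: false` across the workflows, add an explicit `persist-credentials: true` with a one-line comment here so the exception is a recorded decision rather than an inherited default.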
58 changes: 23 additions & 35 deletions .github/workflows/ci.yml
Expand Up @@ -36,24 +36,12 @@ permissions:
contents: read # to fetch code (actions/checkout)
Member

we could do persist-credentials: false a bunch in this file, but may be worth doing in a follow up as it's hard to tell if it'll break 🤔


jobs:
pkg-pr-new:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
with:
node-version: 24
cache: pnpm
- run: pnpm install --frozen-lockfile
- run: pnpm build
- run: pnpx pkg-pr-new publish --comment=off ./packages/*
lint-all:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
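Review bot: going by the `-36,24 +36,12` header, the whole `pkg-pr-new` job (checkout, install, build, `pnpx pkg-pr-new publish --comment=off ./packages/*`) is removed in this hunk, which is a behavioural change beyond SHA pinning. Please state in the PR description why preview publishing is dropped or where it now runs; if it is moving to a separate workflow, that file should pin its actions the same way as `lint-all` does here.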
Expand Down Expand Up @@ -93,9 +81,9 @@ jobs:
MATRIX_VITE: ${{matrix.vite}}
steps:
- run: git config --global core.autocrlf false
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ matrix.node-version }}
cache: pnpm
Expand All @@ -121,7 +109,7 @@ jobs:
run: find packages -type d -name test-results -not -empty | tar -czf test-results.tar.gz --files-from=-
- name: Upload test results
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
retention-days: 3
name: test-failure-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }}-vite-${{matrix.vite}}
Expand Down Expand Up @@ -161,9 +149,9 @@ jobs:
KIT_E2E_BROWSER: ${{matrix.e2e-browser}}
steps:
- run: git config --global core.autocrlf false
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{ matrix.node-version }}
cache: pnpm
Expand All @@ -179,7 +167,7 @@ jobs:
run: find packages -type d -name test-results -not -empty | tar -czf test-results-cross-platform-${{ matrix.mode }}.tar.gz --files-from=-
- name: Upload test results
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
retention-days: 3
name: test-failure-cross-platform-${{ matrix.mode }}-${{ github.run_id }}-${{ matrix.os }}-${{ matrix.node-version }}-${{ matrix.e2e-browser }}
Expand All @@ -195,9 +183,9 @@ jobs:
- mode: 'build'
steps:
- run: git config --global core.autocrlf false
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
Expand All @@ -213,7 +201,7 @@ jobs:
run: find packages -type d -name test-results -not -empty | tar -czf test-results-server-side-route-resolution-${{ matrix.mode }}.tar.gz --files-from=-
- name: Upload test results
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
retention-days: 3
name: test-failure-server-side-route-resolution-${{ matrix.mode }}-${{ github.run_id }}
Expand All @@ -229,9 +217,9 @@ jobs:
- mode: 'build'
steps:
- run: git config --global core.autocrlf false
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24
cache: pnpm
Expand All @@ -247,7 +235,7 @@ jobs:
run: find packages -type d -name test-results -not -empty | tar -czf test-results-svelte-async-${{ matrix.mode }}.tar.gz --files-from=-
- name: Upload test results
if: failure()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
retention-days: 3
name: test-failure-svelte-async-${{ matrix.mode }}-${{ github.run_id }}
Expand All @@ -258,14 +246,14 @@ jobs:
matrix:
node-version: [18, 20, 22, 24]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6.0.8
- uses: actions/setup-node@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: ${{matrix.node-version}}
cache: pnpm
# required for testing netlify edge functions
- uses: denoland/setup-deno@v2
- uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4
with:
deno-version: ^2.2.4
- run: pnpm install --frozen-lockfile
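Review bot: `deno-version: ^2.2.4` under the newly pinned `denoland/setup-deno` step is still a semver range, so the SHA fixes the action's own code but not the Deno release it downloads. If the aim of this PR is reproducible CI tooling, pin an exact Deno version here as well, or add a comment saying the range is deliberate.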
2 changes: 1 addition & 1 deletion .github/workflows/platform-tests-vercel.yml
Expand Up @@ -28,7 +28,7 @@ jobs:
timeout-minutes: 15
environment: '@sveltejs/adapter-vercel platform tests'
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ inputs.sha || github.sha }}
Member

Suggested change
ref: ${{ inputs.sha || github.sha }}
ref: ${{ inputs.sha || github.sha }}
persist-credentials: false


8 changes: 4 additions & 4 deletions .github/workflows/release.yml
Expand Up @@ -23,13 +23,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
fetch-depth: 0
- uses: pnpm/action-setup@v6.0.8
- uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- name: Setup Node.js
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 24.x
cache: pnpm
Member

Suggested change
cache: pnpm
cache: ''
package-manager-cache: false

Disabling cache in the release workflow can help reduce risk of cache poisoning attacks being able to get code published - this seems to be the way to do it with actions/setup-node, however verbose

Expand All @@ -38,7 +38,7 @@ jobs:

- name: Create Release Pull Request or Publish to npm
id: changesets
uses: changesets/action@v1
uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
with:
# This expects you to have a script called release which does a build for your packages and calls changeset publish
publish: pnpm changeset:release
2 changes: 0 additions & 2 deletions .npmrc

This file was deleted.

14 changes: 14 additions & 0 deletions pnpm-workspace.yaml
@@ -1,3 +1,17 @@
minimumReleaseAge: 2880
minimumReleaseAgeExclude:
Member

Contributor Author

Hmm. zimmerframe and esm-env seem legit but it's weird to exclude the other ones. They're legitimately outside our sphere of influence / direct trust

Member

While true that we don't control them, I have a lot of trust in Vite and we have to bump it a lot for testing new beta releases, addressing CVEs, etc. and it gets annoying if we can't do that

- '@sveltejs/*'
- svelte
- esrap
- devalue
- zimmerframe
- prettier-plugin-svelte
- svelte-check
- esm-env
blockExoticSubdeps: true
linkWorkspacePackages: true
shellEmulator: true

packages:
- packages/*
- packages/adapter-cloudflare/test/apps/*
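Review bot: `minimumReleaseAge: 2880` at the top of the file carries no unit; pnpm reads this value in minutes, so a trailing comment such as `# 48 hours` would save readers a lookup. Each `minimumReleaseAgeExclude` entry skips that delay entirely, and `'@sveltejs/*'` is a scope-wide wildcard, so a short comment recording why these packages are exempt (for example, that they are published by the same maintainers) would make later additions to the list easier to review.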