From eccd2ab8cd3ed2e53b58251767b9b6206a6f0dc1 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 24 Jun 2026 01:07:43 +0000 Subject: [PATCH] ci: align SHA pins, add pnpm audit, and add change detection to TypeScript CIs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Align actions/checkout SHA to 9c091bb2 (canonical post-#29 Dependabot pin) in reusable-ci-docker.yml, reusable-ci-terraform.yml, and reusable-ci-typescript-lib.yml — all three had the pre-bump de0fac2e SHA. - Align pnpm/action-setup SHA to 0ebf4713 in reusable-ci-typescript-lib.yml (was 71c92474, which diverged when #29 bumped the other workflows). - Align github/codeql-action/upload-sarif SHA to 8aad20d1 in reusable-ci-docker.yml (was 95e58e9a, stale relative to all other callers). - Add pnpm audit job to reusable-ci-typescript.yml and reusable-ci-typescript-lib.yml, closing the gap with reusable-ci-nextjs-monorepo.yml and the ORG_SETTINGS.md required checks. - Add dorny/paths-filter change detection to reusable-ci-typescript.yml, matching the pattern used by the lib, Rust, Python, and Solidity CIs. - Add hashicorp/setup-terraform and terraform-linters/setup-tflint to the ORG_SETTINGS.md Actions allow-list (both used in reusable-ci-terraform.yml but previously omitted from the allow-list source of truth). Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_014EVAdrE6agqSNHqvi6JhsR Signed-off-by: Claude --- .github/workflows/reusable-ci-docker.yml | 8 +-- .github/workflows/reusable-ci-terraform.yml | 8 +-- .../workflows/reusable-ci-typescript-lib.yml | 36 +++++++++---- .github/workflows/reusable-ci-typescript.yml | 51 ++++++++++++++++++- ORG_SETTINGS.md | 4 +- 5 files changed, 88 insertions(+), 19 deletions(-) diff --git a/.github/workflows/reusable-ci-docker.yml b/.github/workflows/reusable-ci-docker.yml index c285379..9e88977 100644 --- a/.github/workflows/reusable-ci-docker.yml +++ b/.github/workflows/reusable-ci-docker.yml @@ -69,7 +69,7 @@ jobs: outputs: docker: ${{ steps.filter.outputs.docker }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -88,7 +88,7 @@ jobs: if: needs.changes.outputs.docker == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: Install hadolint env: HADOLINT_VERSION: ${{ inputs.hadolint-version }} @@ -127,7 +127,7 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - name: docker build env: @@ -181,7 +181,7 @@ jobs: "${IMAGE_NAME}:ci" - name: Upload Trivy SARIF to GitHub Security tab - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4 with: sarif_file: trivy-results.sarif category: trivy-docker diff --git a/.github/workflows/reusable-ci-terraform.yml b/.github/workflows/reusable-ci-terraform.yml index 118cd24..eafd6f2 100644 --- a/.github/workflows/reusable-ci-terraform.yml +++ b/.github/workflows/reusable-ci-terraform.yml @@ -57,7 +57,7 @@ jobs: outputs: terraform: ${{ steps.filter.outputs.terraform }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -76,7 +76,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -99,7 +99,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 with: terraform_version: ${{ inputs.terraform-version }} @@ -128,7 +128,7 @@ jobs: if: needs.changes.outputs.terraform == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 - uses: terraform-linters/setup-tflint@b480b8fcdaa6f2c577f8e4fa799e89e756bb7c93 # v6.2.2 with: tflint_version: ${{ inputs.tflint-version }} diff --git a/.github/workflows/reusable-ci-typescript-lib.yml b/.github/workflows/reusable-ci-typescript-lib.yml index 1d1f139..b1e5950 100644 --- a/.github/workflows/reusable-ci-typescript-lib.yml +++ b/.github/workflows/reusable-ci-typescript-lib.yml @@ -50,13 +50,31 @@ permissions: contents: read jobs: + audit: + name: pnpm audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version-file: ${{ inputs.node-version-file }} + cache: pnpm + - run: pnpm install --frozen-lockfile + - name: pnpm audit + working-directory: ${{ inputs.working-directory }} + shell: bash + run: | + set -euo pipefail + pnpm audit --audit-level=moderate + changes: name: detect changes runs-on: ubuntu-latest outputs: typescript: ${{ steps.filter.outputs.typescript }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 with: fetch-depth: 0 - id: filter @@ -84,8 +102,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -102,8 +120,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -120,8 +138,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} @@ -138,8 +156,8 @@ jobs: run: working-directory: ${{ inputs.working-directory }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@71c92474e7e4f5bca283fb17ef80fba9cdb2b4b1 # v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version-file: ${{ inputs.node-version-file }} diff --git a/.github/workflows/reusable-ci-typescript.yml b/.github/workflows/reusable-ci-typescript.yml index 7a503dd..70e8bfe 100644 --- a/.github/workflows/reusable-ci-typescript.yml +++ b/.github/workflows/reusable-ci-typescript.yml @@ -62,8 +62,52 @@ permissions: contents: read jobs: + audit: + name: pnpm audit + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version-file: ${{ inputs.node-version-file }} + cache: pnpm + - run: pnpm install --frozen-lockfile + - name: pnpm audit + shell: bash + run: | + set -euo pipefail + pnpm audit --audit-level=moderate + + changes: + name: detect changes + runs-on: ubuntu-latest + outputs: + typescript: ${{ steps.filter.outputs.typescript }} + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + with: + fetch-depth: 0 + - id: filter + uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 + with: + filters: | + typescript: + - '**/*.ts' + - '**/*.tsx' + - '**/*.mts' + - '**/*.cts' + - '**/tsconfig*.json' + - '**/package.json' + - 'pnpm-lock.yaml' + - '.nvmrc' + - '.node-version' + - '.github/workflows/**' + typecheck: name: tsc + needs: changes + if: needs.changes.outputs.typescript == 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 @@ -87,6 +131,8 @@ jobs: lint: name: lint + needs: changes + if: needs.changes.outputs.typescript == 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 @@ -110,6 +156,8 @@ jobs: test: name: test + needs: changes + if: needs.changes.outputs.typescript == 'true' runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 @@ -133,7 +181,8 @@ jobs: build: name: build - if: ${{ !inputs.skip-build }} + needs: changes + if: needs.changes.outputs.typescript == 'true' && !inputs.skip-build runs-on: ubuntu-latest steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 diff --git a/ORG_SETTINGS.md b/ORG_SETTINGS.md index 40823b6..97f9e1d 100644 --- a/ORG_SETTINGS.md +++ b/ORG_SETTINGS.md @@ -95,7 +95,9 @@ At **Settings → Actions → General**: aquasecurity/trivy-action@*, sigstore/cosign-installer@*, opentofu/setup-opentofu@*, - actions/attest-build-provenance@* + actions/attest-build-provenance@*, + hashicorp/setup-terraform@*, + terraform-linters/setup-tflint@* ``` To audit drift against what's actually referenced in the