Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5.
ci.yml:
- 11 third-party actions SHA-pinned with # vN.m.k comments
- actions/checkout@34e114876b... (v4.3.1)
- actions/setup-node@49933ea5288... (v4.4.0)
- dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
- Swatinem/rust-cache@c19371144... (v2.9.1)
.github/dependabot.yml (NEW):
- 3 ecosystems weekly: github-actions, npm, cargo
- PR cap 5, labels [dependencies, <ecosystem>]
- Auto-opens update PRs for SHA bumps — human reviews, not silent churn
_ts_packages/packages/mcp-server/bun.lock (NEW — placeholder):
- 13-line comment explaining H4 gate
- Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release
- release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback —
missing real lockfile fails the build deliberately
BUILD.md:
- New 'Lockfile' section (19 LOC) documenting the pre-release workflow
CHANGELOG.md:
- [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit
All SHAs E1 (verified via api.github.com or reused from release.yml).
NEXT STEP BEFORE TAGGING v0.19.1:
Populate real bun.lock locally, commit, then tag. Workflow will fail
on missing/stale lockfile — that's the point of H4 defense.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
13 lines
611 B
Text
# bun.lock placeholder — v0.19.1
#
# This file MUST be replaced with a real bun lockfile BEFORE any release tag
# is pushed. The release.yml workflow (since v0.19.1) uses
# `bun install --frozen-lockfile` with NO fallback — a missing real lockfile
# will fail the build deliberately (H4 supply-chain defense).
#
# To populate:
# cd _ts_packages/packages/mcp-server && bun install
# Then commit the generated bun.lock (overwrites this placeholder).
#
# Until populated, the release workflow will fail at the bun install step —
# intentional gate to force the lockfile into the repo before first release.
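The commit message above describes SHA-pinning every third-party action in ci.yml with a `# vN.m.k` comment (H5). The following POSIX sh check is an added example, not part of this commit or the project: it scans a workflow file and reports any `uses:` that is not pinned to a full 40-hex commit SHA followed by a version comment, skipping local (`./`) and `docker://` references. The function names `nonconforming_uses`, `check_pinned` and `count_nonconforming`, the sample workflow text, and the `deadbeef…` SHA are constructed for the example; the action names are the ones listed in the commit.

```shell
#!/bin/sh
# Added example (not the project's own code): verify that every third-party
# GitHub Action in a workflow is pinned to a 40-hex commit SHA and carries a
# "# version" comment, the convention the commit applies to ci.yml.
# Assumes the common unquoted form `- uses: owner/repo@ref`.

# Print every `uses:` line (with its line number) that is NOT a conforming
# SHA pin. Conforming means: owner/repo@<40 hex chars> followed by a comment.
# Local actions (./path) and docker:// images are out of scope and skipped.
nonconforming_uses() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
    | grep -vE 'uses:[[:space:]]*[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+@[0-9a-f]{40}[[:space:]]+#[[:space:]]*[^[:space:]].*$'
}

# Exit 0 when every third-party action is pinned and commented, 1 otherwise.
check_pinned() {
  if nonconforming_uses "$1" | grep -q .; then
    return 1
  fi
  return 0
}

# Number of non-conforming `uses:` lines (0 when the file is clean).
count_nonconforming() {
  nonconforming_uses "$1" | grep -c . || true
}

# Constructed sample workflows. The SHA below is a placeholder, not a real
# commit of actions/checkout.
GOOD_WF=$(mktemp)
BAD_WF=$(mktemp)
trap 'rm -f "$GOOD_WF" "$BAD_WF"' EXIT

cat > "$GOOD_WF" <<'EOF'
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4.3.1
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
EOF

cat > "$BAD_WF" <<'EOF'
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: dtolnay/rust-toolchain@stable
EOF

# Stand-alone run: report each sample file.
for wf in "$GOOD_WF" "$BAD_WF"; do
  if check_pinned "$wf"; then
    echo "OK: all third-party actions SHA-pinned and commented in $wf"
  else
    echo "FAIL: unpinned or uncommented actions in $wf:"
    nonconforming_uses "$wf"
  fi
done
```

Run it as a pre-commit or CI step over `.github/workflows/*.yml`; a mutable tag such as `@v4` or `@stable` fails the check, and so does a SHA pin with no version comment, since the comment is what lets a reviewer (or Dependabot's PR) tell which release the hash corresponds to.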