ca046e61c1
Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5.
ci.yml:
- 11 third-party actions SHA-pinned with # vN.m.k comments
- actions/checkout@34e114876b... (v4.3.1)
- actions/setup-node@49933ea5288... (v4.4.0)
- dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
- Swatinem/rust-cache@c19371144... (v2.9.1)
.github/dependabot.yml (NEW):
- 3 ecosystems weekly: github-actions, npm, cargo
- PR cap 5, labels [dependencies, <ecosystem>]
- Auto-opens update PRs for SHA bumps — human reviews, not silent churn
_ts_packages/packages/mcp-server/bun.lock (NEW — placeholder):
- 13-line comment explaining H4 gate
- Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release
- release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback —
missing real lockfile fails the build deliberately
BUILD.md:
- New 'Lockfile' section (19 LOC) documenting the pre-release workflow
CHANGELOG.md:
- [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit
All SHAs E1 (verified via api.github.com or reused from release.yml).
NEXT STEP BEFORE TAGGING v0.19.1:
Populate real bun.lock locally, commit, then tag. Workflow will fail
on missing/stale lockfile — that's the point of H4 defense.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
86 lines
3.3 KiB
YAML
86 lines
3.3 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
|
|
# v0.19.1 supply-chain hardening (H5): every third-party action is pinned
|
|
# by full commit SHA. A floating tag like @v4 can be re-pointed by a
|
|
# compromised maintainer (CVE-2025-30066 class). The `# vN.m.k` comment
|
|
# next to each SHA is a human-readable hint only — the SHA is the load-
|
|
# bearing identifier. When Dependabot proposes a bump, review the new SHA
|
|
# against the release tag before merging.
|
|
|
|
jobs:
|
|
rust-assembler:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
|
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master)
|
|
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
|
with:
|
|
workspaces: _assembler
|
|
- run: cd _assembler && cargo test --release
|
|
|
|
rust-primitives:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
|
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master)
|
|
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
|
with:
|
|
workspaces: _primitives/_rust
|
|
- run: cd _primitives/_rust && cargo test --workspace --release
|
|
|
|
ts-packages:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
node: ['20', '22']
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
|
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
|
with:
|
|
node-version: ${{ matrix.node }}
|
|
- run: cd _ts_packages && npm ci
|
|
- run: cd _ts_packages && npm run build --workspaces
|
|
- run: cd _ts_packages && npm test --workspaces --if-present
|
|
|
|
install-dry-run:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
matrix:
|
|
os: [ubuntu-latest, macos-latest]
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
|
- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master)
|
|
- name: Install hard deps (Ubuntu)
|
|
if: matrix.os == 'ubuntu-latest'
|
|
run: sudo apt-get update && sudo apt-get install -y jq pandoc
|
|
- name: Install hard deps (macOS)
|
|
if: matrix.os == 'macos-latest'
|
|
run: brew install jq pandoc
|
|
- run: bash -n install.sh
|
|
- run: ./install.sh --no-execute --profile=minimal
|
|
- run: ./install.sh --no-execute --profile=dev
|
|
- run: ./install.sh --no-execute --profile=full
|
|
|
|
shell-lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
|
- run: sudo apt-get update && sudo apt-get install -y shellcheck
|
|
- name: shellcheck (advisory)
|
|
run: find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} +
|
|
# v0.15.1: kept advisory because local shellcheck sweep not yet clean
|
|
# (quoted-var nits in hooks). Flip to fatal once the sweep is committed;
|
|
# planned for v0.16.
|
|
continue-on-error: true
|