Ci/workflows #10 (Open)

cedric-appdirect wants to merge 4 commits into jgordijn:main from cedric-appdirect:ci/workflows

Conversation

@cedric-appdirect

The idea is to lock versions to specific versions. This increases maintenance work as new versions need to be manually approved, but with continuous ongoing supply chain attacks, being specific seems like a safer approach when executing code locally with user privileges. Being late on a version update is not necessarily that bad in this case.

Commits

Run four parallel jobs on every PR and push to main:
- Typecheck (tsc --noEmit)
- Test (bun test)
- Build (bun run build)
- Audit (bun audit --audit-level=high)

All actions pinned to SHA digests for supply-chain safety.
Bun version pinned to 1.2.22. Concurrency group cancels stale
runs on the same branch/PR.

Assisted-by: OpenCode with claude-opus-4-7

Run CodeQL with security-extended queries on every PR, push to main,
and weekly on Monday 06:00 UTC. Actions pinned to SHA digests.
Concurrency-aware: cancels stale PR runs but never scheduled scans.

Assisted-by: OpenCode with claude-opus-4-7

Weekly schedule provides a natural 1-7 day buffer against compromised
fresh npm publishes. Low PR limit (5) ensures each update gets review
attention. Covers both npm and github-actions ecosystems.

Assisted-by: OpenCode with claude-opus-4-7

Remove caret (^) ranges from all dependencies and devDependencies,
locking to the exact currently-resolved versions. This ensures
reproducible installs and prevents silent upgrades from introducing
compromised packages.

Version bumps are now exclusively managed by Dependabot (weekly
schedule), giving maintainers review control over every dependency
change. CI enforces the lockfile via bun install --frozen-lockfile.

Assisted-by: OpenCode with claude-opus-4-7
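The two pinning rules these commits rely on (actions referenced by SHA digest, dependencies locked to exact versions) only hold as long as nobody reintroduces a tag reference or a caret range later. As an added example that is not code from this PR or from the jgordijn repository, the following script, written in the project's own language so it can run under `bun run check-pins.ts` (the file name is an assumption), scans a workflow file and a package.json for both regressions. The sample workflow, the sample package.json, the package names and the `some-org/some-action` ref are constructed for the demonstration, and the 40-hex SHA is a placeholder with the right shape rather than a real commit of actions/checkout; `oven-sh/setup-bun` is the real Bun setup action.

```typescript
// Added example, not code from this PR or from the jgordijn repository: a
// dependency-free audit script that checks the two pinning rules the PR
// introduces. Run with `bun run check-pins.ts` (file name, sample inputs and
// placeholder SHA are assumptions).
//   1. every `uses:` in a GitHub Actions workflow is pinned to a 40-hex commit SHA
//   2. every dependency spec in package.json is an exact version (no ^, ~, *, ranges)

interface Finding {
  where: string;  // "workflow line N" or "<section>/<package>"
  value: string;  // the offending action ref or version spec
  reason: string;
}

const SHA40 = /^[0-9a-f]{40}$/;
// Exact semver only: MAJOR.MINOR.PATCH plus optional prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// The workflow is scanned line by line rather than through a YAML parser: `uses:`
// values are plain scalars, optionally quoted, optionally followed by a "# vX.Y.Z"
// comment that is for humans and Dependabot; GitHub itself only resolves the SHA.
function findUnpinnedActions(workflowYaml: string): Finding[] {
  const findings: Finding[] = [];
  workflowYaml.split("\n").forEach((raw, idx) => {
    const m = raw.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'#\s]+)/);
    if (!m) return;
    const ref = m[1] ?? "";
    const where = `workflow line ${idx + 1}`;
    if (ref.startsWith("./")) return; // local action: fixed by the commit being checked out
    if (ref.startsWith("docker://")) {
      if (!/@sha256:[0-9a-f]{64}$/.test(ref)) {
        findings.push({ where, value: ref, reason: "container action not pinned by image digest" });
      }
      return;
    }
    const at = ref.lastIndexOf("@");
    const version = at < 0 ? "" : ref.slice(at + 1);
    if (!SHA40.test(version)) {
      findings.push({
        where,
        value: ref,
        reason: version === ""
          ? "no ref given, so the action's default branch is used"
          : `"${version}" is a mutable tag or branch, not a commit SHA`,
      });
    }
  });
  return findings;
}

// Any spec that is not an exact version lets a plain `bun install` (without
// --frozen-lockfile) resolve a newer release than the one that was reviewed.
function findRangedDependencies(packageJsonText: string): Finding[] {
  const pkg = JSON.parse(packageJsonText) as Record<string, unknown>;
  const findings: Finding[] = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (typeof deps !== "object" || deps === null) continue;
    for (const [name, spec] of Object.entries(deps as Record<string, string>)) {
      if (!EXACT_SEMVER.test(spec)) {
        findings.push({ where: `${section}/${name}`, value: spec, reason: "not an exact version" });
      }
    }
  }
  return findings;
}

function auditPins(workflowYaml: string, packageJsonText: string): Finding[] {
  return [...findUnpinnedActions(workflowYaml), ...findRangedDependencies(packageJsonText)];
}

// Constructed sample inputs (not the PR's real files). The SHA is a placeholder
// with the right shape, not a real commit of actions/checkout.
const PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567";
const SAMPLE_WORKFLOW = `
jobs:
  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@${PLACEHOLDER_SHA} # v4.x.y
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: 1.2.22
      - uses: some-org/some-action
      - uses: ./.github/actions/local-step
      - run: bun install --frozen-lockfile
`;
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: { "left-pad-ish": "^1.3.0", "exact-lib": "2.0.1" },
  devDependencies: { typescript: "~5.6.0", "some-tool": "*", "pinned-tool": "1.0.0-beta.2" },
});

const findings = auditPins(SAMPLE_WORKFLOW, SAMPLE_PACKAGE_JSON);
for (const f of findings) {
  console.log(`${f.where}: ${f.value} (${f.reason})`);
}
// In CI, fail the job on any finding so an unpinned action or a reintroduced
// caret range cannot land, e.g. `if (findings.length > 0) process.exit(1)`.
```

On the sample input the script reports the tag-pinned `oven-sh/setup-bun@v2`, the ref-less `some-org/some-action`, and the three range specs (`^1.3.0`, `~5.6.0`, `*`), while the SHA-pinned checkout, the local action and the exact versions pass. Running it as a fifth CI job alongside typecheck/test/build/audit turns the pinning policy into something the PR check enforces rather than something reviewers have to remember.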