Ci/workflows#10
Open
cedric-appdirect wants to merge 4 commits into
Run four parallel jobs on every PR and push to main:
- Typecheck (tsc --noEmit)
- Test (bun test)
- Build (bun run build)
- Audit (bun audit --audit-level=high)

All actions pinned to SHA digests for supply-chain safety. Bun version pinned to 1.2.22. Concurrency group cancels stale runs on the same branch/PR.

Assisted-by: OpenCode with claude-opus-4-7
Run CodeQL with security-extended queries on every PR, push to main, and weekly on Monday 06:00 UTC. Actions pinned to SHA digests. Concurrency-aware: cancels stale PR runs but never scheduled scans. Assisted-by: OpenCode with claude-opus-4-7
Weekly schedule provides a natural 1-7 day buffer against compromised fresh npm publishes. Low PR limit (5) ensures each update gets review attention. Covers both npm and github-actions ecosystems. Assisted-by: OpenCode with claude-opus-4-7
Remove caret (^) ranges from all dependencies and devDependencies, locking to the exact currently-resolved versions. This ensures reproducible installs and prevents silent upgrades from introducing compromised packages. Version bumps are now exclusively managed by Dependabot (weekly schedule), giving maintainers review control over every dependency change. CI enforces the lockfile via bun install --frozen-lockfile. Assisted-by: OpenCode with claude-opus-4-7
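The commit above pins package.json to the versions the lockfile already resolved. As an added example that is not the PR's own code, the script below does that pinning with a check a reviewer would want: a dependency is only pinned when the lockfile's resolved version actually satisfies the declared caret or tilde range; `pinDependencies`, `inRange`, and the sample package and resolved-version map are all constructed assumptions (lockfile parsing is left out).

```javascript
// Added example: pin ^/~ ranges in a package.json object to the exact
// versions already resolved in the lockfile. `resolved` is a constructed
// name -> version map standing in for what a lockfile parser would return.

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` lies inside the caret/tilde `range` (or equals an exact
// pin). Only the forms a typical package.json carries are handled.
function inRange(range, version) {
  const op = range[0];
  if (op !== "^" && op !== "~") return range === version;
  const [bMaj, bMin, bPat] = parseSemver(range.slice(1));
  const [vMaj, vMin, vPat] = parseSemver(version);
  const notBelow =
    vMaj > bMaj || (vMaj === bMaj && (vMin > bMin || (vMin === bMin && vPat >= bPat)));
  if (op === "~") return notBelow && vMaj === bMaj && vMin === bMin;
  // caret: ^x.y.z allows minor+patch; ^0.y.z only patch; ^0.0.z only that patch
  if (bMaj === 0 && bMin === 0) return vMaj === 0 && vMin === 0 && vPat === bPat;
  if (bMaj === 0) return notBelow && vMaj === 0 && vMin === bMin;
  return notBelow && vMaj === bMaj;
}

// Returns a copy of `pkg` with every dependency pinned to its resolved version.
// Entries missing from the lockfile or resolved outside their declared range are
// reported in `problems` and left out so the caller can fix them by hand.
function pinDependencies(pkg, resolved) {
  const out = { ...pkg };
  const problems = [];
  for (const field of ["dependencies", "devDependencies"]) {
    if (!pkg[field]) continue;
    out[field] = {};
    for (const [name, range] of Object.entries(pkg[field])) {
      const version = resolved[name];
      if (version === undefined) { problems.push(`${name}: not in lockfile`); continue; }
      if (!inRange(range, version)) { problems.push(`${name}: ${version} outside ${range}`); continue; }
      out[field][name] = version;
    }
  }
  return { pkg: out, problems };
}

// Constructed sample input (names and versions are illustrative only).
const samplePkg = { name: "demo", dependencies: { hono: "^4.6.0", zod: "3.23.8" },
  devDependencies: { typescript: "~5.6.0", left: "^1.0.0" } };
const sampleResolved = { hono: "4.6.3", zod: "3.23.8", typescript: "5.6.2", left: "2.0.0" };
```

Running `pinDependencies(samplePkg, sampleResolved)` pins hono, zod and typescript and reports `left` because the lockfile's 2.0.0 is outside `^1.0.0`.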
Idea is to lock version to specific version. This increases maintenance work as new versions need to be manually approved, but with continuous ongoing supply chain attacks, being specific seems like a safer approach when executing code locally with user privilege. Being late on a version update is not necessarily that bad in this case.