
build: harden npm supply-chain security #296

Open
akudev wants to merge 2 commits into main from chore/harden

Conversation

@akudev akudev commented Jun 30, 2026

Member
- Add .npmrc with ignore-scripts, allow-git=none, min-release-age=3,
  save-exact, and explicit registry
- Pin all GitHub Actions to full SHA digests
- Replace npm install with npm ci --ignore-scripts in CI
- Add lockfile-lint as pinned devDependency with CI validation step
- Pin root devDependency versions (remove ^ ranges)
- Move workflow-level permissions to job-level in deploy.yml

Renovate:
- Upgrade to config:best-practices (includes SHA pinning, abandoned
  package monitoring, Docker digest pinning)
- Add minimumReleaseAge: 3 days (top-level + lockFileMaintenance)
- Switch rangeStrategy from bump to pin
- Add prCreation: immediate to avoid PR deadlock
- Set minimumReleaseAge: 0 days on openui5 group (own lib, no delay)
- Exclude @types/openui5 from minor auto-merge (framework-coupled)

Also:
- Bump archiver 7 -> 8 (only breaking change: Node 18 minimum)
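The lockfile validation step and the pinning rules listed above, as an added example that is not part of this PR or of lockfile-lint: a small Python audit approximating what a lockfile-lint CI step checks (HTTPS only, one allowed registry host, an integrity hash, no git sources) plus a check that manifest versions are exact rather than `^` ranges. The sample lockfile, manifest, registry host, package names other than archiver and lockfile-lint, and all version numbers are constructed here.

```python
"""Audit an npm lockfile (lockfileVersion 2 or 3) and a package.json for the
supply-chain properties the PR enforces. Added example approximating
lockfile-lint's checks; not lockfile-lint's own code."""
import json
import re
from urllib.parse import urlparse

ALLOWED_REGISTRY_HOST = "registry.npmjs.org"  # the explicit .npmrc registry (assumed)
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def unpinned_deps(manifest: dict) -> list[str]:
    """Names whose declared version is a range (^, ~, *, x, ...) instead of exact."""
    return [name
            for section in ("dependencies", "devDependencies")
            for name, spec in manifest.get(section, {}).items()
            if not EXACT_VERSION.match(spec)]


def lockfile_findings(lock: dict) -> list[str]:
    """One finding per policy violation in the lockfile; an empty list means clean."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":          # root project entry has no resolved/integrity
            continue
        resolved = entry.get("resolved", "")
        url = urlparse(resolved)
        if resolved.startswith("git+") or url.scheme.startswith("git"):
            findings.append(f"{path}: git source {resolved}")   # allow-git=none
            continue
        if url.scheme != "https":
            findings.append(f"{path}: non-https {resolved}")
        if url.hostname != ALLOWED_REGISTRY_HOST:
            findings.append(f"{path}: unexpected host {url.hostname}")
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append(f"{path}: missing or weak integrity")
    return findings


# Constructed sample data (not from the project); "sha512-AAAA" is a placeholder digest.
SAMPLE_MANIFEST = {"devDependencies": {"archiver": "8.0.0", "lockfile-lint": "^4.0.0"}}
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/archiver": {"version": "8.0.0",
    "resolved": "https://registry.npmjs.org/archiver/-/archiver-8.0.0.tgz",
    "integrity": "sha512-AAAA"},
  "node_modules/left-pad": {"version": "1.0.0",
    "resolved": "http://mirror.example/left-pad-1.0.0.tgz"},
  "node_modules/some-fork": {"version": "1.2.3",
    "resolved": "git+ssh://git@github.com/example/some-fork.git#abc123"}}}""")

if __name__ == "__main__":
    print("unpinned:", unpinned_deps(SAMPLE_MANIFEST))
    print("\n".join(lockfile_findings(SAMPLE_LOCK)))
```

In CI the same policy is what the pinned lockfile-lint step enforces against package-lock.json; this script only illustrates the checks on constructed input.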

Copilot AI left a comment


Pull request overview

This PR hardens the project’s npm and CI supply-chain posture by tightening Renovate behavior, pinning dependencies, and adding CI checks intended to reduce risk from untrusted package sources and mutable CI actions.

Changes:

  • Strengthen Renovate configuration (best-practices preset, minimum release age, pinning strategy, and faster PR creation).
  • Pin devDependency versions and add a lockfile validation script using lockfile-lint.
  • Harden GitHub Actions workflows by SHA-pinning actions and switching CI installs to npm ci --ignore-scripts.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Summary per file:

| File | Description |
| --- | --- |
| renovate.json | Moves to Renovate best-practices and adds minimum release age + pinning strategy adjustments. |
| package.json | Pins devDependency versions and adds a lockfile-lint script for CI validation. |
| .npmrc | Adds npm configuration intended to reduce supply-chain risk (registry, ignore scripts, exact saves). |
| .github/workflows/reuse-compliance.yml | Pins actions to SHA digests for supply-chain integrity. |
| .github/workflows/deploy.yml | Pins actions to SHA digests, uses npm ci --ignore-scripts, and scopes permissions at job level. |
| .github/workflows/build.yml | Pins actions to SHA digests, uses npm ci --ignore-scripts, and adds a lockfile validation step. |
