
feat(ci): harden CI with linters, security audit, and smart filtering#61

Merged: iamladi merged 6 commits into main from fix/npm-oidc-publish on Apr 2, 2026

Conversation

@iamladi (Owner) commented Apr 2, 2026

Summary

Comprehensive CI/CD improvements assimilated from loombrain patterns and zizmor security audit findings.

Release pipeline fixes (follow-up to #56, #57, #58, #60)

  • Node 24 for npm publish — npm 11.x supports OIDC trusted publishing natively
  • Changelog sync via PR (peter-evans/create-pull-request@v8) instead of direct push (branch protection)
  • --provenance on npm publish — explicit OIDC flag
  • registry-url on setup-node — configures OIDC auth exchange

New CI jobs

  • Lockfile Integrity — catches bun.lock drift from package.json
  • Security Audit — OSV Scanner on bun.lock (non-blocking)
  • Lint GitHub Actions — actionlint (syntax) + zizmor (security)

CI improvements

  • PR concurrency — cancel superseded PR runs, save CI minutes
  • Smart test filtering — Turbo --filter on PRs, full suite on main
  • Per-job turbo cache keys — prevents cache thrashing between jobs

Security hardening

  • permissions: contents: read (least privilege) on CI workflow
  • persist-credentials: false on all checkout steps
  • environment: cloudflare on deploy-web (secrets gate)
  • .zizmor.yml config for design-choice suppressions

Action upgrades (Node.js 20 → 24)

| Action | Old | New |
|---|---|---|
| actions/checkout | v4 | v6 |
| actions/setup-node | v4 | v6 |
| actions/cache | v4 | v5 |
| peter-evans/create-pull-request | v7 | v8 |

Test plan

  • CI passes on this PR (validates new jobs)
  • actionlint and zizmor report clean in the actions-lint job
  • Security audit job runs (non-blocking)
  • Lockfile integrity job passes
  • Smart filtering runs affected-only checks on this PR
  • Create cloudflare environment in GitHub repo settings
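As an added example (not the PR's own workflow file), here is how the hardening and filtering items above fit together in one CI workflow: read-only default token, PR-only run cancellation, `persist-credentials: false` on every checkout, a frozen-lockfile drift check, Turbo filtering on PRs, and an environment-gated deploy. The job names, `oven-sh/setup-bun@v2` and the `bunx turbo run test` filter range are assumptions, not taken from the repository.

```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read          # least privilege: the default GITHUB_TOKEN is read-only

concurrency:              # cancel superseded runs on PRs only; main runs to completion
  group: ci-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  lockfile:
    name: Lockfile Integrity
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false    # keep the token out of .git/config
      - uses: oven-sh/setup-bun@v2      # assumed setup action
      - run: bun install --frozen-lockfile   # fails on bun.lock drift instead of rewriting it

  test:
    runs-on: ubuntu-latest
    needs: lockfile
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0                # Turbo needs history to diff against origin/main
          persist-credentials: false
      - uses: oven-sh/setup-bun@v2
      - run: bun install --frozen-lockfile
      - if: github.event_name == 'pull_request'
        run: bunx turbo run test --filter='...[origin/main]'   # affected packages only
      - if: github.event_name != 'pull_request'
        run: bunx turbo run test                                # full suite on main

  deploy-web:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'push'
    environment: cloudflare           # deploy secrets are released only to this environment
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: echo "deploy to Cloudflare here"   # placeholder for the real deploy step
```

The `cloudflare` environment must exist in the repository settings (the last item of the test plan) before the deploy job can resolve its secrets.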

iamladi added 3 commits April 2, 2026 13:52
… concurrency

Assimilate proven CI patterns from loombrain:

- Cancel superseded PR runs (save CI minutes on force-pushes)
- Run tests/typecheck on affected packages only for PRs (Turbo filter)
- Lockfile integrity check (catches bun.lock drift)
- Security audit via OSV Scanner (non-blocking vuln detection)
- Separate turbo cache keys per job to avoid cache thrashing
- Add actions-lint job (actionlint for syntax, zizmor for security)
- Add top-level `permissions: contents: read` to CI (least privilege)
- Add `persist-credentials: false` to all checkout steps
- Add `environment: cloudflare` to deploy-web (secrets gate)
- Add .zizmor.yml to suppress design-choice findings
  (tag pinning, workflow_run trigger, cache-poisoning)

rhysd/actionlint has no v1 tag — use v1.7.12.

zizmor-action moved to zizmorcore org — use zizmorcore/zizmor-action@v0.5.2.
@github-advanced-security commented:

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

iamladi added 3 commits April 2, 2026 14:15
The action uploads SARIF to Code Scanning but wasn't using our config
file, so suppressed rules (unpinned-uses, etc.) were still reported.

Override transitive deps to patched versions:
- brace-expansion >=2.0.3 (GHSA-f886-m6hf-6m8v)
- fast-xml-parser >=5.5.6 (GHSA-8gc5-j5rx-235r)
- picomatch >=2.3.2 (GHSA-3v7f-55p6-f55p)
- smol-toml >=1.6.1 (GHSA-v3rj-xjv7-4jmq)
- undici >=6.24.0 (GHSA-2mjp-6q6p-2qxm and 4 others)
- yaml >=2.8.3 (GHSA-48c2-rrv3-qjmp)

Remove continue-on-error from security audit — vulns now block CI.

undici >=6.24.0 resolved to 8.0.0 which removed internal module paths
that jsdom relies on (undici/lib/handler/wrap-handler.js). Cap at ^7.24.0
to stay within the 7.x range that jsdom supports while patching all CVEs.
iamladi merged commit 5bc16b6 into main Apr 2, 2026
8 checks passed
iamladi deleted the fix/npm-oidc-publish branch April 2, 2026 12:30

2 participants