zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-16 22:03:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Harden CI installs against supply-chain lifecycle hooks

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-15 17:09:19 -04:00
committed by Affaan Mustafa
parent 6951b8d5d2
commit f7035b5644
6 changed files with 80 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
.github/workflows/reusable-test.yml vendored
View File

@@ -59,88 +59,24 @@ jobs:
if: inputs.package-manager == 'bun'
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
- name: Get npm cache directory
if: inputs.package-manager == 'npm'
id: npm-cache-dir
shell: bash
run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
- name: Restore npm cache
if: inputs.package-manager == 'npm'
continue-on-error: true
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.npm-cache-dir.outputs.dir }}
key: ${{ runner.os }}-node-${{ inputs.node-version }}-npm-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-${{ inputs.node-version }}-npm-
- name: Get pnpm store directory
if: inputs.package-manager == 'pnpm'
id: pnpm-cache-dir
shell: bash
env:
COREPACK_ENABLE_STRICT: '0'
run: echo "dir=$(pnpm store path)" >> $GITHUB_OUTPUT
- name: Restore pnpm cache
if: inputs.package-manager == 'pnpm'
continue-on-error: true
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.pnpm-cache-dir.outputs.dir }}
key: ${{ runner.os }}-node-${{ inputs.node-version }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-node-${{ inputs.node-version }}-pnpm-
- name: Get yarn cache directory
if: inputs.package-manager == 'yarn'
id: yarn-cache-dir
shell: bash
run: |
# Try Yarn Berry first, fall back to Yarn v1
if yarn config get cacheFolder >/dev/null 2>&1; then
echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
else
echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
fi
- name: Restore yarn cache
if: inputs.package-manager == 'yarn'
continue-on-error: true
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.yarn-cache-dir.outputs.dir }}
key: ${{ runner.os }}-node-${{ inputs.node-version }}-yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-node-${{ inputs.node-version }}-yarn-
- name: Restore bun cache
if: inputs.package-manager == 'bun'
continue-on-error: true
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ~/.bun/install/cache
key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
restore-keys: |
${{ runner.os }}-bun-
# COREPACK_ENABLE_STRICT=0 allows pnpm to install even though
# package.json declares "packageManager": "yarn@..."
- name: Install dependencies
shell: bash
env:
COREPACK_ENABLE_STRICT: '0'
npm_config_ignore_scripts: 'true'
YARN_ENABLE_SCRIPTS: 'false'
run: |
case "${{ inputs.package-manager }}" in
npm) npm ci ;;
npm) npm ci --ignore-scripts ;;
# pnpm v10 can fail CI on ignored native build scripts
# (for example msgpackr-extract) even though this repo is Yarn-native
# and pnpm is only exercised here as a compatibility lane.
pnpm) pnpm install --config.strict-dep-builds=false --no-frozen-lockfile ;;
pnpm) pnpm install --ignore-scripts --config.strict-dep-builds=false --no-frozen-lockfile ;;
# Yarn Berry (v4+) removed --ignore-engines; engine checking is no longer a core feature
yarn) yarn install ;;
bun) bun install ;;
yarn) yarn install --mode=skip-build ;;
bun) bun install --ignore-scripts ;;
*) echo "Unsupported package manager: ${{ inputs.package-manager }}" && exit 1 ;;
esac