zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-16 13:53:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Harden CI installs against supply-chain lifecycle hooks

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-15 17:09:19 -04:00
committed by Affaan Mustafa
parent 6951b8d5d2
commit f7035b5644
6 changed files with 80 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/security/supply-chain-incident-response.md
View File

@@ -126,8 +126,10 @@ If ECC or a maintainer machine installed a known-bad package version:
keys, and local `.npmrc` tokens;
- any MCP, plugin, or harness credentials available in environment variables
or user-scope config.
6. Purge GitHub Actions caches for affected repositories.
7. Reinstall from a clean environment with `npm ci --ignore-scripts` first.
6. Purge GitHub Actions dependency caches for affected repositories.
7. Reinstall from a clean environment with lifecycle scripts disabled first:
`npm ci --ignore-scripts`, `pnpm install --ignore-scripts`,
`yarn install --mode=skip-build`, or `bun install --ignore-scripts`.
8. Re-enable lifecycle scripts only after the dependency tree and package
versions are pinned to known-clean releases.
@@ -136,7 +138,9 @@ If ECC or a maintainer machine installed a known-bad package version:
ECC enforces these rules through `scripts/ci/validate-workflow-security.js`:
- privileged workflows must not checkout untrusted PR refs;
- workflows with write permissions must use `npm ci --ignore-scripts`;
- all workflow dependency installs must disable lifecycle scripts;
- workflows must not restore or save shared GitHub Actions dependency caches
during active supply-chain hardening;
- workflows with `id-token: write` must not restore or save shared dependency
caches;
- workflows that run `npm audit` must also run `npm audit signatures`;