zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-16 13:53:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Harden CI installs against supply-chain lifecycle hooks

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-15 17:09:19 -04:00
committed by Affaan Mustafa
parent 6951b8d5d2
commit f7035b5644
6 changed files with 80 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
scripts/ci/validate-workflow-security.js
View File

@@ -25,11 +25,28 @@ const RULES = [
];
const WRITE_PERMISSION_PATTERN = /^\s*(?:contents|issues|pull-requests|actions|checks|deployments|discussions|id-token|packages|pages|repository-projects|security-events|statuses):\s*write\b/m;
const NPM_CI_PATTERN = /\bnpm\s+ci\b(?![^\n]*--ignore-scripts)/g;
const NPM_AUDIT_PATTERN = /\bnpm\s+audit\b(?!\s+signatures\b)/;
const NPM_AUDIT_SIGNATURES_PATTERN = /\bnpm\s+audit\s+signatures\b/;
const ACTIONS_CACHE_PATTERN = /uses:\s*['"]?actions\/cache@/m;
const ID_TOKEN_WRITE_PATTERN = /^\s*id-token:\s*write\b/m;
const UNSAFE_INSTALL_PATTERNS = [
{
pattern: /\bnpm\s+ci\b(?![^\n]*--ignore-scripts)/g,
description: 'npm ci must include --ignore-scripts',
},
{
pattern: /\bpnpm\s+install\b(?![^\n]*--ignore-scripts)/g,
description: 'pnpm install must include --ignore-scripts',
},
{
pattern: /\byarn\s+install\b(?![^\n]*--mode=skip-build)/g,
description: 'yarn install must use --mode=skip-build',
},
{
pattern: /\bbun\s+install\b(?![^\n]*--ignore-scripts)/g,
description: 'bun install must include --ignore-scripts',
},
];
function getWorkflowFiles(workflowsDir) {
if (!fs.existsSync(workflowsDir)) {
@@ -120,11 +137,14 @@ function findViolations(filePath, source) {
}
}
for (const match of source.matchAll(NPM_CI_PATTERN)) {
}
for (const installRule of UNSAFE_INSTALL_PATTERNS) {
for (const match of source.matchAll(installRule.pattern)) {
violations.push({
filePath,
event: 'write-permission install',
description: 'workflows with write permissions must install npm dependencies with --ignore-scripts',
event: 'dependency install scripts',
description: `workflow dependency installs must not run lifecycle scripts: ${installRule.description}`,
expression: match[0],
line: getLineNumber(source, match.index),
});
@@ -141,6 +161,16 @@ function findViolations(filePath, source) {
});
}
if (ACTIONS_CACHE_PATTERN.test(source)) {
violations.push({
filePath,
event: 'dependency cache',
description: 'GitHub Actions dependency caches are disabled during active supply-chain hardening',
expression: 'actions/cache',
line: getLineNumber(source, source.search(ACTIONS_CACHE_PATTERN)),
});
}
if (/\bpull_request_target\s*:/m.test(source) && ACTIONS_CACHE_PATTERN.test(source)) {
violations.push({
filePath,