build: harden npm supply-chain security #296

Open

akudev wants to merge 2 commits into main from chore/harden

Conversation

@akudev akudev commented Jun 30, 2026

- Add .npmrc with ignore-scripts, allow-git=none, min-release-age=3, save-exact, and explicit registry
- Pin all GitHub Actions to full SHA digests
- Replace npm install with npm ci --ignore-scripts in CI
- Add lockfile-lint as pinned devDependency with CI validation step
- Pin root devDependency versions (remove ^ ranges)
- Move workflow-level permissions to job-level in deploy.yml

Renovate:
- Upgrade to config:best-practices (includes SHA pinning, abandoned package monitoring, Docker digest pinning)
- Add minimumReleaseAge: 3 days (top-level + lockFileMaintenance)
- Switch rangeStrategy from bump to pin
- Add prCreation: immediate to avoid PR deadlock
- Set minimumReleaseAge: 0 days on openui5 group (own lib, no delay)
- Exclude @types/openui5 from minor auto-merge (framework-coupled)

Also:
- Bump archiver 7 -> 8 (only breaking change: Node 18 minimum)
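
The three policies above (lockfile entries resolve only to the configured registry with an integrity hash, devDependencies are exact versions, actions are pinned to full SHAs) can be verified with a small self-check. The script below is an added example, not code from this PR or from lockfile-lint; it re-implements a subset of what lockfile-lint validates, runs over constructed sample inputs, and assumes `https://registry.npmjs.org/` as the allowed registry.

```javascript
// Added example: a minimal self-check of the policies this PR adopts.
// Not lockfile-lint itself; it re-implements a subset of its checks.
const ALLOWED_REGISTRY = 'https://registry.npmjs.org/'; // assumed registry

// Lockfile check (npm lockfile v2/v3 "packages" map): every dependency must
// resolve over HTTPS to the allowed registry and carry a sha512 integrity hash.
function lintLockfile(lock) {
  const problems = [];
  for (const [name, pkg] of Object.entries(lock.packages || {})) {
    if (name === '' || pkg.link) continue; // root entry and workspace links have no tarball
    if (!pkg.resolved) { problems.push(`${name}: missing resolved URL`); continue; }
    if (!pkg.resolved.startsWith(ALLOWED_REGISTRY)) problems.push(`${name}: resolved outside allowed registry (${pkg.resolved})`);
    if (!/^sha512-/.test(pkg.integrity || '')) problems.push(`${name}: missing or weak integrity`);
  }
  return problems;
}

// package.json check: dependency specs must be exact versions, not ^ or ~ ranges.
function unpinnedDeps(pkgJson) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(spec)) out.push(`${field}.${name}=${spec}`);
    }
  }
  return out;
}

// Workflow check: every `uses:` must reference a full 40-hex commit SHA, not a tag or branch.
function unpinnedActions(workflowYaml) {
  const out = [];
  for (const m of workflowYaml.matchAll(/uses:\s*([^\s#]+)/g)) {
    if (m[1].startsWith('./') || m[1].startsWith('docker://')) continue; // local and docker refs
    if (!/@[0-9a-f]{40}$/.test(m[1])) out.push(m[1]);
  }
  return out;
}

// Constructed sample inputs (not taken from the PR); one entry violates each policy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/archiver': { version: '8.0.0', resolved: 'https://registry.npmjs.org/archiver/-/archiver-8.0.0.tgz', integrity: 'sha512-' + 'A'.repeat(86) + '==' },
  'node_modules/some-lib': { version: '1.0.0', resolved: 'http://mirror.example.test/some-lib-1.0.0.tgz', integrity: 'sha1-' + 'B'.repeat(27) + '=' },
} };
const SAMPLE_PKG = { devDependencies: { archiver: '8.0.0', 'lockfile-lint': '^4.0.0' } };
const SAMPLE_WORKFLOW = 'steps:\n  - uses: actions/checkout@v4\n  - uses: actions/setup-node@' + 'ab'.repeat(20) + '\n';

console.log([...lintLockfile(SAMPLE_LOCK), ...unpinnedDeps(SAMPLE_PKG), ...unpinnedActions(SAMPLE_WORKFLOW)].join('\n'));
```

In a CI step the three result arrays would be combined and a non-empty result would fail the job; the sample run reports the http mirror entry, its sha1 integrity, the ^ range and the tag-pinned checkout action.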

Copilot AI left a comment

Pull request overview

This PR hardens the project’s npm and CI supply-chain posture by tightening Renovate behavior, pinning dependencies, and adding CI checks intended to reduce risk from untrusted package sources and mutable CI actions.

Changes:

  • Strengthen Renovate configuration (best-practices preset, minimum release age, pinning strategy, and faster PR creation).
  • Pin devDependency versions and add a lockfile validation script using lockfile-lint.
  • Harden GitHub Actions workflows by SHA-pinning actions and switching CI installs to npm ci --ignore-scripts.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| renovate.json | Moves to Renovate best-practices and adds minimum release age + pinning strategy adjustments. |
| package.json | Pins devDependency versions and adds a lockfile-lint script for CI validation. |
| .npmrc | Adds npm configuration intended to reduce supply-chain risk (registry, ignore scripts, exact saves). |
| .github/workflows/reuse-compliance.yml | Pins actions to SHA digests for supply-chain integrity. |
| .github/workflows/deploy.yml | Pins actions to SHA digests, uses npm ci --ignore-scripts, and scopes permissions at job level. |
| .github/workflows/build.yml | Pins actions to SHA digests, uses npm ci --ignore-scripts, and adds a lockfile validation step. |

Comment thread renovate.json

```json
"extends": [
"config:recommended",
"config:best-practices",
"github>ui5/renovate-config"
```

Suggested change (Member):

```diff
-"github>ui5/renovate-config"
+"github>ui5/renovate-config:lts#v1.2.1"
```