Supply chain improvements#118

Merged
dgreif merged 1 commit into
mainfrom
copilot/security-defaults
Jun 3, 2026
Conversation

@dgreif dgreif commented Jun 3, 2026

Contributor

Summary

  • update CI and publish automation to current pinned GitHub Actions and Node 26
  • add the requested npm release-age policy and refresh the lockfile with npm audit fix

What changed

  • added project-level .npmrc with min-release-age=3
  • updated actions/checkout to v6.0.3 and actions/setup-node to v6.4.0, pinned to full SHAs
  • moved the main CI workflow from Node 22 to Node 26
  • moved the publish workflow from Node 24 to Node 26
  • kept npm ci in CI and publish workflows
  • kept npm publishing on OIDC trusted publishing; this repo was already using npm publish --provenance with id-token: write and no NODE_AUTH_TOKEN
  • ran npm audit fix and refreshed package-lock.json

Files changed

  • .npmrc
  • .github/workflows/nodejs.yml
  • .github/workflows/publish.yml
  • package-lock.json

Ecosystems detected

  • npm
  • GitHub Actions

Applied recommendations

  • deterministic npm installs in CI via npm ci
  • install-time npm release-age controls via .npmrc
  • pinned third-party GitHub Actions to full SHAs and updated stale action versions
  • Node 26 used in CI and publish automation
  • OIDC-based npm publishing retained
  • audit fixes applied with checks passing afterward

Could not be applied automatically

  • none

Human review notes

  • no pull_request_target workflows were found
  • workflow permissions remain narrow: contents: read in CI and contents: read plus id-token: write for publish
  • npm 11 emits a warning that min-release-age is an unknown project config in this environment, even though installs/build/tests continue to pass

Validation

  • npm install
  • npm ci
  • npm run build
  • CI=1 npm test
  • npm audit (0 vulnerabilities)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
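Two of the controls the description applies (third-party actions pinned to full SHAs, and a release-age policy in .npmrc) are easy to regress silently in a later edit. The following is an added example, not code from this repository, of a small checker a maintainer could run in CI or pre-commit to catch that. The workflow text and .npmrc content inside it are constructed samples; the setup-node SHA is the one this PR pins, reused only as sample data, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not the repository's real file): one step is
# pinned to a full commit SHA with a version comment, the other only to a tag.
SAMPLE_WORKFLOW = """\
name: Node.js CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 26
      - run: npm ci
"""

# Constructed sample .npmrc mirroring the policy this PR introduces.
SAMPLE_NPMRC = "min-release-age=3\n"

# Matches step- or job-level `uses:` references, with an optional `# vX.Y.Z`
# comment after the ref (the convention used to document what a SHA pins).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text: str) -> List[Dict[str, object]]:
    """Return one record per third-party `uses:` reference in a workflow.

    A reference counts as pinned only when the part after '@' is a full
    40-hex commit SHA; tags and branches are mutable and can be moved.
    """
    findings: List[Dict[str, object]] = []
    for match in USES_RE.finditer(workflow_text):
        ref, comment = match.group(1), match.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local-path and container actions are out of scope here
        action, _, version = ref.partition("@")
        findings.append(
            {
                "action": action,
                "ref": version,
                "pinned_to_sha": bool(FULL_SHA_RE.match(version)),
                "version_comment": comment,  # None when no `# vX` comment present
            }
        )
    return findings


def unpinned_actions(workflow_text: str) -> List[str]:
    """Names of actions that are not pinned to a full commit SHA."""
    return [str(f["action"]) for f in audit_uses(workflow_text) if not f["pinned_to_sha"]]


def parse_npmrc(text: str) -> Dict[str, str]:
    """Minimal ini-style parser for .npmrc: key=value lines, ';' or '#' comments."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        config[key.strip()] = value.strip()
    return config


def has_release_age_policy(npmrc_text: str) -> bool:
    """True when .npmrc sets a non-empty min-release-age value."""
    return bool(parse_npmrc(npmrc_text).get("min-release-age"))


if __name__ == "__main__":
    for finding in audit_uses(SAMPLE_WORKFLOW):
        state = "pinned" if finding["pinned_to_sha"] else "NOT PINNED"
        print(f"{finding['action']}@{finding['ref']}: {state} ({finding['version_comment']})")
    print("release-age policy present:", has_release_age_policy(SAMPLE_NPMRC))
```

Running it on the sample reports actions/checkout@v4 as not pinned and actions/setup-node as pinned with its v6.4.0 comment; wiring the same functions into a CI step that fails on any unpinned third-party action keeps the pinning this PR established from eroding in later edits.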
@dgreif dgreif marked this pull request as ready for review June 3, 2026 13:42
@dgreif dgreif requested a review from a team as a code owner June 3, 2026 13:42
Copilot AI review requested due to automatic review settings June 3, 2026 13:42

Copilot AI left a comment

Contributor

Pull request overview

This pull request applies supply-chain oriented maintenance updates across GitHub Actions workflows and npm configuration, aiming to harden CI/publishing and refresh dependency resolutions without changing the existing Dependabot setup.

Changes:

  • Added a project .npmrc with a minimum package release age policy (min-release-age=3).
  • Updated CI and publish workflows to use pinned SHAs for actions/checkout and actions/setup-node, and bumped automation to Node 26.
  • Refreshed package-lock.json via npm audit fix (transitive dependency updates/removals).
Summary per file

File                             Description
.npmrc                           Introduces npm release-age policy configuration intended to reduce supply-chain risk.
.github/workflows/nodejs.yml     Pins third-party actions to SHAs and moves CI to Node 26.
.github/workflows/publish.yml    Pins third-party actions to SHAs and moves publish pipeline to Node 26.
package-lock.json                Updates resolved dependency versions to incorporate audit fixes.

Copilot's findings

  • Files reviewed: 3/4 changed files
  • Comments generated: 3
Comment thread .npmrc
@@ -0,0 +1 @@
min-release-age=3
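Review bot: the unit of `min-release-age=3` is not stated anywhere in the file, and the human review notes record that npm 11 in this environment reports `min-release-age` as an unknown project config, which means the installs validated here did not actually enforce it. Add an ini comment documenting the intended unit (`; minimum release age for new package versions, in <unit>`) and confirm that the npm bundled with Node 26 in the CI and publish runners recognizes the key before treating this as an applied control; otherwise it is a silent no-op. It is also worth stating in the PR that `npm ci` installs the versions already resolved in package-lock.json, so this policy only comes into play when the lockfile is refreshed (for example by `npm install` or `npm audit fix`), not on the CI and publish paths this PR keeps on `npm ci`.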
Comment on lines +13 to 17
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22
node-version: 26
registry-url: https://registry.npmjs.org/
cache: npm
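Review bot: `node-version: 26` is unquoted here while the publish workflow uses `'26'`; setup-node accepts both, but YAML parses the bare form as a number, so a future value such as `26.10` would be read as a float and mangled. Quote it (`node-version: '26'`) so both workflows use the same form. Also confirm that the `# v6.4.0` comment really matches the tag the pinned SHA resolves to; the comment is the only human-readable record of what the SHA is, and a drifted comment misleads every later reviewer. If Dependabot's github-actions ecosystem is enabled in the existing setup, it will bump the SHA and the comment together.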
Comment on lines +15 to 18
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
node-version: '26'
registry-url: 'https://registry.npmjs.org'
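Review bot: `registry-url` is `'https://registry.npmjs.org'` here but `https://registry.npmjs.org/` (trailing slash) in nodejs.yml; both resolve, but aligning them keeps the registry `.npmrc` that setup-node writes identical across workflows and avoids a spurious difference. Since the description says publishing relies on `npm publish --provenance` with `id-token: write` and no `NODE_AUTH_TOKEN`, this `registry-url` line is what makes setup-node configure the registry for that step, so it should stay; please confirm after the Node 24 to 26 move that a publish run under the new npm still succeeds with OIDC trusted publishing, as the CI checks on this PR exercise the build but not a release.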
@dgreif dgreif merged commit 70261cb into main Jun 3, 2026
6 checks passed
@dgreif dgreif deleted the copilot/security-defaults branch June 3, 2026 17:39
3 participants