chore: Harden CI workflow against supply chain attacks#678

Merged
ava-silver merged 1 commit into main from ava.silver/security/harden-ci-against-supply-chain-attacks
Mar 31, 2026

Conversation


@ava-silver ava-silver commented Mar 31, 2026

Summary

  • SHA-pin all GitHub Actions (actions/checkout, actions/setup-node) to prevent tag-based supply chain attacks
  • Replace bash <(curl -s https://codecov.io/bash) with SHA-pinned codecov/codecov-action@v5 to avoid piping remote scripts
  • Pin depcheck to a specific version (1.4.7) in global install

Context

Following the axios npm supply chain compromise, we are hardening CI workflows to reduce exposure to this class of attack. Unpinned GitHub Action tags can be moved to point at arbitrary code, and piping remote scripts (curl | bash) has no integrity verification. These changes ensure all external dependencies in CI are pinned to immutable references.

Follows up on #677 which added --immutable to yarn install.

Test plan

  • CI passes with updated action versions and codecov integration

🤖 Generated with Claude Code
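A small checker for the three patterns this PR removes, added here as an illustration and not code from the PR or the project: it flags `uses:` references that are not pinned to a 40-character commit SHA, `run:` steps that pipe curl into a shell (either form), and global npm installs without a version. The sample steps are constructed, the 40-hex SHAs are placeholders rather than real commits, and the check is regex-based on one step per line rather than a full YAML parser.

```python
import re

# Constructed "before" steps showing the three issues this PR fixes:
# tag-pinned actions, a piped remote script and an unversioned global install.
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
  - run: npm install -g depcheck
  - run: bash <(curl -s https://codecov.io/bash)
"""

# Constructed "after" steps. The 40-hex SHAs are placeholders, not real commits.
AFTER = """\
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000  # v4
  - uses: actions/setup-node@1111111111111111111111111111111111111111  # v4
  - run: npm install -g depcheck@1.4.7
  - uses: codecov/codecov-action@2222222222222222222222222222222222222222  # v5
"""

USES_RE = re.compile(r"^\s*-\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*-\s*run:\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "curl ... | bash" and the process-substitution form "bash <(curl ...)"
PIPED_SCRIPT_RE = re.compile(r"curl[^|]*\|\s*(?:ba)?sh\b|(?:ba)?sh\s+<\(\s*curl")
GLOBAL_INSTALL_RE = re.compile(r"npm\s+(?:install|i)\s+(?:-g|--global)\s+(\S+)")

def audit_workflow(text):
    """Return (line_no, finding) pairs for steps that fetch unpinned external code."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)  # e.g. owner/repo@<tag|sha>; local "./" refs are skipped
            if not ref.startswith("./") and not SHA_RE.match(ref.partition("@")[2]):
                findings.append((n, f"action not SHA-pinned: {ref}"))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group(1)
        if PIPED_SCRIPT_RE.search(cmd):
            findings.append((n, "remote script executed without integrity check"))
        g = GLOBAL_INSTALL_RE.search(cmd)
        # a scoped package starts with "@"; strip it before looking for "@version"
        if g and "@" not in g.group(1).lstrip("@"):
            findings.append((n, f"global install without version pin: {g.group(1)}"))
    return findings
```

Keeping the `# v4` style comment next to a SHA pin preserves the human-readable version so automated updaters can still track it.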


@ava-silver ava-silver changed the title from "[SECURITY] harden CI against supply chain attacks" to "Harden CI workflow against supply chain attacks" Mar 31, 2026
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.69%. Comparing base (11fe0b8) to head (7e25ae7).
⚠️ Report is 174 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #678      +/-   ##
==========================================
- Coverage   79.82%   77.69%   -2.14%     
==========================================
  Files          12       12              
  Lines        1046     1112      +66     
  Branches      329      350      +21     
==========================================
+ Hits          835      864      +29     
+ Misses        142      118      -24     
- Partials       69      130      +61     


@ava-silver ava-silver changed the title from "Harden CI workflow against supply chain attacks" to "chore: Harden CI workflow against supply chain attacks" Mar 31, 2026
@ava-silver ava-silver marked this pull request as ready for review March 31, 2026 12:36
@ava-silver ava-silver requested a review from a team as a code owner March 31, 2026 12:36
@ava-silver ava-silver merged commit 2e05845 into main Mar 31, 2026
7 checks passed
@ava-silver ava-silver deleted the ava.silver/security/harden-ci-against-supply-chain-attacks branch March 31, 2026 12:37