ci(sec): add supply-chain security audit workflow#372

Open
Adiz4415 wants to merge 1 commit into geevapp:main from Adiz4415:chore/add-supply-chain-audit-ci

Conversation

@Adiz4415


Summary

Adds .github/workflows/security-audit.yml, a CI workflow that runs two supply-chain hygiene checks (per the SECURITY.md "npm / pnpm Supply Chain" section) on every PR to main and on workflow_dispatch:

  1. pnpm install --frozen-lockfile — surfaces #NOT-IN-LOCKFILE failures whenever a transitive dep was added without regenerating the lockfile. This step is gated on hashFiles(pnpm-lock.yaml) != "" because the repo currently gitignores the lockfile; until a follow-up removes that line, the workflow falls back to a soft-warning plain pnpm install so PRs aren't blocked.
  2. pnpm audit --prod --audit-level=high — exits non-zero if any production dep carries a known high-severity or critical CVE in the GitHub Advisory Database.

Permissions are contents: read only.

Reviewer feedback was integrated: the lockfile step is now conditional on hashFiles(pnpm-lock.yaml) != "" so the workflow survives the current .gitignore policy without blocking PRs. The strict check will flip on automatically the moment a maintainer un-ignores + commits pnpm-lock.yaml.

Active today vs. after the lockfile follow-up

| Lockfile state | What runs |
| --- | --- |
| Currently (gitignored) | pnpm install + soft ::warning:: + pnpm audit --prod --audit-level=high. Audit gates PRs; lockfile drift is unmonitored. |
| After maintainer un-ignores + commits pnpm-lock.yaml | pnpm install --frozen-lockfile (strict) + audit. Both gate PRs. |

Follow-ups (intentionally out of scope here)

  • Remove the pnpm-lock.yaml line from .gitignore and commit the current lockfile so the strict lockfile step becomes active.
  • Add a paths: filter (["app/**", "package.json", ".github/dependabot.yml"]) so contract-only Rust PRs do not waste CI minutes on npm audit.
  • Capture pnpm audit --json and upload-sarif to GitHub Code Scanning so findings surface in the Security tab alongside CodeQL.
  • Add a weekly schedule: trigger so freshly-published CVEs are caught between PRs.
  • Pin actions/checkout, pnpm/action-setup, and actions/setup-node to commit hashes (per SECURITY.md recommendations).
  • Add a parallel cargo audit workflow for the contracts/ workspace (Cargo is not covered by Dependabot reliably today).

Test / verify

After merge, open any PR; the workflow will appear in the Checks tab. While the lockfile is gitignored, expect a yellow ::warning:: annotation on the install step but a green overall pass on the audit step (assuming no current high/critical CVEs).
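The workflow file itself is not shown on this page. As an added illustration (a reconstruction from the description above, not the file from this PR), the gated install plus audit could be laid out as follows. The action tags (`@v4`), the Node version and the pnpm version are assumptions; the install is split into two mutually exclusive steps so the fallback can emit the `::warning::` annotation the description mentions.

```yaml
# Added example reconstructed from the PR description; not the file from this PR.
name: security-audit

on:
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the job only reads the repository contents.
permissions:
  contents: read

jobs:
  supply-chain-audit:
    runs-on: ubuntu-latest
    steps:
      # Assumption: @v4 tags. The SECURITY.md follow-up listed above would
      # replace each tag with a full commit SHA (not shown here).
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: 9            # assumption; match the repo's packageManager field

      - uses: actions/setup-node@v4
        with:
          node-version: 20      # assumption
          # No "cache: pnpm" here: setup-node keys its cache on pnpm-lock.yaml
          # and fails when the lockfile is absent, which is the current state.

      # Strict path: only runs once pnpm-lock.yaml is committed.
      # --frozen-lockfile makes pnpm exit non-zero (ERR_PNPM_OUTDATED_LOCKFILE /
      # "not in lockfile") if package.json and the lockfile disagree.
      - name: Install (strict, lockfile committed)
        if: hashFiles('pnpm-lock.yaml') != ''
        run: pnpm install --frozen-lockfile

      # Soft fallback while the lockfile is still gitignored: annotate the
      # run so reviewers see that drift is not being checked, but do not block.
      - name: Install (soft fallback, lockfile gitignored)
        if: hashFiles('pnpm-lock.yaml') == ''
        run: |
          echo "::warning::pnpm-lock.yaml is not committed; lockfile drift is not being checked on this PR"
          pnpm install

      # Fails the job if any production dependency has a known high or
      # critical advisory; dev-only dependencies are excluded by --prod.
      - name: Audit production dependencies
        run: pnpm audit --prod --audit-level=high
```

Two things to check when adapting this: keep `cache: pnpm` off `actions/setup-node` until the lockfile is actually committed, since that cache key is derived from `pnpm-lock.yaml`; and because both install steps carry an `if:`, a run in which neither executes (for example a misspelled lockfile name in the expression) would reach the audit with no `node_modules` present, so confirm the install step shows up in the Checks tab on the first run.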

Adds `.github/workflows/security-audit.yml` that, on every PR to main (and on manual `workflow_dispatch`), runs `pnpm install --frozen-lockfile` (gated on `hashFiles(pnpm-lock.yaml) != ""` so it does not hard-fail every PR while the lockfile is still in `.gitignore`) followed by `pnpm audit --prod --audit-level=high`, which fails on any high or critical CVE in production dependencies. Workflow has least-privilege permissions (`contents: read` only). Once the maintainer un-ignores and commits `pnpm-lock.yaml`, the strict lockfile check flips on automatically without further edits.