Skip to content

ci: harden workflows against cache-poisoning publish chain#1265

Merged
mathuo merged 2 commits into
masterfrom
ci/harden-workflows
May 12, 2026
Merged

ci: harden workflows against cache-poisoning publish chain#1265
mathuo merged 2 commits into
masterfrom
ci/harden-workflows

Conversation

@mathuo
Copy link
Copy Markdown
Owner

@mathuo mathuo commented May 12, 2026

Closes the actions/cache -> OIDC chain demonstrated by the TanStack npm supply-chain compromise (May 2026):

  • publish.yml: gate publish + publish-experimental behind the release environment, and drop the unused ~/.npm cache step (workflow installs with yarn, so the cache was both dead weight and a poisoning surface in the job that holds id-token: write).
  • release.yml: re-key the build cache with a release- prefix so CI's ${runner.os}-modules- scope can no longer be restored into the release runner (which holds the GitHub App signing token).
  • main.yml: declare top-level permissions: contents: read as a least-privilege default for the GITHUB_TOKEN; the gen job's existing per-job override still grants pull-requests: write where needed.
  • codeql-analysis.yml: remove the dead commented-out push/pull_request triggers. Intent is nightly-only; Sonar covers per-PR analysis.

Description

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Refactor / cleanup
  • Build / CI / tooling

Affected packages

  • dockview-core
  • dockview (vanilla JS)
  • dockview-react
  • dockview-vue
  • dockview-angular
  • docs

How to test

Checklist

  • yarn lint:fix passes
  • yarn format passes
  • npm run gen has been run and generated files are up to date
  • yarn test passes
  • I have added or updated tests where applicable
  • Breaking changes are documented

mathuo and others added 2 commits May 12, 2026 17:13
@mathuo @claude
ci: harden workflows against cache-poisoning publish chain
aeca7f1 
Closes the actions/cache -> OIDC chain demonstrated by the TanStack
npm supply-chain compromise (May 2026):

- publish.yml: gate publish + publish-experimental behind the release
  environment, and drop the unused ~/.npm cache step (workflow installs
  with yarn, so the cache was both dead weight and a poisoning surface
  in the job that holds id-token: write).
- release.yml: re-key the build cache with a release- prefix so CI's
  ${runner.os}-modules- scope can no longer be restored into the
  release runner (which holds the GitHub App signing token).
- main.yml: declare top-level permissions: contents: read as a
  least-privilege default for the GITHUB_TOKEN; the gen job's existing
  per-job override still grants pull-requests: write where needed.
- codeql-analysis.yml: remove the dead commented-out push/pull_request
  triggers. Intent is nightly-only; Sonar covers per-PR analysis.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mathuo @claude
ci: gate publish jobs behind dedicated publish environment
57392fa 
Move publish.yml off the shared release environment and onto its own
publish environment. release.yml uses release (signs master commit/tag,
holds the App private key); publish.yml uses publish (mints OIDC token,
ships to npm). Names now match what each environment is actually
protecting, and npm Trusted Publishing can pin to the publish env
cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 12, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@mathuo mathuo merged commit 9570bf3 into master May 12, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mathuo