
Supply chain measures#3398

Merged
RobinTail merged 6 commits into master from protocol-mystique on May 13, 2026

Conversation

RobinTail (Owner) commented May 13, 2026

Summary by CodeRabbit

  • Chores
    • Tightened CI/CD workflow permissions to explicitly disable OIDC id-token and adjust repository token scopes (including read-only content for CI).
    • Increased workspace and dependency tooling minimum release age to require longer stabilization before automated updates.
    • Bumped a package prerelease version.


@RobinTail RobinTail added dependencies Pull requests that update a dependency file CI/CD labels May 13, 2026
coderabbitai Bot (Contributor) commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75617166-703f-4e8f-8be1-0c611043e811

📥 Commits

Reviewing files that changed from the base of the PR and between c4f565f and bf74000.

📒 Files selected for processing (1)
  • express-zod-api/package.json
✅ Files skipped from review due to trivial changes (1)
  • express-zod-api/package.json

Walkthrough

This PR disables OIDC id-token access in several GitHub Actions workflows, raises dependency tooling minimum release age to seven days, and bumps express-zod-api package version to 28.0.1-beta.1.

Changes

Workflow OIDC Token Restriction

Workflow permission hardening
Files: .github/workflows/bump.yml, .github/workflows/codeql-analysis.yml, .github/workflows/headers.yml, .github/workflows/node.js.yml
Summary: Added permissions.id-token: none to four workflow files; node.js.yml also sets permissions.contents: read.

Dependency Release Age Configuration

Release age policy across tooling
Files: pnpm-workspace.yaml, renovate.json
Summary: Added minimumReleaseAge: 10080 to pnpm-workspace.yaml and changed Renovate's minimumReleaseAge from "1 day" to "7 days".

Package Version Bump

express-zod-api version increment
Files: express-zod-api/package.json
Summary: Bumped package version from 28.0.1-beta.0 to 28.0.1-beta.1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

prevention

Poem

🐰 A rabbit's wisdom, small and spry,
I tuck the id-token gently by,
Seven days' rest for packages near,
Pipelines hum without a fear,
Bumped a version — hop, cheer!

Pre-merge checks: 4 passed, 1 inconclusive

Failed checks (1 inconclusive)
Title check: Inconclusive. The title 'Supply chain measures' is vague and generic, using a broad term that doesn't clearly convey the specific changes made in this changeset. Resolution: Use a more descriptive title that specifies the actual changes, such as 'Restrict OIDC tokens and enforce minimum release age for dependencies' or 'Harden supply chain security with token restrictions and dependency age requirements'.

Passed checks (4 passed)
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

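The permission change the walkthrough describes, written out as an added example rather than a workflow file from the express-zod-api repository: a workflow-level `permissions:` block that leaves the job token with `contents: read` only and explicitly disables the OIDC `id-token`, plus one job that re-enables `id-token: write` for provenance publishing, which is the pattern the review says npm-publish.yml keeps. The workflow, job and step names are placeholders.

```yaml
# Added example, not a workflow from this repository. Names are placeholders.
name: example-hardened-workflow
on:
  push:
    branches: [master]

# Workflow-level default for GITHUB_TOKEN. Once any scope is listed here,
# every scope left unlisted is set to none, so declaring id-token: none on
# its own would also silently drop contents (actions/checkout needs it).
# Listing contents: read keeps checkout working while still denying OIDC.
permissions:
  contents: read
  id-token: none

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the workflow-level token: read-only, no OIDC id-token.
    steps:
      - uses: actions/checkout@v4
      - run: echo "tests would run here"

  publish:
    runs-on: ubuntu-latest
    needs: test
    # Only the publishing job needs an OIDC token (for npm provenance).
    # A job-level block replaces the workflow-level one entirely, so
    # contents: read must be restated here as well.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "pnpm publish --provenance would run here"
```

The point worth checking in review is the collapse rule: a workflow that previously had no `permissions:` block and gains only `id-token: none` loses every other scope, which is the "implicit-permissions collapse" concern raised later in this thread and the reason node.js.yml also gained `contents: read`.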

coveralls-official Bot commented May 13, 2026

Coverage Status

coverage: 100.0%. remained the same — protocol-mystique into master

pullfrog Bot (Contributor) left a comment
Caution

Re-introducing minimumReleaseAge in pnpm-workspace.yaml reverses PR #3388 ("Resetting the age filter") merged one day ago. With pnpm@11.1.0 (per packageManager), an explicit minimumReleaseAge flips minimumReleaseAgeStrict to true by default (pnpm.io/settings#minimumreleaseagestrict), so any catalog or transitive dep whose entire satisfying range is < 7 days old will hard-fail pnpm install instead of falling back. The previous minimumReleaseAgeExclude allowlist (~26 entries: express, zod, typescript, vitest, prettier, …) is also not restored.

TL;DR — Hardens supply-chain posture by tightening GITHUB_TOKEN id-token scope across CI workflows and lengthening the dependency release-age window in both Renovate and pnpm. The Renovate/CI pieces are clean; the pnpm-side change reintroduces the exact strict-mode regression PR #3388 just fixed.

Key changes

  • Disable id-token in non-publishing workflows — adds id-token: none to bump.yml, codeql-analysis.yml, headers.yml, and node.js.yml; npm-publish.yml correctly retains id-token: write for pnpm publish --provenance.
  • Bump Renovate minimumReleaseAge to 7 days — was "1 day", now "7 days" in renovate.json.
  • Re-add pnpm minimumReleaseAge: 10080 — restores the workspace-level 7-day install gate that PR #3388 removed two days ago, without restoring the strict-mode escape valve or the allowlist.

Summary: 6 files, 2 commits, base master, head protocol-mystique

OIDC scope tightening across CI

Before: four workflows had no explicit id-token declaration, inheriting the repo-default token.
After: each non-publishing workflow declares id-token: none, and npm-publish.yml is the only place where OIDC remains writable.

Three of the four touched workflows (bump.yml, codeql-analysis.yml, headers.yml) already had explicit permissions: blocks, so adding id-token: none only makes the implicit deny explicit — verified runtime-equivalent. None of these workflows use OIDC-based signing or cloud auth.

Files: bump.yml, codeql-analysis.yml, headers.yml, node.js.yml


7-day release-age gate at two layers

Before: Renovate gated PRs at 1 day; pnpm relied on its built-in 1440-minute non-strict default.
After: Renovate gates at 7 days and pnpm enforces a 7-day strict gate at install time.

Why does the pnpm-side change reintroduce a regression? PR #3388 removed `minimumReleaseAge` from `pnpm-workspace.yaml` precisely because pnpm@11.0.4+ ([pnpm/pnpm#11436](https://github.com/pnpm/pnpm/pull/11436)) made `minimumReleaseAgeStrict` default to `true` whenever `minimumReleaseAge` is explicitly set — meaning installs hard-fail when no version in a requested range is mature enough, instead of falling back. The current PR re-adds the explicit value at a stricter threshold (10080 vs the prior 2880) without re-adding the previous `minimumReleaseAgeExclude` allowlist or setting `minimumReleaseAgeStrict: false`. Catalog entries (`zod ^4.3.4`, `zod ^4.4.3`, `typescript ^6.0.2`, `vitest`, …) are subject to the same gate per the docs.

Files: pnpm-workspace.yaml, renovate.json

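The pnpm-side settings the review above discusses, as an added example and not the repository's actual pnpm-workspace.yaml: the 7-day `minimumReleaseAge` the PR re-adds, together with the two settings the review says were not restored, `minimumReleaseAgeStrict: false` and a `minimumReleaseAgeExclude` allowlist. The `packages` entry is a placeholder, and the exclude list is constructed from the package names the review mentions, not the full earlier allowlist.

```yaml
# Added example, not the repository's pnpm-workspace.yaml.
packages:
  - "example-package"   # placeholder workspace member

# 7 days expressed in minutes (7 * 24 * 60); the value this PR re-adds.
minimumReleaseAge: 10080

# Per the review above, setting minimumReleaseAge explicitly makes pnpm 11
# default strict mode on: when no version in a requested range is old enough,
# install hard-fails instead of falling back to the newest version that
# satisfies the range. Setting it to false restores the fallback.
minimumReleaseAgeStrict: false

# Packages exempt from the age gate. These names are taken from the review's
# description of the earlier allowlist; the full list is not on this page.
minimumReleaseAgeExclude:
  - express
  - zod
  - typescript
  - vitest
  - prettier
```

With this shape, Renovate's `"minimumReleaseAge": "7 days"` delays update PRs while the pnpm setting gates `pnpm install` itself; the strict flag decides whether a too-new catalog or transitive range breaks CI or is merely installed at its newest version, which is the trade-off the CAUTION above is about.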

Comment threads (collapsed): pnpm-workspace.yaml, renovate.json, .github/workflows/node.js.yml (outdated)
Co-authored-by: pullfrog[bot] <226033991+pullfrog[bot]@users.noreply.github.com>
pullfrog Bot (Contributor) left a comment

No new issues. Reviewed the following changes:

  • Added contents: read alongside id-token: none in node.js.yml's top-level permissions: block, addressing the prior MINOR concern about implicit-permissions collapse.

The earlier CAUTION on pnpm-workspace.yaml:14 (strict-mode regression of PR #3388) is unaffected by these commits and still stands.


@RobinTail RobinTail merged commit cbe0a47 into master May 13, 2026
4 checks passed
@RobinTail RobinTail deleted the protocol-mystique branch May 13, 2026 17:15