chore(ci): harden workflows and bump packageManager to pnpm@11.1.1 by AlemTuzlak · Pull Request #215 · TanStack/pacer

AlemTuzlak · 2026-05-13T09:32:49Z

Summary

Hardens GitHub Actions workflows against common CI/CD attack vectors (action pinning, persist-credentials, timeouts) and bumps the package manager to pnpm@11.1.1.

Findings & fixes applied

Action SHA pinning — pinned 3 actions to commit SHAs (was floating tags). Affected files: .github/workflows/autofix.yml, .github/workflows/pr.yml, .github/workflows/release.yml.
- actions/checkout@v6.0.2 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- nrwl/nx-set-shas@v4.4.0 → nrwl/nx-set-shas@3e9ad7370203c1e93d109be57f3b72eb0eb511b1 # v4.4.0
- changesets/action@v1.8.0 → changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
- autofix-ci/action already pinned to SHA — added # v1 comment.
Workflow permissions — all 3 existing workflows already declared top-level permissions: (no change needed). New zizmor.yml declares permissions: {} (empty, least-privilege).
persist-credentials: false — added to 3 actions/checkout invocations in autofix.yml (the autofix-ci action uses GitHub's app-token flow, not the checkout credential) and pr.yml (test + preview jobs, neither pushes back). NOT added to release.yml since the changesets action pushes version PRs and tags.
Job timeout-minutes: — added timeout-minutes: 20 to autofix, test, preview jobs; timeout-minutes: 40 to release job; timeout-minutes: 10 on the new zizmor job.
Concurrency — already configured with cancel-in-progress: true on PR-triggered workflows. Removed cancel-in-progress: true from release.yml since cancelling mid-publish is dangerous (kept the concurrency group so concurrent release runs still serialise).
Zizmor security analysis workflow — added new .github/workflows/zizmor.yml to lint workflows for security weaknesses on push to main and on every PR.

Findings deferred (need maintainer review)

None. No pull_request_target usage, no obvious script-injection sinks, no echoed secrets, no curl | sh.

pnpm bump

packageManager: pnpm@11.1.0 → pnpm@11.1.1 (corepack-written integrity hash).
pnpm install: succeeds cleanly. No "Ignored build scripts" warnings — the existing pnpm-workspace.yaml already declares an allowBuilds allowlist with nx, esbuild enabled and unrs-resolver, @parcel/watcher, lmdb, msgpackr-extract explicitly disabled.
onlyBuiltDependencies allowlist: n/a — already configured under allowBuilds in pnpm-workspace.yaml; no additions required for clean install.
pnpm.overrides migration: n/a — no "pnpm": { ... } block exists in package.json. The overrides field at the top level of package.json is the standard npm-compatible overrides format (not the pnpm-specific nested form) and was left as-is.
Workflow pnpm refs aligned: n/a — pnpm version is derived from packageManager via the TanStack/config/.github/setup composite action.

Validation

YAML parse: OK 4 files (autofix.yml, pr.yml, release.yml, zizmor.yml)
actionlint: not available locally; SHAs verified individually via gh api.
zizmor: not available locally; workflow added to run in CI.
pnpm install: clean (169 workspace projects, no warnings)
pnpm run build:all: build itself succeeded for all 10 projects; a downstream size-limit step hit a Windows path quirk (EISDIR: ... 'F:') unrelated to pnpm 11 or these workflow changes — will resolve in CI's Linux environment.

What I did NOT change

No changes to CI behavior (test commands, schedules, deploy targets, matrix configs)
No wholesale workflow rewrites
No auth flow changes
No .npmrc edits (no warnings from pnpm 11)
No edits to release.yml checkout's persist-credentials setting — release publishes via changesets/action which pushes back

pkg-pr-new · 2026-05-13T09:34:47Z

More templates

@tanstack/angular-pacer

npm i https://pkg.pr.new/@tanstack/angular-pacer@215

@tanstack/pacer

npm i https://pkg.pr.new/@tanstack/pacer@215

@tanstack/pacer-devtools

npm i https://pkg.pr.new/@tanstack/pacer-devtools@215

@tanstack/pacer-lite

npm i https://pkg.pr.new/@tanstack/pacer-lite@215

@tanstack/preact-pacer

npm i https://pkg.pr.new/@tanstack/preact-pacer@215

@tanstack/preact-pacer-devtools

npm i https://pkg.pr.new/@tanstack/preact-pacer-devtools@215

@tanstack/react-pacer

npm i https://pkg.pr.new/@tanstack/react-pacer@215

@tanstack/react-pacer-devtools

npm i https://pkg.pr.new/@tanstack/react-pacer-devtools@215

@tanstack/solid-pacer

npm i https://pkg.pr.new/@tanstack/solid-pacer@215

@tanstack/solid-pacer-devtools

npm i https://pkg.pr.new/@tanstack/solid-pacer-devtools@215

commit: 9aff9a4

chore(ci): harden workflows and bump packageManager to pnpm@11.1.1

9aff9a4

AlemTuzlak force-pushed the chore/cicd-hardening-pnpm-bump branch from ec050bd to 9aff9a4 Compare May 13, 2026 09:35

AlemTuzlak closed this May 13, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(ci): harden workflows and bump packageManager to pnpm@11.1.1#215

chore(ci): harden workflows and bump packageManager to pnpm@11.1.1#215
AlemTuzlak wants to merge 1 commit into
TanStack:mainfrom
AlemTuzlak:chore/cicd-hardening-pnpm-bump

AlemTuzlak commented May 13, 2026

Uh oh!

pkg-pr-new Bot commented May 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

AlemTuzlak commented May 13, 2026

Summary

Findings & fixes applied

Findings deferred (need maintainer review)

pnpm bump

Validation

What I did NOT change

Uh oh!

pkg-pr-new Bot commented May 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

pkg-pr-new Bot commented May 13, 2026 •

edited

Loading