Supply chain hardening for npm and actions#258
Draft
data-douser wants to merge 11 commits intomainfrom
Draft
Conversation
- Add `--ignore-scripts` to all CI `npm ci`/`npm install` invocations and
set `ignore-scripts=true` in `.npmrc` so install-time scripts from
transitive dependencies cannot run during PR builds.
- Pin `@types/vscode` in Dependabot config and in the root `upgrade:node`
script's `--reject` list so it cannot be auto-upgraded past the
`engines.vscode` floor.
- Add a two-workflow handoff to rebuild `server/dist/**` for Dependabot
PRs without granting write tokens to untrusted PR code:
* `build-server.yml` (pull_request, read-only) uploads the built
`server/dist` artifact and skips the drift check for Dependabot.
* `dependabot-commit-dist.yml` (workflow_run, trusted, contents:write)
downloads the artifact, verifies the head SHA, and commits the
rebuilt files back to the PR branch as `dependabot[bot]`.
- Remove unused `workflow_dispatch:` triggers from workflows that have
no inputs (lint-and-format, client-integration-tests, query-unit-tests,
query-unit-tests-swift, copilot-setup-steps); keep it on `release.yml`
and `update-codeql.yml` (the latter has a meaningful `target_version`
input).
- Update the add-language skill's `SKILL.md` and `workflow-template.yml`
to match: drop `workflow_dispatch:`, pin actions to SHAs, and use
`npm ci --ignore-scripts`.
data-douser
added
enhancement
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s CI/CD and dependency-update pipeline by preventing npm lifecycle scripts from running in CI and by adding a trusted-workflow handoff to regenerate and commit server/dist for Dependabot PRs.
Changes:
- Enforce
--ignore-scriptsacross CI npm install/ci steps and addignore-scripts=trueto.npmrc. - Add a
workflow_run-based workflow to commit rebuiltserver/distback to Dependabot PR branches, and uploadserver/distas an artifact from the server build workflow. - Prevent automated updates to
@types/vscode(Dependabot +upgrade:node) to keep it aligned with the VS Code engine floor.
Show a summary per file
| File | Description |
|---|---|
| package.json | Prevent upgrade:node from bumping @types/vscode. |
| .npmrc | Enforce ignore-scripts=true repo-wide for npm installs. |
| .github/workflows/update-codeql.yml | Add --ignore-scripts to dependency installation. |
| .github/workflows/release.yml | Add --ignore-scripts for release-time production install. |
| .github/workflows/release-vsix.yml | Add --ignore-scripts to CI installs for VSIX release workflow. |
| .github/workflows/release-tag.yml | Add --ignore-scripts to CI installs for tag workflow. |
| .github/workflows/release-npm.yml | Add --ignore-scripts to CI installs for npm release workflow. |
| .github/workflows/query-unit-tests.yml | Remove workflow_dispatch; add --ignore-scripts to installs. |
| .github/workflows/query-unit-tests-swift.yml | Remove workflow_dispatch; add --ignore-scripts to installs. |
| .github/workflows/lint-and-format.yml | Remove workflow_dispatch; add --ignore-scripts to installs. |
| .github/workflows/dependabot-commit-dist.yml | New trusted workflow to push rebuilt server/dist to Dependabot PRs. |
| .github/workflows/copilot-setup-steps.yml | Tighten triggers and add --ignore-scripts to installs. |
| .github/workflows/client-integration-tests.yml | Remove workflow_dispatch; add --ignore-scripts to installs. |
| .github/workflows/build-server.yml | Remove workflow_dispatch; add --ignore-scripts; upload server/dist artifact; skip “dirty tree” check for Dependabot. |
| .github/workflows/build-and-test-extension.yml | Remove workflow_dispatch; add --ignore-scripts to installs. |
| .github/skills/add-mcp-support-for-new-language/workflow-template.yml | Remove workflow_dispatch from the workflow template. |
| .github/skills/add-mcp-support-for-new-language/SKILL.md | Update documented workflow example to pinned SHAs and --ignore-scripts. |
| .github/dependabot.yaml | Ignore @types/vscode updates via Dependabot. |
Copilot's findings
Comments suppressed due to low confidence (1)
.github/workflows/dependabot-commit-dist.yml:116
- These
cpcommands copy fromartifact/<filename>, but the downloaded artifact will likely contain the files underartifact/server/dist/<filename>(matching the upload paths). Align the copy source paths with the downloaded artifact layout so the workflow can actually updateserver/dist/in the PR branch.
cp artifact/codeql-development-mcp-server.js server/dist/
cp artifact/codeql-development-mcp-server.js.map server/dist/
- Files reviewed: 18/18 changed files
- Comments generated: 1
Avoid Code Scanning alert for newly added workflow. To be revisited in future work. Removes the workflow_run-based handoff that rebuilt and pushed 'server/dist/**' back to Dependabot PR branches, along with the upload-artifact step and Dependabot-specific dirty-tree guard in 'build-server.yml' that fed it. - Delete '.github/workflows/dependabot-commit-dist.yml' - Remove 'server-dist' upload-artifact step from build-server.yml - Drop 'if: github.actor != dependabot[bot]' on the dirty-tree check so it now fails loudly for all PRs, including Dependabot
Contributor
There was a problem hiding this comment.
Copilot's findings
Comments suppressed due to low confidence (1)
.github/workflows/client-integration-tests.yml:180
- In this job,
npm run bundle -w servernow rebuilds esbuild internally (viaserver/package.json’s updatedbundlescript). The explicitnpm rebuild esbuild --ignore-scripts=falsestep is therefore redundant and can likely be removed.
## esbuild's optional platform binary is normally wired up by its postinstall
## script; .npmrc 'ignore-scripts=true' suppresses that, so rebuild here.
- name: CODEQL_PATH Tests - Rebuild esbuild platform binary
run: npm rebuild esbuild --ignore-scripts=false
- Files reviewed: 20/20 changed files
- Comments generated: 6
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Copilot's findings
Comments suppressed due to low confidence (1)
.github/workflows/build-and-test-extension.yml:47
- This explicit
npm rebuild esbuildstep looks redundant now that bothserverandextensions/vscodebundlescripts runrebuild:esbuildthemselves. Keeping both causes duplicated work (and can be confusing about where the rebuild is supposed to happen). Consider removing this workflow step and relying on the package scripts, or adjust the scripts so the rebuild happens in exactly one place.
- name: Build server (dependency)
run: npm run build -w server
- name: Run extension unit tests with coverage
- Files reviewed: 19/19 changed files
- Comments generated: 2
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary of Changes
This pull request introduces several improvements to the repository's CI/CD workflows and dependency management practices, with a primary focus on increasing security and reliability when installing npm dependencies. The most significant change is the adoption of
--ignore-scriptsfor all npm install/ci commands in CI workflows, preventing the execution of potentially unsafe lifecycle scripts from dependencies. Minor enhancements and cleanups are also made to workflow triggers and configuration.Outline of Changes
CI/CD Security and Reliability Improvements:
--ignore-scriptsfor allnpm installandnpm cicommands across workflows to prevent execution of potentially unsafe lifecycle scripts from dependencies. This is backed by addingignore-scripts=trueto.npmrcfor extra safety. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15]Dependency Management Enhancements:
@types/vscode, aligning its versioning with the minimum supported VS Code version and preventing accidental exposure of unsupported APIs. Also updates theupgrade:nodescript to reject updates for@types/vscodeas well aszod. [1] [2]Workflow and Trigger Cleanup:
workflow_dispatch(manual trigger) entries from GitHub Actions workflows, reducing clutter and ensuring workflows are only triggered automatically as intended. [1] [2] [3] [4] [5] [6] [7] [8] [9]These changes collectively improve the security, maintainability, and automation of the project's CI/CD pipeline.