feat(ci): add and test supply-chain hardening in release workflows

GitHub Actions cache poisoning is a known attack[^1] against
credential-bearing workflows:

- a lower-privileged run plants a malicious entry under a deterministic
  cache key
- a privileged workflow restores a cache from that cache key and executes it
- secrets are exfiltrated

The `release.yml` workflow publishes packages to npm using OIDC trusted
publishing and an `NPM_TOKEN`. Before this change, `release.yml` was
vulnerable to this class of attack.

Mitigate this by explicitly disabling all build caching in `release.yml`:

- `pnpm/action-setup` sets `cache: false`
- `actions/setup-node` sets `package-manager-cache: false`
- `actions/setup-node` does not set `cache:`
- no `actions/cache` step is used

Also add a check to the repo (`tests-supply-chain.yml`) to test that high-risk
workflows (`release.yml`) are not using caching, and it is not added
back in.

[^1]: https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/

Author: auxesis

.github/workflows/release.yml

@@ -26,12 +26,19 @@ jobs:
         name: Install pnpm
         with:
           run_install: false
+          # Supply-chain hardening — never cache the pnpm store; a poisoned
+          # cache entry would execute in this credential-bearing workflow.
+          cache: false
 
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
           node-version: 22
-          cache: 'pnpm'
+          # No `cache:`, and package-manager-cache disabled. release.yml
+          # publishes to npm (NPM_TOKEN + OIDC) and must not restore the
+          # GitHub Actions cache — a cache-poisoning / supply-chain vector.
+          # Enforced by .github/workflows/tests-supply-chain.yml.
+          package-manager-cache: false
 
       # node-pty's install hook falls back to `node-gyp rebuild` when no
       # linux-x64 prebuild matches. pnpm/action-setup v6 no longer ships

.github/workflows/tests-supply-chain.yml

@@ -0,0 +1,80 @@
+name: Test supply chain security
+
+# Supply-chain gate: asserts that release.yml (and this workflow) never
+# restore the GitHub Actions cache. A workflow that both restores a cache
+# and holds publish credentials is a cache-poisoning target — see
+# https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
+#
+# The check (scripts/lint-no-workflow-caching.mjs) requires caching to be
+# disabled *explicitly*, not just left at its default:
+# - `pnpm/action-setup` must set `cache: false`
+# - `actions/setup-node` must set `package-manager-cache: false`
+# - no `cache:` input and no `actions/cache` step anywhere
+# See the "CI/CD Supply-Chain Hardening" section of SECURITY.md.
+#
+# Deliberately minimal:
+# - GitHub-hosted runner (no Blacksmith transparent cache)
+# - contents:read only
+# - no secrets
+# - no caching
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/release.yml'
+      - '.github/workflows/tests-supply-chain.yml'
+      - 'scripts/lint-no-workflow-caching.mjs'
+      - 'scripts/__tests__/lint-no-workflow-caching.test.mjs'
+      - 'scripts/__tests__/fixtures/lint-no-workflow-caching/**'
+  pull_request:
+    branches:
+      - '**'
+    paths:
+      - '.github/workflows/release.yml'
+      - '.github/workflows/tests-supply-chain.yml'
+      - 'scripts/lint-no-workflow-caching.mjs'
+      - 'scripts/__tests__/lint-no-workflow-caching.test.mjs'
+      - 'scripts/__tests__/fixtures/lint-no-workflow-caching/**'
+
+permissions:
+  contents: read
+
+jobs:
+  verify-no-caching-in-release-workflows:
+    name: Verify no caching in release workflows
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        name: Install pnpm
+        with:
+          run_install: false
+          # Do not use caching in this cache-testing workflow
+          cache: false
+
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          # Do not use caching in this cache-testing workflow
+          package-manager-cache: false
+
+      # node-pty's install hook falls back to `node-gyp rebuild` when no
+      # linux-x64 prebuild matches. pnpm/action-setup v6 no longer ships
+      # node-gyp on PATH, so install it explicitly.
+      - name: Install node-gyp
+        run: npm install -g node-gyp
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run lint script self-tests
+        run: pnpm run test:scripts
+
+      - name: Verify no caching in release.yml and tests-supply-chain.yml
+        run: pnpm run lint:workflow-cache

SECURITY.md

@@ -1,6 +1,6 @@
 # Security Policy
 
-CipherStash takes the security of our software, infrastructure, and customers extremely seriously.  
+CipherStash takes the security of our software, infrastructure, and customers extremely seriously.
 This document describes the security posture, reporting process, and guidelines for this repository and associated packages.
 
 ## Supported Packages
@@ -80,13 +80,13 @@ We will acknowledge receipt within **48 hours** and provide regular updates unti
 
 CipherStash follows a **coordinated responsible disclosure** process:
 
-1. **Submit report** privately via `security@cipherstash.com`.  
-2. **Acknowledgement** within 48 hours.  
-3. **Assessment** of severity using CVSS and internal risk models.  
-4. **Fix development** and patch release in a private branch.  
+1. **Submit report** privately via `security@cipherstash.com`.
+2. **Acknowledgement** within 48 hours.
+3. **Assessment** of severity using CVSS and internal risk models.
+4. **Fix development** and patch release in a private branch.
 5. **Coordinated disclosure**, including:
    - New patch release(s)
-   - Security advisory on GitHub  
+   - Security advisory on GitHub
    - Credit to reporter (optional)
 
 We will never take legal action against good-faith security researchers who follow this policy.
@@ -102,14 +102,14 @@ The following are **in scope**:
 - Protect.js cryptographic implementations, configuration layers, and CLI tooling
 - Key-handling, authenticated encryption behaviour, JSON/JSONB field-level encryption flows
 - Documentation or code examples that could lead to insecure usage
-- CipherStash’s internal infrastructure  
+- CipherStash’s internal infrastructure
 - CipherStash Proxy, ZeroKMS, or other backend products
 
 The following are **out of scope**:
 
 - Example applications in the `examples` dir (though we are still grateful for any relevant disclosires there)
-- Social engineering, physical attacks, or denial-of-service  
-- Attacks requiring privileged access to developer machines or CI/CD infrastructure  
+- Social engineering, physical attacks, or denial-of-service
+- Attacks requiring privileged access to developer machines or CI/CD infrastructure
 
 ---
 
@@ -118,23 +118,46 @@ The following are **out of scope**:
 To maintain a strong security posture, contributors MUST:
 
 ### ⚙️ Follow cryptographic safety rules
-- Do **not** modify cryptographic primitives without prior discussion 
-- Avoid introducing new crypto dependencies without prior discussion  
-- Never check in test keys, secrets, or example credentials  
+- Do **not** modify cryptographic primitives without prior discussion
+- Avoid introducing new crypto dependencies without prior discussion
+- Never check in test keys, secrets, or example credentials
 
 ### 🛡 Coding & dependency hygiene
-- Avoid adding dependencies unless necessary  
-- Keep dependencies updated and vetted  
-- Use TypeScript for all new code  
-- Ensure all code paths that handle keys or encrypted data include type-safe boundaries  
+- Avoid adding dependencies unless necessary
+- Keep dependencies updated and vetted
+- Use TypeScript for all new code
+- Ensure all code paths that handle keys or encrypted data include type-safe boundaries
 
 ### 🔍 Testing & review
-- Submit PRs with tests covering edge cases and misuse-resistant behaviour  
-- Flag any changes involving key derivation, key wrapping, AAD, or encryption modes for mandatory security review  
+- Submit PRs with tests covering edge cases and misuse-resistant behaviour
+- Flag any changes involving key derivation, key wrapping, AAD, or encryption modes for mandatory security review
 - Do not merge PRs that downgrade security controls or introduce unsafe defaults
 
 ---
 
+## CI/CD Supply-Chain Hardening
+
+The `release.yml` workflow publishes packages to npm using OIDC trusted
+publishing and an `NPM_TOKEN`.
+
+[GitHub Actions cache poisoning is a known attack][1] against credential-bearing
+workflows. The mechanism is:
+
+- A lower-privileged workflow run plants a malicious entry under a deterministic
+  cache key
+- A privileged workflow restores a cache from that deterministic cache key
+- The malicious entry is executed by the privileged workflow, and secrets
+  are exfiltrated
+
+We mitigate this by:
+
+- Explicitly disabling all caching in `release.yml`
+- Automated checks for disabled caching on high-risk workflows
+
+[1]: https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
+
+---
+
 ## Questions?
 
 For general questions about CipherStash security practices (not security incidents), contact:

package.json

@@ -48,6 +48,7 @@
     "clean": "rimraf --glob **/.next **/.turbo **/dist **/node_modules",
     "code:fix": "biome check --write",
     "lint:runners": "node scripts/lint-no-hardcoded-runners.mjs",
+    "lint:workflow-cache": "node scripts/lint-no-workflow-caching.mjs",
     "release": "pnpm run build && changeset publish",
     "test": "turbo test --filter './packages/*'",
     "test:e2e": "turbo run test:e2e",
@@ -57,6 +58,7 @@
     "@biomejs/biome": "^1.9.4",
     "@changesets/cli": "^2.29.6",
     "@types/node": "^22.15.12",
+    "js-yaml": "^3.14.2",
     "rimraf": "^6.1.2",
     "turbo": "2.1.1",
     "vitest": "catalog:repo"

pnpm-lock.yaml

@@ -0,0 +1,15 @@
+name: Actions Cache Restore
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Restore build cache
+        uses: actions/cache/restore@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile

scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-restore.yml

@@ -0,0 +1,15 @@
+name: Actions Cache Save
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Save build cache
+        uses: actions/cache/save@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile

scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-save.yml

@@ -0,0 +1,15 @@
+name: Actions Cache
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Restore build cache
+        uses: actions/cache@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile

scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache.yml

@@ -0,0 +1,19 @@
+name: Clean
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+        with:
+          run_install: false
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          package-manager-cache: false
+      - run: pnpm install --frozen-lockfile

scripts/__tests__/fixtures/lint-no-workflow-caching/clean.yml

@@ -0,0 +1,17 @@
+name: Missing Explicit False
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+        with:
+          run_install: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+      - run: pnpm install --frozen-lockfile