feat(ci): add and test supply-chain hardening in release workflows

auxesis · auxesis · commit dd96de52cdd9 · 2026-05-16T14:57:11.000+10:00
GitHub Actions cache poisoning is a [known attack][1] against credential-bearing workflows: - a lower-privileged run plants a malicious entry under a deterministic cache key - a privileged workflow restores a cache from that cache key and executes it - secrets are exfiltrated The `release.yml` workflow publishes packages to npm using OIDC trusted publishing and an `NPM_TOKEN`. Before this change, `release.yml` was vulnerable to this class of attack. Mitigate this by explicitly disabling all build caching in `release.yml`: - `pnpm/action-setup` sets `cache: false` - `actions/setup-node` sets `package-manager-cache: false` - `actions/setup-node` does not set `cache:` - no `actions/cache` step is used Also add a check to the repo (`tests-supply-chain.yml`) to test that high-risk workflows (`release.yml`) are not using caching, and it is not added back in. [1](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,12 +26,19 @@ jobs:
         name: Install pnpm
         with:
           run_install: false
+          # Supply-chain hardening — never cache the pnpm store; a poisoned
+          # cache entry would execute in this credential-bearing workflow.
+          cache: false
 
       - name: Install Node.js
         uses: actions/setup-node@v6
         with:
           node-version: 22
-          cache: 'pnpm'
+          # No `cache:`, and package-manager-cache disabled. release.yml
+          # publishes to npm (NPM_TOKEN + OIDC) and must not restore the
+          # GitHub Actions cache — a cache-poisoning / supply-chain vector.
+          # Enforced by .github/workflows/tests-supply-chain.yml.
+          package-manager-cache: false
 
       # node-pty's install hook falls back to `node-gyp rebuild` when no
       # linux-x64 prebuild matches. pnpm/action-setup v6 no longer ships
diff --git a/.github/workflows/tests-supply-chain.yml b/.github/workflows/tests-supply-chain.yml
@@ -0,0 +1,80 @@
+name: Test supply chain security
+
+# Supply-chain gate: asserts that release.yml (and this workflow) never
+# restore the GitHub Actions cache. A workflow that both restores a cache
+# and holds publish credentials is a cache-poisoning target — see
+# https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
+#
+# The check (scripts/lint-no-workflow-caching.mjs) requires caching to be
+# disabled *explicitly*, not just left at its default:
+# - `pnpm/action-setup` must set `cache: false`
+# - `actions/setup-node` must set `package-manager-cache: false`
+# - no `cache:` input and no `actions/cache` step anywhere
+# See the "CI/CD Supply-Chain Hardening" section of SECURITY.md.
+#
+# Deliberately minimal:
+# - GitHub-hosted runner (no Blacksmith transparent cache)
+# - contents:read only
+# - no secrets
+# - no caching
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/release.yml'
+      - '.github/workflows/tests-supply-chain.yml'
+      - 'scripts/lint-no-workflow-caching.mjs'
+      - 'scripts/__tests__/lint-no-workflow-caching.test.mjs'
+      - 'scripts/__tests__/fixtures/lint-no-workflow-caching/**'
+  pull_request:
+    branches:
+      - '**'
+    paths:
+      - '.github/workflows/release.yml'
+      - '.github/workflows/tests-supply-chain.yml'
+      - 'scripts/lint-no-workflow-caching.mjs'
+      - 'scripts/__tests__/lint-no-workflow-caching.test.mjs'
+      - 'scripts/__tests__/fixtures/lint-no-workflow-caching/**'
+
+permissions:
+  contents: read
+
+jobs:
+  verify-no-caching-in-release-workflows:
+    name: Verify no caching in release workflows
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v6
+
+      - uses: pnpm/action-setup@v6
+        name: Install pnpm
+        with:
+          run_install: false
+          # Do not use caching in this cache-testing workflow
+          cache: false
+
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          # Do not use caching in this cache-testing workflow
+          package-manager-cache: false
+
+      # node-pty's install hook falls back to `node-gyp rebuild` when no
+      # linux-x64 prebuild matches. pnpm/action-setup v6 no longer ships
+      # node-gyp on PATH, so install it explicitly.
+      - name: Install node-gyp
+        run: npm install -g node-gyp
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run lint script self-tests
+        run: pnpm run test:scripts
+
+      - name: Verify no caching in release.yml and tests-supply-chain.yml
+        run: pnpm run lint:workflow-cache
diff --git a/SECURITY.md b/SECURITY.md
@@ -135,6 +135,28 @@ To maintain a strong security posture, contributors MUST:
 
 ---
 
+## CI/CD Supply-Chain Hardening
+
+The `release.yml` workflow publishes packages to npm using OIDC trusted
+publishing and an `NPM_TOKEN`. **GitHub Actions cache poisoning** is a known
+attack against credential-bearing workflows: a lower-privileged run plants a
+malicious entry under a deterministic cache key, and a privileged workflow
+restores and executes it — exfiltrating its secrets.
+
+To close this vector, `release.yml` and `.github/workflows/tests-supply-chain.yml`
+disable all build caching, *explicitly*:
+
+- `pnpm/action-setup` sets `cache: false`
+- `actions/setup-node` sets `package-manager-cache: false`
+- no `cache:` input and no `actions/cache` step is used
+
+This is enforced on every pull request by the `tests-supply-chain.yml` workflow,
+which runs `scripts/lint-no-workflow-caching.mjs` against both files. Contributors
+**must not** re-enable caching in these workflows — doing so downgrades a
+security control and will fail the gate.
+
+---
+
 ## Questions?
 
 For general questions about CipherStash security practices (not security incidents), contact:
diff --git a/package.json b/package.json
@@ -48,6 +48,7 @@
     "clean": "rimraf --glob **/.next **/.turbo **/dist **/node_modules",
     "code:fix": "biome check --write",
     "lint:runners": "node scripts/lint-no-hardcoded-runners.mjs",
+    "lint:workflow-cache": "node scripts/lint-no-workflow-caching.mjs",
     "release": "pnpm run build && changeset publish",
     "test": "turbo test --filter './packages/*'",
     "test:e2e": "turbo run test:e2e",
@@ -57,6 +58,7 @@
     "@biomejs/biome": "^1.9.4",
     "@changesets/cli": "^2.29.6",
     "@types/node": "^22.15.12",
+    "js-yaml": "^3.14.2",
     "rimraf": "^6.1.2",
     "turbo": "2.1.1",
     "vitest": "catalog:repo"
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-restore.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-restore.yml
@@ -0,0 +1,15 @@
+name: Actions Cache Restore
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Restore build cache
+        uses: actions/cache/restore@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-save.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache-save.yml
@@ -0,0 +1,15 @@
+name: Actions Cache Save
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Save build cache
+        uses: actions/cache/save@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/actions-cache.yml
@@ -0,0 +1,15 @@
+name: Actions Cache
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Restore build cache
+        uses: actions/cache@v4
+        with:
+          path: .turbo
+          key: turbo-${{ github.sha }}
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/clean.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/clean.yml
@@ -0,0 +1,19 @@
+name: Clean
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+        with:
+          run_install: false
+          cache: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          package-manager-cache: false
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/missing-explicit-false.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/missing-explicit-false.yml
@@ -0,0 +1,17 @@
+name: Missing Explicit False
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: pnpm/action-setup@v6
+        with:
+          run_install: false
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/no-actions-cache.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/no-actions-cache.yml
@@ -0,0 +1,13 @@
+name: No Actions Cache
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      # `actions/cache` is named here in prose but never used as a step —
+      # the check must only match a real `uses:` reference.
+      - name: Note — actions/cache is intentionally avoided
+        run: echo "this project does not use actions/cache"
diff --git a/scripts/__tests__/fixtures/lint-no-workflow-caching/setup-node-cache.yml b/scripts/__tests__/fixtures/lint-no-workflow-caching/setup-node-cache.yml
@@ -0,0 +1,15 @@
+name: Setup Node Cache
+on:
+  push:
+    branches: [main]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
diff --git a/scripts/__tests__/lint-no-workflow-caching.test.mjs b/scripts/__tests__/lint-no-workflow-caching.test.mjs
@@ -0,0 +1,101 @@
+import { execFileSync } from 'node:child_process'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import yaml from 'js-yaml'
+import { describe, expect, it } from 'vitest'
+
+// Workflows the supply-chain gate is responsible for.
+const TARGET_WORKFLOWS = [
+  '.github/workflows/release.yml',
+  '.github/workflows/tests-supply-chain.yml',
+]
+
+const SCRIPT = resolve(
+  fileURLToPath(import.meta.url),
+  '../../lint-no-workflow-caching.mjs',
+)
+const REPO_ROOT = resolve(fileURLToPath(import.meta.url), '../../..')
+
+function run(...targets) {
+  try {
+    execFileSync('node', [SCRIPT, ...targets], { encoding: 'utf8' })
+    return { exitCode: 0, output: '' }
+  } catch (err) {
+    return { exitCode: err.status, output: String(err.stdout) + String(err.stderr) }
+  }
+}
+
+describe('lint-no-workflow-caching', () => {
+  const fx = (name) =>
+    resolve(fileURLToPath(import.meta.url), `../fixtures/lint-no-workflow-caching/${name}`)
+
+  it('defaults to checking release.yml and tests-supply-chain.yml', () => {
+    expect(run().exitCode).toBe(0)
+  })
+
+  it('passes on a workflow with no caching', () => {
+    expect(run(fx('clean.yml')).exitCode).toBe(0)
+  })
+
+  it('fails on `cache:` under a setup-node step', () => {
+    const r = run(fx('setup-node-cache.yml'))
+    expect(r.exitCode).toBe(1)
+    expect(r.output).toMatch(/with\.cache/)
+  })
+
+  it('fails on an `actions/cache` step', () => {
+    const r = run(fx('actions-cache.yml'))
+    expect(r.exitCode).toBe(1)
+    expect(r.output).toMatch(/actions\/cache@/)
+  })
+
+  it('fails on an `actions/cache/restore` step', () => {
+    const r = run(fx('actions-cache-restore.yml'))
+    expect(r.exitCode).toBe(1)
+    expect(r.output).toMatch(/actions\/cache\/restore@/)
+  })
+
+  it('fails on an `actions/cache/save` step', () => {
+    const r = run(fx('actions-cache-save.yml'))
+    expect(r.exitCode).toBe(1)
+    expect(r.output).toMatch(/actions\/cache\/save@/)
+  })
+
+  it('passes when `actions/cache` appears only as prose, not a step', () => {
+    expect(run(fx('no-actions-cache.yml')).exitCode).toBe(0)
+  })
+
+  it('fails when caching is not disabled explicitly', () => {
+    const r = run(fx('missing-explicit-false.yml'))
+    expect(r.exitCode).toBe(1)
+    expect(r.output).toMatch(/\bcache\b/)
+    expect(r.output).toMatch(/package-manager-cache/)
+  })
+
+  it('keeps release.yml free of GitHub Actions caching', () => {
+    expect(run(resolve(REPO_ROOT, '.github/workflows/release.yml')).exitCode).toBe(0)
+  })
+
+  it('keeps tests-supply-chain.yml free of GitHub Actions caching', () => {
+    expect(
+      run(resolve(REPO_ROOT, '.github/workflows/tests-supply-chain.yml')).exitCode,
+    ).toBe(0)
+  })
+
+  it('the target workflows contain no `actions/cache` step', () => {
+    for (const target of TARGET_WORKFLOWS) {
+      const doc = yaml.load(readFileSync(resolve(REPO_ROOT, target), 'utf8'))
+      for (const [jobName, job] of Object.entries(doc?.jobs ?? {})) {
+        for (const step of job?.steps ?? []) {
+          if (typeof step?.uses === 'string') {
+            expect(
+              step.uses,
+              `${target} job "${jobName}" must not use actions/cache`,
+            ).not.toMatch(/^actions\/cache(\/(restore|save))?@/)
+          }
+        }
+      }
+    }
+  })
+})
diff --git a/scripts/lint-no-workflow-caching.mjs b/scripts/lint-no-workflow-caching.mjs
