797 OpenSSF Branch Improvements#812
Conversation
Replace npm install with npm ci in CI workflows to ensure deterministic, faster installs (copilot-setup-steps.yml and lint.yml). Also pin the global npm version to 11.5.1 in publish.yml instead of installing the latest to avoid unexpected changes from rolling npm releases.
Add a .github/CODEOWNERS file that designates @jonobr1 as the owner for all files, ensuring the project maintainer is requested for review on pull requests. This enforces a single-point review policy for changes.
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Tightens CI configuration for more reproducible dependency installs and adds repository ownership metadata.
Changes:
- Pin npm to 11.5.1 in the publish workflow instead of installing
latest. - Switch dependency installation to
npm ciin lint and Copilot setup workflows. - Add a
.github/CODEOWNERSfile to require maintainer review.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Pins npm version used during publish builds for consistency. |
| .github/workflows/lint.yml | Uses npm ci for deterministic installs in lint job. |
| .github/workflows/copilot-setup-steps.yml | Uses npm ci for deterministic installs in Copilot setup job. |
| .github/CODEOWNERS | Adds code ownership rules requiring maintainer review. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -24,7 +24,7 @@ jobs: | |||
|
|
|||
| # Ensure npm 11.5.1 or later is installed | |||
There was a problem hiding this comment.
The comment says 'npm 11.5.1 or later', but the command pins npm to exactly 11.5.1. Either update the comment to match the pin, or change the install to a range/major (e.g., a caret range) if the intent is to allow patch/minor updates. Pinning improves reproducibility, while allowing 'or later' improves getting security/bugfix updates automatically.
| # Ensure npm 11.5.1 or later is installed | |
| # Ensure npm 11.5.1 is installed |
| - uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | ||
| - name: Install modules | ||
| run: npm install | ||
| run: npm ci |
There was a problem hiding this comment.
npm ci requires a committed lockfile (package-lock.json / npm-shrinkwrap.json) and will fail without one. If this repo doesn't always include a lockfile or it can be absent in some branches, this change can break the lint workflow; ensure the lockfile is checked in and kept in sync with package.json.
| run: npm ci | |
| run: | | |
| if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then | |
| npm ci | |
| else | |
| npm install | |
| fi |
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
| run: npm ci |
There was a problem hiding this comment.
Same as the lint workflow: npm ci will fail without a committed lockfile. If the Copilot setup workflow is expected to run on contributions where a lockfile might be missing, consider enforcing the lockfile policy (preferred) or using npm install for that specific workflow.
| run: npm ci | |
| run: | | |
| if [ -f package-lock.json ]; then | |
| npm ci | |
| else | |
| npm install | |
| fi |
Up to standards ✅🟢 Issues
|
No description provided.