Skip to content

797 OpenSSF Branch Improvements#812

Merged
jonobr1 merged 2 commits into
devfrom
797-ossf-branch-improvements
Apr 10, 2026
Merged

797 OpenSSF Branch Improvements#812
jonobr1 merged 2 commits into
devfrom
797-ossf-branch-improvements

Conversation

@jonobr1

@jonobr1 jonobr1 commented Apr 10, 2026

Copy link
Copy Markdown
Owner

No description provided.

jonobr1 added 2 commits April 10, 2026 15:11
Replace npm install with npm ci in CI workflows to ensure deterministic, faster installs (copilot-setup-steps.yml and lint.yml). Also pin the global npm version to 11.5.1 in publish.yml instead of installing the latest to avoid unexpected changes from rolling npm releases.
Add a .github/CODEOWNERS file that designates @jonobr1 as the owner for all files, ensuring the project maintainer is requested for review on pull requests. This enforces a single-point review policy for changes.
Copilot AI review requested due to automatic review settings April 10, 2026 22:18
@jonobr1 jonobr1 merged commit 3e71425 into dev Apr 10, 2026
4 checks passed
@jonobr1 jonobr1 deleted the 797-ossf-branch-improvements branch April 10, 2026 22:18

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Tightens CI configuration for more reproducible dependency installs and adds repository ownership metadata.

Changes:

  • Pin npm to 11.5.1 in the publish workflow instead of installing latest.
  • Switch dependency installation to npm ci in lint and Copilot setup workflows.
  • Add a .github/CODEOWNERS file to require maintainer review.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/publish.yml Pins npm version used during publish builds for consistency.
.github/workflows/lint.yml Uses npm ci for deterministic installs in lint job.
.github/workflows/copilot-setup-steps.yml Uses npm ci for deterministic installs in Copilot setup job.
.github/CODEOWNERS Adds code ownership rules requiring maintainer review.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@@ -24,7 +24,7 @@ jobs:

# Ensure npm 11.5.1 or later is installed

Copilot AI Apr 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment says 'npm 11.5.1 or later', but the command pins npm to exactly 11.5.1. Either update the comment to match the pin, or change the install to a range/major (e.g., a caret range) if the intent is to allow patch/minor updates. Pinning improves reproducibility, while allowing 'or later' improves getting security/bugfix updates automatically.

Suggested change
# Ensure npm 11.5.1 or later is installed
# Ensure npm 11.5.1 is installed

Copilot uses AI. Check for mistakes.
- uses: jonobr1/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
- name: Install modules
run: npm install
run: npm ci

Copilot AI Apr 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm ci requires a committed lockfile (package-lock.json / npm-shrinkwrap.json) and will fail without one. If this repo doesn't always include a lockfile or it can be absent in some branches, this change can break the lint workflow; ensure the lockfile is checked in and kept in sync with package.json.

Suggested change
run: npm ci
run: |
if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
npm ci
else
npm install
fi

Copilot uses AI. Check for mistakes.

- name: Install dependencies
run: npm install
run: npm ci

Copilot AI Apr 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the lint workflow: npm ci will fail without a committed lockfile. If the Copilot setup workflow is expected to run on contributions where a lockfile might be missing, consider enforcing the lockfile policy (preferred) or using npm install for that specific workflow.

Suggested change
run: npm ci
run: |
if [ -f package-lock.json ]; then
npm ci
else
npm install
fi

Copilot uses AI. Check for mistakes.
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

TIP This summary will be updated as you push new changes. Give us feedback

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants