[codex] Fix npm audit vulnerabilities #1676
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: {} | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, windows-latest, macos-latest] | |
| fail-fast: false | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Configure Git line endings | |
| if: runner.os == 'Windows' | |
| run: git config --global core.autocrlf false | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: '24' | |
| cache: 'npm' | |
| cache-dependency-path: package-lock.json | |
| # Install at root level for npm workspaces | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npm run lint | |
| working-directory: extensions/git-id-switcher | |
| - name: Compile | |
| run: npm run compile | |
| working-directory: extensions/git-id-switcher | |
| - name: Run tests with coverage | |
| run: npm run test:coverage | |
| working-directory: extensions/git-id-switcher | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v6.0.2 | |
| with: | |
| directory: extensions/git-id-switcher/coverage | |
| fail_ci_if_error: false | |
| - name: Package | |
| run: npm run package | |
| working-directory: extensions/git-id-switcher | |
| - name: Verify VSIX created | |
| shell: bash | |
| run: ls -la extensions/git-id-switcher/*.vsix | |
| - name: Verify package.json URLs (anti-impersonation) | |
| shell: bash | |
| run: | | |
| cd extensions/git-id-switcher | |
| REPO_URL=$(node -e "console.log(require('./package.json').repository.url)") | |
| HOMEPAGE=$(node -e "console.log(require('./package.json').homepage)") | |
| EXPECTED_REPO="https://github.com/nullvariant/nullvariant-vscode-extensions" | |
| EXPECTED_HOME_PREFIX="https://github.com/nullvariant/nullvariant-vscode-extensions" | |
| if [ "$REPO_URL" != "$EXPECTED_REPO" ]; then | |
| echo "::error::repository.url mismatch: expected '$EXPECTED_REPO', got '$REPO_URL'" | |
| exit 1 | |
| fi | |
| if [[ "$HOMEPAGE" != "$EXPECTED_HOME_PREFIX"* ]]; then | |
| echo "::error::homepage does not start with '$EXPECTED_HOME_PREFIX': got '$HOMEPAGE'" | |
| exit 1 | |
| fi | |
| echo "package.json URLs verified" | |
| e2e: | |
| name: E2E Tests (${{ matrix.os }}) | |
| strategy: | |
| matrix: | |
| os: [ubuntu-latest, windows-latest, macos-latest] | |
| fail-fast: false | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Configure Git line endings | |
| if: runner.os == 'Windows' | |
| run: git config --global core.autocrlf false | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: '24' | |
| cache: 'npm' | |
| cache-dependency-path: package-lock.json | |
| # Install at root level for npm workspaces | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run E2E tests (Linux) | |
| if: runner.os == 'Linux' | |
| run: xvfb-run -a npm run test:e2e | |
| working-directory: extensions/git-id-switcher | |
| - name: Run E2E tests (Windows/macOS) | |
| if: runner.os != 'Linux' | |
| run: npm run test:e2e | |
| working-directory: extensions/git-id-switcher | |
| vex-dependency-review: | |
| name: VEX Dependency Review | |
| runs-on: ubuntu-latest | |
| # Only run on dependency update PRs (Dependabot or Renovate) | |
| if: > | |
| github.event_name == 'pull_request' && | |
| (github.actor == 'dependabot[bot]' || github.actor == 'renovate[bot]') | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Check for production dependency changes | |
| id: check | |
| run: | | |
| BASE_REF="${{ github.event.pull_request.base.sha }}" | |
| HEAD_REF="${{ github.event.pull_request.head.sha }}" | |
| # Get production dependency count from base and head | |
| BASE_DEPS=$(git show "${BASE_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies // {} | keys | length') | |
| HEAD_DEPS=$(git show "${HEAD_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies // {} | keys | length') | |
| echo "Base production deps: $BASE_DEPS" | |
| echo "Head production deps: $HEAD_DEPS" | |
| if [ "$HEAD_DEPS" != "0" ]; then | |
| echo "has_prod_deps=true" >> "$GITHUB_OUTPUT" | |
| NEW_DEPS=$(git show "${HEAD_REF}:extensions/git-id-switcher/package.json" | jq -r '.dependencies | keys[]') | |
| echo "prod_deps<<DEPSEOF" >> "$GITHUB_OUTPUT" | |
| echo "$NEW_DEPS" >> "$GITHUB_OUTPUT" | |
| echo "DEPSEOF" >> "$GITHUB_OUTPUT" | |
| echo "::error::Production dependencies detected. VEX must be manually reviewed." | |
| else | |
| echo "has_prod_deps=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Post VEX assessment (devDependencies only) | |
| if: steps.check.outputs.has_prod_deps == 'false' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Prevent duplicate comments on force-pushed PRs | |
| EXISTING=$(gh pr view "${{ github.event.pull_request.number }}" --json comments \ | |
| --jq '.comments[] | select(.body | contains("VEX Assessment")) | .id' | head -1) | |
| if [ -n "$EXISTING" ]; then | |
| echo "VEX assessment comment already exists. Skipping." | |
| exit 0 | |
| fi | |
| gh pr comment "${{ github.event.pull_request.number }}" --body "$(cat <<'COMMENTEOF' | |
| ### VEX Assessment: `not_affected` | |
| This dependency update modifies **devDependencies only**. | |
| - **Status**: `not_affected` | |
| - **Justification**: `vulnerable_code_not_in_execute_path` | |
| - **Impact**: Zero production dependencies. No third-party code is included in the published VSIX. | |
| Any CVEs in updated devDependencies do not affect end users. The VEX document will be automatically updated by the weekly [VEX Auto-Update](.github/workflows/vex-update.yml) workflow. | |
| 🤖 Automated VEX assessment | |
| COMMENTEOF | |
| )" | |
| - name: Warn about production dependencies | |
| if: steps.check.outputs.has_prod_deps == 'true' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Prevent duplicate comments on force-pushed PRs | |
| EXISTING=$(gh pr view "${{ github.event.pull_request.number }}" --json comments \ | |
| --jq '.comments[] | select(.body | contains("VEX Assessment")) | .id' | head -1) | |
| if [ -n "$EXISTING" ]; then | |
| echo "VEX assessment comment already exists. Skipping." | |
| else | |
| DEPS="${{ steps.check.outputs.prod_deps }}" | |
| gh pr comment "${{ github.event.pull_request.number }}" --body "$(cat <<COMMENTEOF | |
| ### ⚠️ VEX Assessment: Manual Review Required | |
| This PR adds **production dependencies**: | |
| \`\`\` | |
| $DEPS | |
| \`\`\` | |
| Production dependencies are bundled into the published VSIX and may affect end users. | |
| The current VEX blanket statement (\`not_affected\` for all CVEs) **no longer applies**. | |
| **Action required:** | |
| 1. Review whether production dependencies are truly necessary | |
| 2. Update \`.vex/vex.json\` to reflect the new risk assessment | |
| 3. Consider the impact on supply chain security | |
| 🤖 Automated VEX assessment | |
| COMMENTEOF | |
| )" | |
| fi | |
| # Always fail when production dependencies are detected | |
| exit 1 | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| # Only run on pull requests (requires base/head comparison) | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 | |
| with: | |
| config-file: './.github/dependency-review-config.yml' | |
| comment-summary-in-pr: always |