Merge pull request #25 from script-development/security/harden-publish-workflow

Goosterhof · web-flow · commit 07f691ac038e · 2026-04-13T12:05:18.000+02:00
security: harden publish pipeline + CI against supply-chain injection
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ jobs:
       - uses: actions/setup-node@v6
         with:
           node-version: 24
-      - run: npm ci
+      - run: npm ci --ignore-scripts
       - run: npm audit
       - run: npm run format:check
       - run: npm run lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,7 +7,26 @@ on:
       - "**/package.json"
 
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 24
+      - run: npm ci --ignore-scripts
+      - run: npm run build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: build-output
+          path: packages/*/dist/
+          retention-days: 1
+          if-no-files-found: error
+
   publish:
+    needs: build
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -19,8 +38,11 @@ jobs:
           node-version: 24
           registry-url: "https://registry.npmjs.org"
           scope: "@script-development"
-      - run: npm ci
-      - run: npm run build
+      - uses: actions/download-artifact@v4
+        with:
+          name: build-output
+          path: .
+      - run: npm ci --ignore-scripts
       - run: npx changeset publish
         env:
           NPM_CONFIG_PROVENANCE: "true"
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -13,19 +13,20 @@ Shared frontend service packages monorepo under the `@script-development` npm sc
 - **Publish:** OIDC Trusted Publishing to public npm registry (no stored tokens)
 - **CI:** 8-gate pipeline: audit → format → lint → build → typecheck → lint:pkg → coverage → mutation
 
-## Packages (9)
-
-| Package          | Vue | Description                                                       |
-| ---------------- | --- | ----------------------------------------------------------------- |
-| fs-http          | No  | HTTP service factory with middleware architecture                 |
-| fs-storage       | No  | localStorage service factory with prefix namespacing              |
-| fs-helpers       | No  | Tree-shakeable utilities: deep copy, type guards, case conversion |
-| fs-theme         | Yes | Reactive dark/light mode with storage persistence                 |
-| fs-loading       | Yes | Loading state service with HTTP middleware                        |
-| fs-adapter-store | Yes | Reactive adapter-store pattern with CRUD resource adapters        |
-| fs-toast         | Yes | Component-agnostic toast queue (FIFO)                             |
-| fs-dialog        | Yes | Component-agnostic dialog stack (LIFO) with error middleware      |
-| fs-translation   | Yes | Type-safe reactive i18n with dot-notation keys                    |
+## Packages (10)
+
+| Package          | Vue | Description                                                                                                      |
+| ---------------- | --- | ---------------------------------------------------------------------------------------------------------------- |
+| fs-http          | No  | HTTP service factory with middleware architecture                                                                |
+| fs-storage       | No  | localStorage service factory with prefix namespacing                                                             |
+| fs-helpers       | No  | Tree-shakeable utilities: deep copy, type guards, case conversion                                                |
+| fs-theme         | Yes | Reactive dark/light mode with storage persistence                                                                |
+| fs-loading       | Yes | Loading state service with HTTP middleware                                                                       |
+| fs-adapter-store | Yes | Reactive adapter-store pattern with CRUD resource adapters                                                       |
+| fs-toast         | Yes | Component-agnostic toast queue (FIFO)                                                                            |
+| fs-dialog        | Yes | Component-agnostic dialog stack (LIFO) with error middleware                                                     |
+| fs-translation   | Yes | Type-safe reactive i18n with dot-notation keys                                                                   |
+| fs-router        | Yes | Type-safe router service factory with CRUD navigation, middleware pipeline, and custom components for Vue Router |
 
 ## Conventions
 
