Harden workflow security

[RobinMalfait]

This PR improves the workflows a bit more by:

1. Making sure that we always use pnpm install with a frozen lockfile
2. Cleanup permissions
3. By not caching ~/.cargo/bin/

Test plan

1. Every test should still pass

[ci-all]

[greptile-apps]

Confidence Score: 4/5

The changes are safe to merge with one oversight: the integration-tests workflow's pnpm install was not hardened with --frozen-lockfile along with all the others.

All four workflow files received the Cargo cache fix and most received --frozen-lockfile, but the integration-tests.yml pnpm install at line 102 was missed, leaving that job still able to silently pick up unexpected dependency changes.

.github/workflows/integration-tests.yml — the pnpm install step was not updated with --frozen-lockfile.

_{Reviews (3): Last reviewed commit: "do not cache `~/.cargo/bin/`" | Re-trigger Greptile}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 53bb05dc-f81f-4f36-bfe0-3c13fd69310c

📥 Commits

Reviewing files that changed from the base of the PR and between 4bbee19 and 3fa9a00.

📒 Files selected for processing (4)

• .github/workflows/ci.yml
• .github/workflows/integration-tests.yml
• .github/workflows/prepare-release.yml
• .github/workflows/release.yml

💤 Files with no reviewable changes (1)

• .github/workflows/integration-tests.yml

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/ci.yml
• .github/workflows/prepare-release.yml
• .github/workflows/release.yml

---

Walkthrough

This PR updates GitHub Actions workflows: it removes ~/.cargo/bin/ from Cargo cache paths (ci.yml, integration-tests.yml, prepare-release.yml, release.yml), adds --frozen-lockfile to multiple pnpm install steps across those workflows (including FreeBSD and WASM steps), and tightens release-related job permissions by removing id-token: write and changing contents from write to read where applicable.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Harden workflow security' directly summarizes the main changes: improving security by enforcing frozen lockfiles, removing cargo binary caching, and reducing excessive permissions.
Description check	✅ Passed	The description is directly related to the changeset, clearly explaining the three main improvements and providing a test plan that aligns with the modifications made.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/prepare-release.yml (1)

206-206: ⚡ Quick win

Remove || true to ensure --frozen-lockfile failures are not masked.

The || true suppresses install failures, defeating the determinism protection provided by --frozen-lockfile. Either the installation should succeed or the step should fail.

Suggested fix

-            pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/* || true
+            pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/*

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/prepare-release.yml at line 206, The workflow step
currently runs "pnpm install --ignore-scripts --frozen-lockfile
--filter=!./playgrounds/* || true", which masks failures; remove the trailing
"|| true" so that failures from --frozen-lockfile cause the job to fail. Update
the step in prepare-release.yml to run the pnpm install command without the "||
true" suffix and keep the existing flags (--ignore-scripts, --frozen-lockfile,
--filter=!./playgrounds/*) intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/prepare-release.yml:
- Line 206: The workflow step currently runs "pnpm install --ignore-scripts
--frozen-lockfile --filter=!./playgrounds/* || true", which masks failures;
remove the trailing "|| true" so that failures from --frozen-lockfile cause the
job to fail. Update the step in prepare-release.yml to run the pnpm install
command without the "|| true" suffix and keep the existing flags
(--ignore-scripts, --frozen-lockfile, --filter=!./playgrounds/*) intact.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: a91c6423-f33d-4778-acff-1f47ff6a52ab

📥 Commits

Reviewing files that changed from the base of the PR and between a2b89a7 and 5873e96.

📒 Files selected for processing (4)

• .github/workflows/ci.yml
• .github/workflows/integration-tests.yml
• .github/workflows/prepare-release.yml
• .github/workflows/release.yml

💤 Files with no reviewable changes (1)

• .github/workflows/integration-tests.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 89-90: Update the "Install dependencies" CI step so the pnpm
install command also passes --ignore-scripts: locate the step with name "Install
dependencies" that currently runs "pnpm install --frozen-lockfile" and append
"--ignore-scripts" to that run command to align with other workflows and enforce
supply-chain hardening.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 6f685cac-4983-4201-9e33-aebf1a8f0f2b

📥 Commits

Reviewing files that changed from the base of the PR and between 5873e96 and 4bbee19.

📒 Files selected for processing (4)

• .github/workflows/ci.yml
• .github/workflows/integration-tests.yml
• .github/workflows/prepare-release.yml
• .github/workflows/release.yml

💤 Files with no reviewable changes (1)

• .github/workflows/integration-tests.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/prepare-release.yml
• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow pnpm install commands enforce both flags.
# Expected: no output from the two "missing flag" checks.

echo "All pnpm install lines:"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b' .github/workflows

echo
echo "Install lines missing --ignore-scripts (should be empty):"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b(?!.*--ignore-scripts)' .github/workflows

echo
echo "Install lines missing --frozen-lockfile (should be empty):"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b(?!.*--frozen-lockfile)' .github/workflows

Repository: tailwindlabs/tailwindcss

Length of output: 815

---

Add --ignore-scripts to complete the workflow hardening goal.

Line 90 allows lifecycle scripts during install, which weakens the supply-chain hardening intent. Other workflows (release.yml, prepare-release.yml) correctly enforce both --frozen-lockfile and --ignore-scripts.

Suggested patch

-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile --ignore-scripts

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Install dependencies
	run: pnpm install
	run: pnpm install --frozen-lockfile
	- name: Install dependencies
	run: pnpm install --frozen-lockfile --ignore-scripts

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 89 - 90, Update the "Install
dependencies" CI step so the pnpm install command also passes --ignore-scripts:
locate the step with name "Install dependencies" that currently runs "pnpm
install --frozen-lockfile" and append "--ignore-scripts" to that run command to
align with other workflows and enforce supply-chain hardening.

[RobinMalfait]

This results in issues with bun that require it. Will need to figure out another solution here instead.

[coderabbitai]

@RobinMalfait, understood — thanks for the context. Withdrawing the suggestion; --ignore-scripts is not viable here because bun's install lifecycle scripts are required for the setup to work correctly. The --frozen-lockfile flag alone is a meaningful improvement for lockfile consistency, and a targeted approach (e.g., selectively blocking specific packages via .npmrc/.pnpmfile.cjs hooks, or pinning the bun package version and auditing its scripts separately) may be worth exploring as a follow-up if stronger supply-chain hardening is still desired.

---

✏️ Learnings added

Learnt from: RobinMalfait
Repo: tailwindlabs/tailwindcss PR: 20054
File: .github/workflows/ci.yml:89-90
Timestamp: 2026-05-14T10:42:57.173Z
Learning: In the tailwindlabs/tailwindcss repository, `pnpm install --ignore-scripts` cannot be used in GitHub Actions workflows because bun requires lifecycle scripts to run during installation. Adding `--ignore-scripts` breaks the bun-related setup. Only `--frozen-lockfile` is safe to enforce across CI/release workflows here.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.