3 changes: 1 addition & 2 deletions .github/workflows/ci.yml
@@ -61,7 +61,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
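Review bot: removing `~/.cargo/bin/` from the cached paths (the same hunk appears in integration-tests.yml, prepare-release.yml and release.yml) is a sensible narrowing: executables restored from a cache run with the job's credentials, whereas the remaining registry/index, registry/cache and git/db paths hold crate sources and index data that cargo verifies against the lockfile checksums before use. The hunk does not show what previously populated `~/.cargo/bin/`, so confirm that no later step relies on a cargo-installed tool that only worked because the cache restored it; such a step will now either fail or reinstall the tool on every run.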
@@ -88,7 +87,7 @@ jobs:
run: rustup target add wasm32-wasip1-threads

- name: Install dependencies
run: pnpm install
run: pnpm install --frozen-lockfile
Comment on lines 89 to +90

@coderabbitai coderabbitai Bot May 14, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow pnpm install commands enforce both flags.
# Expected: no output from the two "missing flag" checks.

echo "All pnpm install lines:"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b' .github/workflows

echo
echo "Install lines missing --ignore-scripts (should be empty):"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b(?!.*--ignore-scripts)' .github/workflows

echo
echo "Install lines missing --frozen-lockfile (should be empty):"
rg -nP --iglob '*.yml' '^\s*run:\s*pnpm\s+install\b(?!.*--frozen-lockfile)' .github/workflows

Repository: tailwindlabs/tailwindcss

Length of output: 815


Add --ignore-scripts to complete the workflow hardening goal.

Line 90 allows lifecycle scripts during install, which weakens the supply-chain hardening intent. Other workflows (release.yml, prepare-release.yml) correctly enforce both --frozen-lockfile and --ignore-scripts.

Suggested patch
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile --ignore-scripts
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 89 - 90, update the "Install
dependencies" CI step so the pnpm install command also passes --ignore-scripts:
locate the step with name "Install dependencies" that currently runs "pnpm
install --frozen-lockfile" and append "--ignore-scripts" to that run command to
align with other workflows and enforce supply-chain hardening.

Member Author

This results in issues with bun that require it. Will need to figure out another solution here instead.

Contributor

@RobinMalfait, understood — thanks for the context. Withdrawing the suggestion; --ignore-scripts is not viable here because bun's install lifecycle scripts are required for the setup to work correctly. The --frozen-lockfile flag alone is a meaningful improvement for lockfile consistency, and a targeted approach (e.g., selectively blocking specific packages via .npmrc/.pnpmfile.cjs hooks, or pinning the bun package version and auditing its scripts separately) may be worth exploring as a follow-up if stronger supply-chain hardening is still desired.


✏️ Learnings added
Learnt from: RobinMalfait
Repo: tailwindlabs/tailwindcss PR: 20054
File: .github/workflows/ci.yml:89-90
Timestamp: 2026-05-14T10:42:57.173Z
Learning: In the tailwindlabs/tailwindcss repository, `pnpm install --ignore-scripts` cannot be used in GitHub Actions workflows because bun requires lifecycle scripts to run during installation. Adding `--ignore-scripts` breaks the bun-related setup. Only `--frozen-lockfile` is safe to enforce across CI/release workflows here.



- name: Build
run: pnpm run build
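Review bot: the thread above settles the `--ignore-scripts` question for this job, but there is a middle ground worth recording: pnpm's `onlyBuiltDependencies` allow-list (set under `pnpm.onlyBuiltDependencies` in package.json or in pnpm-workspace.yaml) lets the workflow run bun's install script while still refusing every other dependency's lifecycle script, instead of the all-or-nothing choice discussed. Separately, `--frozen-lockfile` is already pnpm's default whenever the `CI` environment variable is set, as it is on GitHub Actions, so the explicit flag on the `run: pnpm install --frozen-lockfile` line mainly makes the intent visible and protects runs where that variable is absent.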
1 change: 0 additions & 1 deletion .github/workflows/integration-tests.yml
@@ -73,7 +73,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
10 changes: 3 additions & 7 deletions .github/workflows/prepare-release.yml
@@ -104,7 +104,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
@@ -146,7 +145,7 @@ jobs:
run: rustup target add ${{ matrix.target }}

- name: Install dependencies
run: pnpm install --ignore-scripts --filter=!./playgrounds/*
run: pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/*

- name: Build release
run: pnpm run --filter ${{ env.OXIDE_LOCATION }} build:platform --target=${{ matrix.target }} ${{ matrix.build-flags }}
@@ -204,7 +203,7 @@ jobs:
chmod +x rustup-init
./rustup-init -y --profile minimal
source "$HOME/.cargo/env"
pnpm install --ignore-scripts --filter=!./playgrounds/* || true
pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/* || true
echo "~~~~ rustc --version ~~~~"
rustc --version
echo "~~~~ node -v ~~~~"
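Review bot: the `|| true` on `pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/* || true` discards the exit status, so a lockfile mismatch that `--frozen-lockfile` is meant to stop will not fail this step, and the script continues into `rustc --version` and the following commands with whatever state the install left behind. If a specific failure is expected to be tolerable here, handle that case explicitly; otherwise drop `|| true` and let the install fail, so the frozen-lockfile guarantee added in this PR is not quietly lost in this block.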
@@ -227,8 +226,6 @@ jobs:

permissions:
contents: write # for softprops/action-gh-release to create GitHub release
# https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
id-token: write

needs:
- build
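Review bot: dropping `id-token: write` together with the npm-provenance comment that justified it is a good least-privilege trim, provided nothing in this job still publishes with provenance; the hunk shows only the permissions block, so confirm no later step needs the OIDC token. `contents: write` stays, with its comment about softprops/action-gh-release, which means this job can still create releases and write to the repository; that is the permission worth scrutinising next.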
@@ -262,7 +259,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
@@ -289,7 +285,7 @@ jobs:
run: rustup target add wasm32-wasip1-threads

- name: Install dependencies
run: pnpm --filter=!./playgrounds/* install
run: pnpm --filter=!./playgrounds/* install --frozen-lockfile

- name: Download artifacts
uses: actions/download-artifact@v7
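Review bot: this install runs without `--ignore-scripts`, while the build job earlier in the same file (`pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/*`) refuses lifecycle scripts. The next step only downloads artifacts, which suggests this job does not build native code itself; if bun is not needed here (see the ci.yml discussion), adding `--ignore-scripts` gives the publish path the same protection as the build path, which matters most in the job that holds release credentials.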
10 changes: 4 additions & 6 deletions .github/workflows/release.yml
@@ -108,7 +108,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
@@ -150,7 +149,7 @@ jobs:
run: rustup target add ${{ matrix.target }}

- name: Install dependencies
run: pnpm install --ignore-scripts --filter=!./playgrounds/*
run: pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/*

- name: Build release
run: pnpm run --filter ${{ env.OXIDE_LOCATION }} build:platform --target=${{ matrix.target }} ${{ matrix.build-flags }}
@@ -214,7 +213,7 @@ jobs:
node -v
echo "~~~~ pnpm --version ~~~~"
pnpm --version
pnpm install --ignore-scripts --filter=!./playgrounds/* || true
pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/* || true
pnpm run --filter ${{ env.OXIDE_LOCATION }} build:platform
strip -x ${{ env.OXIDE_LOCATION }}/*.node
ls -la ${{ env.OXIDE_LOCATION }}
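Review bot: same concern as in prepare-release.yml: the `|| true` after `pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/* || true` means a lockfile mismatch does not fail the step, and `pnpm run --filter ${{ env.OXIDE_LOCATION }} build:platform` then runs against whatever the install left behind. Let the install fail, or catch the one error you expect, rather than discarding its exit status.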
@@ -230,7 +229,7 @@ jobs:
name: Build and publish Tailwind CSS

permissions:
contents: write # for softprops/action-gh-release to create GitHub release
contents: read
# https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
id-token: write
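Review bot: tightening `contents: write` to `contents: read` while keeping `id-token: write` is the right shape for a publish job that only needs the OIDC token for npm provenance. The removed line's comment said the write permission existed for softprops/action-gh-release; the hunk does not show that step leaving this job, so confirm GitHub release creation now happens elsewhere (or no longer runs here), otherwise it will fail at runtime with a read-only token.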

@@ -280,7 +279,6 @@ jobs:
uses: actions/cache@v5
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
@@ -307,7 +305,7 @@ jobs:
run: rustup target add wasm32-wasip1-threads

- name: Install dependencies
run: pnpm --filter=!./playgrounds/* install
run: pnpm --filter=!./playgrounds/* install --frozen-lockfile

- name: Download artifacts
uses: actions/download-artifact@v7
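Review bot: as in prepare-release.yml, this publish-job install omits `--ignore-scripts` while the build job above (`pnpm install --ignore-scripts --frozen-lockfile --filter=!./playgrounds/*`) sets it. This job carries `id-token: write` for publishing, so it is where an unreviewed postinstall would do the most damage; if bun is not required here, add the flag, or use pnpm's `onlyBuiltDependencies` allow-list so that only bun's script is permitted to run.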