2 changes: 2 additions & 0 deletions .github/actions/clone/action.yml
Expand Up @@ -36,12 +36,14 @@ runs:
repository: rolldown/rolldown
path: rolldown
ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }}
persist-credentials: false

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: vitejs/vite
path: vite
ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_VITE_HASH }}
persist-credentials: false

# Disable autocrlf to preserve LF line endings on Windows
# This prevents prettier/eslint from failing with "Delete ␍" errors
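Review bot: The two upstream checkouts (`rolldown/rolldown`, `vitejs/vite`) now run with `persist-credentials: false`, so any later step in this composite action that needs authenticated git access inside `rolldown/` or `vite/` will fail at runtime rather than at review time; the rest of the action is outside the hunk, so confirm none of them does. The `ref:` values come from an earlier step's outputs, and the names suggest commit hashes, which is the immutable form this needs — worth keeping that way. A one-line comment above the first `with:` block, `# read-only clone: no token is written into .git/config`, would record the intent for the next editor.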
18 changes: 9 additions & 9 deletions .github/workflows/ci.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
outputs:
code-changed: ${{ steps.filter.outputs.code }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
Expand All @@ -60,7 +60,7 @@ jobs:
contents: read
packages: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/download-rolldown-binaries
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -80,7 +80,7 @@ jobs:
target: aarch64-apple-darwin
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Setup Dev Drive
Expand Down Expand Up @@ -133,7 +133,7 @@ jobs:
shell: sh {0}
run: apk add --no-cache bash curl git musl-dev gcc g++ python3 cmake make

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Install rustup
Expand All @@ -159,7 +159,7 @@ jobs:
name: Lint
runs-on: namespace-profile-linux-x64-default
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16
Expand Down Expand Up @@ -206,7 +206,7 @@ jobs:
target: x86_64-pc-windows-msvc
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Setup Dev Drive
Expand Down Expand Up @@ -640,7 +640,7 @@ jobs:
shardTotal: 3
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Setup Dev Drive
Expand Down Expand Up @@ -698,7 +698,7 @@ jobs:
- download-previous-rolldown-binaries
runs-on: namespace-profile-linux-x64-default
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16
Expand Down Expand Up @@ -777,7 +777,7 @@ jobs:
github.event_name != 'pull_request' ||
contains(github.event.pull_request.labels.*.name, 'test: install-e2e')
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16
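Review bot: Every job in this file now checks out with the third-party `taiki-e/checkout-action` in place of the GitHub-maintained `actions/checkout`, while `./.github/actions/clone` (its section above) still uses `actions/checkout` for the upstream repositories, so the workflows now trust two checkout implementations; the pin is a full SHA, which is the right form, but the `# v1.4.2` tag comment is not verified by the runner and should be checked against the upstream release once at review time. The same swap appears in e2e-test.yml, release.yml, test-standalone-install.yml, test-vp-create.yml and upgrade-deps.yml. The remaining steps of each job are outside these hunks, so anything that relied on `actions/checkout` inputs or behaviour (`fetch-depth`, `persist-credentials`, submodules, the token it leaves behind) should be confirmed against what the new action supports. A short comment on the first occurrence recording why the GitHub-maintained action was dropped would help the next reader, e.g. `# minimal git-only checkout; replaces actions/checkout for read-only jobs`.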
2 changes: 1 addition & 1 deletion .github/workflows/claude.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 100
persist-credentials: true
persist-credentials: false

- name: Run Claude Code
id: claude
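Review bot: Flipping `persist-credentials` to `false` on this checkout means the `Run Claude Code` step that follows no longer finds a token in `.git/config`; if that step pushes commits or branches through plain git rather than through its own token input, it will start failing with an authentication error, and that step's configuration is outside the hunk. Confirm the action is handed its own credential before merging, and consider noting it above the checkout: `# token is not left in .git/config; the Claude step authenticates via its own input`.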
50 changes: 0 additions & 50 deletions .github/workflows/deny.yml

This file was deleted.

8 changes: 4 additions & 4 deletions .github/workflows/e2e-test.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
outputs:
related-files-changed: ${{ steps.filter.outputs.related-files }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
Expand All @@ -55,7 +55,7 @@ jobs:
contents: read
packages: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/download-rolldown-binaries
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -77,7 +77,7 @@ jobs:
- os: windows-latest
target: x86_64-pc-windows-msvc
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

# Disable Windows Defender real-time scanning to speed up I/O-heavy builds (~30-50% faster)
Expand Down Expand Up @@ -337,7 +337,7 @@ jobs:
name: npmx.dev

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone
with:
ecosystem-ci-project: ${{ matrix.project.name }}
5 changes: 3 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -36,6 +36,7 @@ jobs:
with:
fetch-depth: 0
fetch-tags: true
persist-credentials: false
- uses: ./.github/actions/set-snapshot-version
if: ${{ inputs.version == '' }}
id: computed
Expand Down Expand Up @@ -74,7 +75,7 @@ jobs:
- target: aarch64-pc-windows-msvc
os: windows-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
- uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16
Expand Down Expand Up @@ -188,7 +189,7 @@ jobs:
env:
VERSION: ${{ needs.prepare.outputs.version }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
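Review bot: The `persist-credentials: false` added to the first hunk's full-history checkout (`fetch-depth: 0`, `fetch-tags: true`) removes the token from `.git/config`, so any later step in that job that pushes a tag or version-bump commit via plain `git` will now fail; the rest of the job is outside the hunk, so verify none does, or give that step an explicit token. The other two hunks switch to `taiki-e/checkout-action` and deserve the same check, since release jobs are the ones most likely to write back to the repository. A comment on the checkout such as `# read-only: publishing steps must use an explicit token` would make the intent visible.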
24 changes: 24 additions & 0 deletions .github/workflows/security.yml
@@ -0,0 +1,24 @@
name: Security Analysis

on:
workflow_dispatch:
pull_request:
types: [opened, synchronize]
push:
branches:
- main
paths:
- ".github/workflows/**"

P2 Badge Run security analysis on main lockfile/security policy pushes

The new push trigger only matches .github/workflows/**, so direct pushes to main that change Cargo.lock or deny.toml will skip this workflow entirely. The removed deny.yml explicitly ran on those files for push events, so this introduces a coverage gap where dependency or deny-policy changes can land on main without any security check.



permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: ${{ github.ref_name != 'main' }}

jobs:
security:
name: Security Analysis
runs-on: ubuntu-slim
steps:
- uses: oxc-project/security-action@4211cd3f56ba742507263ea4a999f3be4165a53c # v1.0.1

P1 Badge Restore rolldown checkout before running cargo-deny

This replacement removes the explicit rolldown/rolldown checkout that deny.yml performed before running cargo deny check, but the workspace still defines many path dependencies under ./rolldown/crates/* in Cargo.toml. The pinned oxc-project/security-action only checks out the current repo and then runs cargo deny check when Cargo.lock changes, so lockfile-update PRs can hit missing local path dependencies and fail the security job for infrastructure reasons rather than real advisories.



P2 Badge Keep cargo-deny coverage for deny.toml-only edits

The new workflow delegates to security-action, whose cargo-deny step is gated on steps.cargo_lock.outputs.changed == 'true' and that flag is computed by diffing only Cargo.lock; therefore PRs that change deny.toml but not the lockfile skip cargo-deny entirely. The removed deny.yml explicitly ran on deny.toml changes, so this commit introduces a regression where policy/config updates can merge without any deny validation.



P1 Badge Enforce this repo's deny.toml when running cargo-deny

This step delegates entirely to oxc-project/security-action, whose pinned action.yml runs cargo deny with the action’s bundled config (${{ github.action_path }}/deny.toml) instead of this repository’s root deny.toml. That means the project-specific advisory ignores and policy rules are no longer what the CI check enforces, which is a regression from the previous workflow’s cargo deny check behavior.
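Review bot: The `security` job declares no `permissions:` of its own, so under the workflow-level `permissions: {}` the `GITHUB_TOKEN` handed to `oxc-project/security-action` has no scopes at all; if the action checks out the repository with that token or reports results, grant the minimum it needs explicitly on the job, `permissions:` / `contents: read`, rather than relying on token-less access to a public repository. The job also sets no `timeout-minutes`, which a scanning job that may query remote advisory databases should have so a hung fetch cannot occupy a runner indefinitely. The `workflow_dispatch` and `pull_request` triggers carry no `paths` filter, so the job will run on every PR; that is acceptable for a cheap check but worth stating in a comment above `on:`.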


24 changes: 11 additions & 13 deletions .github/workflows/test-standalone-install.yml
Expand Up @@ -40,7 +40,7 @@ jobs:
- os: macos-latest
name: macOS ARM64
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Run install.sh
run: cat packages/cli/install.sh | bash
Expand Down Expand Up @@ -122,7 +122,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Make shell config files read-only
run: |
Expand Down Expand Up @@ -157,7 +157,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
Expand Down Expand Up @@ -221,7 +221,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Run install.sh in Alpine container
run: |
Expand Down Expand Up @@ -274,7 +274,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
Expand Down Expand Up @@ -333,7 +333,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Assert PowerShell 5.x
shell: powershell
Expand Down Expand Up @@ -415,7 +415,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Run install.ps1
shell: pwsh
Expand Down Expand Up @@ -482,7 +482,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Install PowerShell 7.6
shell: pwsh
Expand Down Expand Up @@ -562,9 +562,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Verify minimumReleaseAge blocks non-interactive install
shell: powershell
Expand Down Expand Up @@ -642,7 +640,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- name: Run install.ps1
shell: pwsh
Expand Down Expand Up @@ -795,7 +793,7 @@ jobs:
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Setup Dev Drive
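Review bot: The hunk at `@@ -562,9 +562,7 @@` drops the explicit `persist-credentials: false` together with the `actions/checkout` step, so that job's credential hygiene now rests on `taiki-e/checkout-action` not writing a token into the checkout, and nothing in the file says so. If the new action is known to behave that way, record it once at the top of the job (`# checkout-action performs a plain clone and leaves no token in .git/config`); if it is not guaranteed, keep an explicit step that removes the credential before the install scripts run. Every other hunk in this file is the same one-line action swap.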
8 changes: 4 additions & 4 deletions .github/workflows/test-vp-create.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
outputs:
related-files-changed: ${{ steps.filter.outputs.related-files }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: filter
with:
Expand All @@ -55,7 +55,7 @@ jobs:
contents: read
packages: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/download-rolldown-binaries
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -69,7 +69,7 @@ jobs:
needs:
- download-previous-rolldown-binaries
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- uses: oxc-project/setup-rust@23f38cfb0c04af97a055f76acee94d5be71c7c82 # v1.0.16
Expand Down Expand Up @@ -145,7 +145,7 @@ jobs:
# vite-plus dep gets overridden with the local tgz
VP_FORCE_MIGRATE: '1'
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2

- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
2 changes: 1 addition & 1 deletion .github/workflows/upgrade-deps.yml
Expand Up @@ -17,7 +17,7 @@ jobs:
actions: read
id-token: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
- uses: ./.github/actions/clone

- name: Set up metadata directory
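Review bot: This job holds `id-token: write` and, by its name, writes changes back, yet its checkout is now `taiki-e/checkout-action` with no inputs; the steps that commit or open a pull request are outside the hunk, so confirm they authenticate with an explicit token rather than with credentials left behind by the checkout step, which this action may not provide. If they already do, a comment on the checkout line, `# no token persisted here; the push step supplies its own`, documents the contract.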