Skip to content

ci: SHA-pin GitHub Actions + assert lockfile version in verify-versions.mjs #163

Description

@dean0x

Deferred (pre-existing) finding from the PR #161 code review — not introduced by #161. Two supply-chain / drift-hardening items surfaced by the dependencies reviewer. (The related WASM-toolchain-pin item is already tracked in #128 — see below.)

(a) SHA-pin GitHub Actions

CI workflows reference actions by floating major tags (@v6, @v5, @v2, @stable) rather than pinned commit SHAs — standard supply-chain exposure. Pin third-party actions to commit SHAs.

(b) Assert lockfile version in the version gate

scripts/verify-versions.mjs does not assert the package-lock.json version. This is why a 0.2.0 lockfile drift reached main unnoticed (repaired in #161). Add a lockfile-version assertion to the gate so a stale lockfile fails fast.

Related (tracked elsewhere — not duplicated here)

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filegithub_actionsPull requests that update GitHub Actions codetech-debtTechnical debt

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions