ci: use npm ci for reproducible installs and test the declared Node range#19
Open
dmchaledev wants to merge 1 commit into
Conversation
…ange

The workflows installed dependencies with `npm install --include=dev`, which ignores the committed package-lock.json and can resolve newer transitive versions than the locked tree. For a supply-chain-security tool this is especially significant in publish.yml: the package is published with `--provenance` but was built from an unpinned dependency tree, weakening the reproducibility that provenance is meant to attest.

Switch all three workflows to `npm ci`, which installs the exact locked tree and fails on lockfile drift.

Also run CI across Node 18, 20 and 22 to actually cover the `engines.node: ">=18"` range declared in package.json (previously only Node 20 was exercised, so nothing verified the supported minimum or current LTS), and add an explicit type-check step to the PR gate for a clearer failure signal.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018iftJL9x2Bjx7T9q2o5Bd6
Problem

All three GitHub Actions workflows install dependencies with `npm install --include=dev`, which ignores the committed `package-lock.json` and is free to resolve newer transitive versions than the locked, reviewed tree.

For a tool whose keywords are `supply-chain-security`, this is most consequential in `publish.yml`: the package is published to npm with `--provenance`, but it is built from an unpinned dependency tree. Provenance attests how/where an artifact was built — building it from non-reproducible inputs weakens exactly the guarantee the flag is there to provide. `npm ci` installs the exact locked tree and fails fast if `package.json` and the lockfile have drifted.

Two secondary gaps:

- `package.json` declares `engines.node: ">=18"`. Nothing verifies the package actually works on its supported minimum (18) or current LTS (22) — a regression that breaks Node 18 would ship undetected.
- The PR gate (`ci.yml`) has no dedicated type-check step (the auto-tag workflow already runs one), so a type error only surfaces inside the Build step.

Changes (workflow-only)

- `ci.yml` — `npm install --include=dev` → `npm ci`; run the job across a Node `[18, 20, 22]` matrix (`fail-fast: false`); add an explicit Type check (`npm run typecheck`) step.
- `publish.yml` — `npm install --include=dev` → `npm ci` so the published artifact is built from the locked tree.
- `auto-tag.yml` — `npm install --include=dev` → `npm ci`; switch `npx tsc --noEmit` → `npm run typecheck` for parity with the other workflows.

`npm ci` already installs `devDependencies` by default, so `--include=dev` is not needed.

Verification

Locally on the committed lockfile:

- `npm ci` — installs cleanly (lockfile is in sync; no drift)
- `npm run typecheck` — clean
- `npm run lint` — clean
- `npm test` — 29 passed
- `npm run build` — clean

No source or test changes, so this does not touch — and won't conflict with — the open `src/` PRs (#5, #8, #10, #12, #18) or the README docs PRs.

🤖 Generated with Claude Code
https://claude.ai/code/session_018iftJL9x2Bjx7T9q2o5Bd6
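For readers who want to see what the described `ci.yml` shape looks like in full, the workflow below is an added illustration written for this page; it is not the PR's diff and not the project's actual file. It assumes the npm script names the description mentions (`typecheck`, `lint`, `build`) and the current major versions of `actions/checkout` and `actions/setup-node`; the `name`, trigger block and `permissions` block are also assumptions.

```yaml
# Illustrative ci.yml (added example, not the PR's own file).
# Assumes npm scripts named typecheck, lint and build exist in package.json,
# and actions/checkout@v4 / actions/setup-node@v4 (assumed versions).
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Read-only token: none of these steps need to write to the repository.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false        # a failure on one Node version must not hide results for the others
      matrix:
        # Covers the declared engines.node ">=18": supported minimum, previous LTS, current LTS.
        node: [18, 20, 22]
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
          cache: npm          # cache key is derived from package-lock.json, so it tracks the locked tree

      # Before: `npm install --include=dev`, which re-resolves the tree and may rewrite the lockfile.
      # After: `npm ci`, which installs exactly what package-lock.json pins, refuses to run when
      # package.json and the lockfile disagree, and installs devDependencies by default.
      - run: npm ci

      # Dedicated step so a type error is reported as "Type check" rather than surfacing inside Build.
      - name: Type check
        run: npm run typecheck

      - name: Lint
        run: npm run lint

      - name: Test
        run: npm test

      - name: Build
        run: npm run build
```

The same `npm ci` step belongs immediately before `npm publish --provenance` in the publish workflow, so the artifact whose build is attested is the one assembled from the locked tree. Note that publishing with `--provenance` from GitHub Actions also requires the job to have the `id-token: write` permission, since npm obtains the attestation's identity through OIDC.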