From 4cb78fbd3f4423b9bd79121a73d08267868cdbd0 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 10 Jul 2026 13:20:43 +0530 Subject: [PATCH 1/5] change release version in package.json --- .github/workflows/scan-github-action.yml | 30 ++++++++++++++++++++++++ package.json | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/scan-github-action.yml diff --git a/.github/workflows/scan-github-action.yml b/.github/workflows/scan-github-action.yml new file mode 100644 index 0000000..e41d5bb --- /dev/null +++ b/.github/workflows/scan-github-action.yml @@ -0,0 +1,30 @@ +name: Scan for GitHub Actions issues + +on: + pull_request: + +concurrency: + group: ${{ github.workflow }}-${{ github.repository }}-${{ github.ref }} + +permissions: {} + +jobs: + zizmor: + name: Scan repository contents + runs-on: cx-private-ubuntu-x64 + permissions: + contents: read + steps: + - name: Check out repository + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + with: + persist-credentials: false + + - name: Run Zizmor linter + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false + annotations: false + persona: pedantic + fail-on-no-inputs: false + online-audits: false \ No newline at end of file diff --git a/package.json b/package.json index 3e95b18..027d1e0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@Checkmarx/ast-cli-javascript-wrapper", - "version": "0.0.158", + "version": "0.0.159", "description": "AST CLI Javascript wrapper", "main": "dist/main/wrapper/CxWrapper.js", "typings": "dist/main/wrapper/CxWrapper.d.ts", From d9bd28f1cec8bbb736fd8507c034a61819666400 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 10 Jul 2026 13:35:46 +0530 Subject: [PATCH 2/5] Fix: Remove registry-url from setup-node to resolve NODE_AUTH_TOKEN conflicts - Removed registry-url parameter from setup-node action in ci.yml and release.yml - Registry configuration now handled exclusively by .npmrc file - Auth tokens configured via npm config commands with ECHO_LIBRARIES_ACCESS_KEY - Eliminates NODE_AUTH_TOKEN environment variable creation and logging - Fixes 403 Forbidden errors during npm ci with Echo registry - Maintains dual-registry support: Echo for dependencies, GitHub for publishing Changes: - .github/workflows/ci.yml: Removed registry-url from setup-node - .github/workflows/release.yml: Removed registry-url from setup-node This ensures proper authentication with Echo (npm.echohq.com) registry while avoiding conflicts with GitHub Actions' automatic NODE_AUTH_TOKEN creation. Co-Authored-By: Claude Haiku 4.5 --- .github/workflows/ci.yml | 1 - .github/workflows/release.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 39bb705..adff7f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,6 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.11.0 - registry-url: https://npm.echohq.com/ - name: Configure echohq auth (both hosts) env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7792f44..2225e35 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,7 +99,6 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.11.0 - registry-url: https://npm.echohq.com/ # CONFIGURE ECHOHQ AUTH - name: Configure echohq auth (both hosts) From 3288b2c8eb19179890bba3a4e43c3bdd7a2ae5f4 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 10 Jul 2026 14:07:04 +0530 Subject: [PATCH 3/5] Fix echo registry auth via .npmrc env var interpolation, restore registry-url Root cause was npm config precedence: the project-level .npmrc (checked into the repo) always overrides user-level config, so its literal blank auth token lines were shadowing whatever the separate "npm config set" step wrote at the user level - regardless of registry-url on setup-node. - .npmrc now resolves tokens via ${ECHO_LIBRARIES_ACCESS_KEY} at read time instead of committing blank placeholders, so the project-level config itself carries valid auth. - Restored registry-url on setup-node in ci.yml/release.yml (safe now that .npmrc's interpolated values take precedence over it either way). - Removed the now-redundant "Configure echohq auth" npm config set steps. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 7 +------ .github/workflows/release.yml | 9 +-------- .npmrc | 4 ++-- 3 files changed, 4 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index adff7f0..ac27704 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,12 +34,7 @@ jobs: uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.11.0 - - name: Configure echohq auth (both hosts) - env: - ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - run: | - npm config set //npm.echohq.com/:_authToken "${ECHO_LIBRARIES_ACCESS_KEY}" - npm config set //packages.echohq.com/:_authToken "${ECHO_LIBRARIES_ACCESS_KEY}" + registry-url: https://npm.echohq.com/ - run: npm ci env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2225e35..0914663 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,14 +99,7 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 22.11.0 - - # CONFIGURE ECHOHQ AUTH - - name: Configure echohq auth (both hosts) - env: - ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - run: | - npm config set //npm.echohq.com/:_authToken "${ECHO_LIBRARIES_ACCESS_KEY}" - npm config set //packages.echohq.com/:_authToken "${ECHO_LIBRARIES_ACCESS_KEY}" + registry-url: https://npm.echohq.com/ # CONFIGURE GITHUB PACKAGES AUTH FOR PUBLISH - name: Configure GitHub Packages auth diff --git a/.npmrc b/.npmrc index 3280741..7799f5c 100644 --- a/.npmrc +++ b/.npmrc @@ -1,6 +1,6 @@ # Default registry for most packages registry=https://npm.echohq.com/ -//npm.echohq.com/:_authToken= -//packages.echohq.com/:_authToken= +//npm.echohq.com/:_authToken=${ECHO_LIBRARIES_ACCESS_KEY} +//packages.echohq.com/:_authToken=${ECHO_LIBRARIES_ACCESS_KEY} always-auth=true ignore-scripts=true \ No newline at end of file From eac190083f103fea1396d7d0d439b7257b76bdfb Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 10 Jul 2026 14:20:34 +0530 Subject: [PATCH 4/5] Temporarily increase npm ci verbosity to prove echo registry usage in logs Diagnostic-only change to show explicit HTTP fetch URLs in CI output. Will be reverted once confirmed. Co-Authored-By: Claude Sonnet 5 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ac27704..b6b437f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: with: node-version: 22.11.0 registry-url: https://npm.echohq.com/ - - run: npm ci + - run: npm ci --loglevel=http env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - name: Code Linting From 35c586a69b7d2d0315b9971af038763f2c7d55d4 Mon Sep 17 00:00:00 2001 From: atishj99 Date: Fri, 10 Jul 2026 14:33:03 +0530 Subject: [PATCH 5/5] Remove npm ci --loglevel flag and bump version --- .github/workflows/ci.yml | 2 +- package-lock.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b6b437f..ac27704 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,7 @@ jobs: with: node-version: 22.11.0 registry-url: https://npm.echohq.com/ - - run: npm ci --loglevel=http + - run: npm ci env: ECHO_LIBRARIES_ACCESS_KEY: ${{ secrets.ECHO_LIBRARIES_ACCESS_KEY }} - name: Code Linting diff --git a/package-lock.json b/package-lock.json index e847573..aaa1770 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@Checkmarx/ast-cli-javascript-wrapper", - "version": "0.0.158", + "version": "0.0.159", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@Checkmarx/ast-cli-javascript-wrapper", - "version": "0.0.158", + "version": "0.0.159", "license": "ISC", "dependencies": { "log4js": "^6.9.1"