feat: pin actions and publish-watch tripwire (TanStack postmortem) #34
- Pin every external action to a SHA + version comment in the reusable workflows (_publish, _release, _checks, _deploy-site, publish-tag, review, doctor) and in the new publish-watch
- `helpers:pinGitHubActionDigests` in renovate.json so that new actions added by consumers already enter pinned
- publish-watch.yml: 15-minute cron comparing `npm view <pkg> version` against the local git tags; opens a `security`/`publish-watch` issue when the published version has no corresponding tag. Tripwire for publication outside the flow (compromised workflow, leaked token, manual republish)
- `precisa sync` now reminds about the manual step of creating the npm-publish environment (with required reviewer) and about the new publish-watch cron

Sync needed in fhir-brasil, datasus-brasil, medbench-brasil after this package's release (semantic-release publishes the CLI on merge).

Motivation: TanStack postmortem (2026-05-11). Although the attack's entry point (pull_request_target + cache poisoning + OIDC) does not exist here, the postmortem highlighted floating action refs and the absence of a registry tripwire as independent supply-chain risks.
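The SHA-pin convention described above, as an added example that is not code from the PR or the project: a small linter over workflow text that flags floating `uses:` refs (the `@v[0-9]` grep from the verification list, generalized to branch refs as well) and SHA pins that lack the version comment Renovate's `helpers:pinGitHubActionDigests` reads. The sample workflow, its all-zero and all-one placeholder SHAs and the `some-org/tool` action are constructed.

```javascript
// Added example (not code from the PR or the project): a lint for `uses:`
// references in GitHub Actions workflow text. A ref passes only when it is a
// full 40-hex commit SHA followed by a `# vX.Y.Z` comment, the format
// Renovate's helpers:pinGitHubActionDigests reads to bump the digest later.

// Matches "- uses: owner/repo@ref  # v1.2.3" (list dash and quotes optional).
const USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(.*))?$/;
const FULL_SHA_RE = /^[0-9a-f]{40}$/;
const VERSION_COMMENT_RE = /^v?\d+(?:\.\d+)*/;

// Classify one line. Returns null when the line is not a `uses:` reference.
function classifyUses(line) {
  const m = USES_RE.exec(line);
  if (!m) return null;
  const target = m[1];
  const comment = (m[2] || "").trim();

  // Local actions and docker images are outside the SHA-pin policy.
  if (target.startsWith("./") || target.startsWith("docker://")) {
    return { action: target, ref: null, status: "skip" };
  }
  const at = target.lastIndexOf("@");
  if (at === -1) return { action: target, ref: null, status: "missing-ref" };
  const action = target.slice(0, at);
  const ref = target.slice(at + 1);

  // Tags (v6, v6.0.0) and branches (main) are mutable refs: both float.
  if (!FULL_SHA_RE.test(ref)) return { action, ref, status: "floating" };
  // A bare SHA is immutable but unmanaged: Renovate needs the version comment.
  if (!VERSION_COMMENT_RE.test(comment)) {
    return { action, ref, status: "pinned-no-version-comment" };
  }
  return { action, ref, status: "ok" };
}

// Scan a whole workflow and return the lines that violate the policy (1-based).
function lintWorkflow(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const r = classifyUses(line);
    if (r && r.status !== "ok" && r.status !== "skip") {
      findings.push({ line: i + 1, ...r });
    }
  });
  return findings;
}

// Constructed sample workflow; the 40-hex SHAs are placeholders, not real commits.
const SAMPLE_WORKFLOW = `name: checks
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6.0.0
      - uses: pnpm/action-setup@v5
      - uses: actions/setup-node@1111111111111111111111111111111111111111
      - uses: ./.github/actions/local-thing
      - uses: some-org/tool@main
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of lintWorkflow(SAMPLE_WORKFLOW)) {
    console.log(`line ${f.line}: ${f.action}@${f.ref} -> ${f.status}`);
  }
}
```

Run against the sample it reports the `pnpm/action-setup@v5` tag and the `some-org/tool@main` branch as floating and the bare `actions/setup-node` SHA as missing its version comment; the fully pinned `actions/checkout` line and the local action pass. Treating a bare SHA as a finding is deliberate: without the comment, Renovate cannot tell which version the digest corresponds to, so the pin would never be refreshed.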
Automated Review — Round 1

Summary

The PR introduces a new workflow for publishing watch and modifies multiple GitHub workflows and scripts for improved notifications and environment dependency checks. However, there are several issues related to potential performance drawbacks and security concerns with hardcoding action versions.

🔍 Found 6 suggestions (see inline comments)
Reviewed by OpenAI gpt-4o-mini (fallback) | 7,207 in / 385 out | $0.0013 — Round 1 of 2
@@ -55,9 +58,60 @@ export async function runSync(opts: SyncOptions): Promise<void> {
),
The method readFileSync is called multiple times on the same file, which results in unnecessary I/O operations. Consider storing the file contents in a variable to improve performance.
@@ -18,9 +18,9 @@ jobs:
runs-on: ubuntu-latest
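Review bot: only the `runs-on: ubuntu-latest` context line is visible in this hunk, so the changed `uses:` lines cannot be checked here; per the PR description each pinned action should carry a full commit SHA plus a `# vX.Y.Z` comment, because that comment is what `helpers:pinGitHubActionDigests` in renovate.json uses to keep the digest updated. Verify each `uses:` line in the hunk has both. A pinned SHA going stale is handled by that Renovate rule, not by reverting to a mutable tag, which can be moved to point at different code.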
Dependencies on specific SHA commits for actions (e.g., actions/checkout) can lead to potential security issues if those commits become vulnerable or deprecated. Instead, consider using tagged versions to ensure stability while allowing updates.
@@ -33,7 +33,7 @@ jobs:
steps:
Similar to previous comments, hardcoding specific commit hashes for actions introduces risks. It’s better to rely on specific version tags for the respective GitHub actions for better security.
@@ -41,13 +41,13 @@ jobs:
contents: read
As previously noted, using fixed SHAs for actions can be insecure. Change to version tags.
@@ -44,7 +44,7 @@ jobs:
- name: Check for package changes across pushed commits
The same issue with fixed commit hashes applies here. It's recommended to work with stable action version tags instead.
@@ -30,11 +30,11 @@ jobs:
should_run: ${{ steps.check.outputs.should_run }}
Hardcoding commit hashes for actions creates security vulnerabilities; it's preferable to use stable versions.
## [1.10.0](v1.9.0...v1.10.0) (2026-05-14)

### Features

* pin actions and publish-watch tripwire (TanStack postmortem) ([#34](#34)) ([4bcd453](4bcd453))
Summary

Hardening of the workflow templates after the TanStack postmortem (2026-05-11). The attack's entry point (`pull_request_target` + cache poisoning + OIDC extraction) does not exist here, but two independent lessons from the postmortem apply:

- `actions/checkout@v6`, `pnpm/action-setup@v5`, etc. now point to an immutable SHA + version comment (format supported by Renovate).
- `publish-watch.yml` runs on a 15-minute cron, compares `npm view <pkg> version` against the local git tags and opens a `security`/`publish-watch` issue when there is a divergence.

Changes

- All external actions pinned to SHA + version comment in the reusable workflows (`_publish`, `_release`, `_checks`, `_deploy-site`, `publish-tag`, `review`, `doctor`) + in the new `publish-watch`. Covers `actions/*`, `pnpm/action-setup`, `actions/create-github-app-token`, `cloudflare/wrangler-action`, `slackapi/slack-github-action`.
- `renovate.json`: preset `helpers:pinGitHubActionDigests` + rule `pinDigests: true` in the `github-actions` group; new actions added by consumers already enter pinned.
- `publish-watch.yml` (new): cron `*/15 * * * *`, reads the workspace's public packages via `pnpm m ls --json`, validates that each `<pkg>@<latestNpm>` exists as a local tag (format `<name>@<ver>` or `v<ver>`). Messages in pt-BR. Does not enumerate threat categories.
- `templates.manifest.yml`: registers `publish-watch.yml` with `required_when: publishes_to_npm`.
- `precisa sync`: prints a post-sync reminder about creating the `npm-publish` environment with a required reviewer (manual step in the GitHub UI that the CLI cannot automate) and about the new publish-watch cron.

Items outside this PR

- Replacing `setup-node` with `actions/cache@<sha>` keyed by `github.event_name`, for a low defense-in-depth gain given that we have no `pull_request_target`. Separate PR if worthwhile.
- `precisa sync` after the merge + publish of this CLI. Will be done in sequence.

Verification

- `pnpm format:check`, `pnpm turbo run lint typecheck test` passed locally
- `@v[0-9]` in external actions (grep)
- `npm-publish` in Settings → Environments with a required reviewer (already present in consumers; check after sync)
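The publish-watch comparison, as an added example that is not the PR's workflow: the tag lookup written as plain functions over constructed stand-ins for `pnpm m ls --json`, `npm view <pkg> version` and `git tag --list` output, so it runs offline. The `@example/*` packages, versions and tags are made up, and the `name`/`version`/`private` field names in the pnpm JSON are an assumption about pnpm's output shape.

```javascript
// Added example (not the PR's publish-watch.yml): the comparison the tripwire
// performs, as pure functions over command output. In the workflow the inputs
// come from `pnpm m ls --json`, `npm view <pkg> version` and `git tag --list`;
// here they are constructed literals.

// Constructed stand-in for `pnpm m ls --json`; the name/version/private
// fields are assumed to match pnpm's output shape.
const PNPM_LS_JSON = JSON.stringify([
  { name: "@example/cli", version: "1.10.0", path: "/ws/packages/cli", private: false },
  { name: "@example/internal-tools", version: "0.3.0", path: "/ws/packages/tools", private: true },
  { name: "@example/sdk", version: "2.4.1", path: "/ws/packages/sdk", private: false },
]);

// Constructed stand-in for `npm view <pkg> version`, keyed by package name.
// A missing entry models a package that has never been published.
const NPM_VIEW = {
  "@example/cli": "1.10.0",
  "@example/sdk": "2.5.0", // on the registry, but no release in this repo tagged it
};

// Constructed stand-in for `git tag --list` (one tag per line).
const GIT_TAGS = `v1.9.0
@example/cli@1.10.0
@example/sdk@2.4.1
`;

const ISSUE_LABELS = ["security", "publish-watch"];

// Names of the workspace packages that are actually published.
function publicPackages(lsJson) {
  return JSON.parse(lsJson)
    .filter((p) => p.name && !p.private)
    .map((p) => p.name);
}

function tagSet(gitTagOutput) {
  return new Set(gitTagOutput.split("\n").map((t) => t.trim()).filter(Boolean));
}

// Tag formats the PR accepts: `<name>@<ver>` or `v<ver>`.
function hasReleaseTag(tags, name, version) {
  return tags.has(`${name}@${version}`) || tags.has(`v${version}`);
}

// The tripwire proper: every version the registry currently serves must map to
// a release tag in this repository. Anything else was published outside the flow.
function findUntaggedPublishes(lsJson, npmView, gitTagOutput) {
  const tags = tagSet(gitTagOutput);
  const findings = [];
  for (const name of publicPackages(lsJson)) {
    const published = (npmView[name] || "").trim();
    if (!published) continue; // never published: nothing to compare against
    if (!hasReleaseTag(tags, name, published)) findings.push({ name, published });
  }
  return findings;
}

// Body for the issue the workflow would open when findings are non-empty.
function issueBody(findings) {
  const lines = findings.map(
    (f) => `- ${f.name}@${f.published} is on npm but has no tag ${f.name}@${f.published} or v${f.published}`
  );
  return ["Published version without a matching git tag:", ...lines].join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  const found = findUntaggedPublishes(PNPM_LS_JSON, NPM_VIEW, GIT_TAGS);
  if (found.length) console.log(`labels: ${ISSUE_LABELS.join(", ")}\n${issueBody(found)}`);
  else console.log("publish-watch: every published version has a release tag");
}
```

On the constructed data `@example/cli@1.10.0` is tagged and passes, while `@example/sdk` is served at 2.5.0 with only a 2.4.1 tag in the repository, which is exactly the out-of-flow publication the tripwire exists to surface. One caveat the accepted formats carry: in a workspace with several public packages, a bare `v<ver>` tag satisfies the check for any package at that version, so a release that tagged `v2.5.0` for one package would also mask an unexpected publish of another package at 2.5.0; the `<name>@<ver>` form does not have that ambiguity.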