chore: update bumpy to 1.17.0 + adopt split release workflow #837
Merged
- Split the release workflow into dedicated version-pr and publish jobs, each asserting its mode with 'ci release --expect-mode' and scoping permissions to what it needs.
- Pin bumpy to the version committed on main across release jobs.
- Move the PR release-plan check into its own pull_request_target workflow (bumpy-check.yaml) that runs a base-pinned bumpy with no install step, so it posts on fork PRs without executing PR code with write permissions.
Run bumpy from a trusted base checkout and read PR files as data only:
- check out base 'main' at the root (trusted bunfig.toml / lockfile)
- check out PR head isolated in ./pr, never executed
- run bunx from root with 'ci check --cwd ./pr'

Prevents a malicious fork's bunfig.toml/.npmrc/preload from hijacking package resolution and achieving code execution in the pull_request_target job (which holds a pull-requests:write token).
Resolve the pinned bumpy version straight into the bunx invocation instead of writing it to $GITHUB_ENV. The value comes from the trusted base package.json, but removing the env write eliminates the env-injection sink CodeQL flags for pull_request_target workflows.
Updates `@varlock/bumpy` and brings our CI in line with bumpy's current recommended setup.

Version bump
- Bumps `@varlock/bumpy` from `^1.10.2` to `^1.17.0`.
- Adds `@varlock/bumpy` to `minimumReleaseAgeExcludes` in `bunfig.toml` so a freshly-published release isn't blocked by the 1-day minimum-release-age check.

Split release workflow
- Splits `release.yaml` into dedicated `version-pr` and `publish` jobs. `plan` (read-only) computes the mode; each downstream job runs `bumpy ci release --expect-mode <mode>` so a mode mismatch fails loudly, and each is scoped to only the permissions it needs.
- Pins bumpy to the version committed on `main` across the release jobs.

Hardened PR check (`bumpy-check.yaml`)
- New `pull_request_target` workflow that posts the release-plan comment, including on fork PRs (a plain `pull_request` gives forks a read-only token, so the comment couldn't post before).
- Checks out the PR head into `./pr`, and runs `bunx … ci check --cwd ./pr` from the root. This stops a malicious fork's `bunfig.toml`/`.npmrc`/preload from hijacking package resolution and getting code execution in the elevated job.
- Removes the check from `test.yaml` and drops its now-unneeded `pull-requests: write`.

Note: `pull_request_target` workflows run from the base branch, so `bumpy-check.yaml` only takes effect once merged — expect no bumpy comment on this PR.
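The layout the PR description and the second commit message spell out (trusted base at the root, PR head isolated in `./pr`, a base-pinned bumpy run from the root with the version substituted inline rather than through `$GITHUB_ENV`) as a complete workflow. This is an added illustration, not the repository's actual `bumpy-check.yaml`; the exact `bunx` invocation, the `devDependencies` key the version is read from, the `GITHUB_TOKEN` environment variable and the `oven-sh/setup-bun` step are assumptions on my part, since the page elides them.

```yaml
# Illustrative bumpy-check.yaml (added example, not the project's file).
name: bumpy check

on:
  # pull_request_target runs the workflow from the base branch with a token that
  # can write to the PR, so nothing from the PR head may ever be executed here.
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege: posting the release-plan comment only needs these two scopes.
permissions:
  contents: read
  pull-requests: write

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # 1. Trusted base checkout at the repository root. Under pull_request_target the
      #    default ref is the base branch, so bunfig.toml, .npmrc, the lockfile and
      #    package.json all come from main, not from the fork.
      - uses: actions/checkout@v4

      # 2. PR head checked out into an isolated subdirectory and read as data only:
      #    no install step, and no command is run with ./pr as its working directory.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          persist-credentials: false

      # Assumption: bun is provisioned with the oven-sh/setup-bun action.
      - uses: oven-sh/setup-bun@v2

      # 3. Run a base-pinned bumpy from the root. The version is read from the trusted
      #    root package.json and substituted straight into the command line instead of
      #    being exported via $GITHUB_ENV, which removes the env-injection sink CodeQL
      #    flags for pull_request_target workflows. Assumption: bumpy is listed under
      #    devDependencies and reads GITHUB_TOKEN to post the comment.
      - name: Post release plan
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          version="$(jq -r '.devDependencies["@varlock/bumpy"]' package.json)"
          bunx "@varlock/bumpy@${version}" ci check --cwd ./pr
```

The weak shape this replaces is the obvious one: checking out `github.event.pull_request.head.sha` at the root and running `bun install` before the check. In that layout the fork controls `bunfig.toml`, `.npmrc` and any preload, so it controls which package `bunx` resolves and therefore what runs under the `pull-requests: write` token. Keeping the fork's files under `./pr` and only ever passing that path as a `--cwd` argument is what makes the job read them as data.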