ci: require npm audit signature checks

Require npm registry signature verification wherever workflow npm audit checks run.

- add npm audit signatures to CI Security Scan and maintenance security audit jobs
- teach the workflow security validator to reject npm audit without signature verification
- keep the repair and Copilot prompt tests portable across Windows path/case and CRLF frontmatter behavior

Validation:
- node tests/run-all.js (2376 passed, 0 failed)
- CI current-head matrix green on #1846
Affaan Mustafa
2026-05-12 23:48:56 -04:00
committed by GitHub
parent 766f4ee1d8
commit 797f283036
6 changed files with 44 additions and 3 deletions


@@ -26,6 +26,8 @@ const RULES = [
const WRITE_PERMISSION_PATTERN = /^\s*(?:contents|issues|pull-requests|actions|checks|deployments|discussions|id-token|packages|pages|repository-projects|security-events|statuses):\s*write\b/m;
const NPM_CI_PATTERN = /\bnpm\s+ci\b(?![^\n]*--ignore-scripts)/g;
const NPM_AUDIT_PATTERN = /\bnpm\s+audit\b(?!\s+signatures\b)/;
const NPM_AUDIT_SIGNATURES_PATTERN = /\bnpm\s+audit\s+signatures\b/;
const ACTIONS_CACHE_PATTERN = /uses:\s*['"]?actions\/cache@/m;
const ID_TOKEN_WRITE_PATTERN = /^\s*id-token:\s*write\b/m;
@@ -127,6 +129,16 @@ function findViolations(filePath, source) {
});
}
if (NPM_AUDIT_PATTERN.test(source) && !NPM_AUDIT_SIGNATURES_PATTERN.test(source)) {
violations.push({
filePath,
event: 'npm audit signatures',
description: 'workflows that run npm audit must also verify registry signatures',
expression: 'npm audit without npm audit signatures',
line: getLineNumber(source, source.search(NPM_AUDIT_PATTERN)),
});
}
return violations;
}
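Review bot: The new check at the top of the second hunk is file-wide, so one `npm audit signatures` anywhere in the workflow satisfies it for every `npm audit` in the file, and a YAML comment such as `# TODO: npm audit signatures` silences it entirely while a commented-out `# npm audit` raises a false violation. A crude comment strip before matching, e.g. `const code = source.replace(/#[^\n]*/g, '');` with both patterns tested against `code`, closes the comment bypass (at the cost of also stripping `#` inside quoted strings, which this regex-based validator already tolerates elsewhere); pairing the two patterns per `run:` block rather than per file would enforce the "wherever npm audit runs" intent from the commit message, though that needs step splitting this validator does not appear to have. It is also worth a comment on the rule that `npm audit signatures` verifies the packages already installed in node_modules, so the step must follow `npm ci` to mean anything, and this rule does not check that ordering. findViolations begins before the hunk; only its tail is shown here.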