mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-05-14 00:23:04 +08:00
cbecf5689d
Add a repo-level supply-chain incident response playbook for npm/GitHub Actions package-registry incidents, anchored on the May 2026 TanStack compromise and prior Shai-Hulud-style npm incidents. - add `docs/security/supply-chain-incident-response.md` with exposure checks, immediate response steps, workflow rules, publication rules, and escalation triggers - link the playbook from `SECURITY.md` - reject `pull_request_target` workflows that restore or save shared dependency caches - add a regression test for the new `pull_request_target + actions/cache` guardrail Validation: - node tests/ci/validate-workflow-security.test.js (12 passed, 0 failed) - node scripts/ci/validate-workflow-security.js (validated 7 workflow files) - npx markdownlint-cli 'SECURITY.md' 'docs/security/supply-chain-incident-response.md' - npx markdownlint-cli '**/*.md' --ignore node_modules - git diff --check - node tests/run-all.js (2377 passed, 0 failed) - GitHub CI for #1848 green across Ubuntu, Windows, and macOS No release, tag, npm publish, plugin tag, marketplace submission, or announcement was performed.