
fix(release): pin npm publish checkout to release ref#21

Closed
BunsDev wants to merge 1 commit into main from codex/fix-npm-publish-workflow-to-use-release-commit


Conversation

@BunsDev
Member

@BunsDev BunsDev commented Jun 1, 2026

Motivation

  • Remediate a release provenance vulnerability where the Release workflow dispatched npm-publish.yml on the mutable main ref, allowing npm artifacts to be built from a different commit than the GitHub Release and exposing downstream consumers to supply-chain risks.

Description

  • Dispatch now uses the immutable release tag and passes the release commit SHA to the npm workflow, and npm-publish.yml gained an optional release_sha input and pins the actions/checkout ref to ${{ inputs.release_sha || inputs.version }} for manual dispatches.

Testing

  • Verified workflow provenance and syntax with a Python check for the ref changes, parsed both YAMLs with ruby -e 'require "yaml"; ...', and ran git diff --check; all checks passed.

Codex Task

Copilot AI review requested due to automatic review settings June 1, 2026 05:21

Copilot AI left a comment


Pull request overview

This PR hardens the release → npm publish workflow handoff to ensure npm artifacts are built from the same commit as the GitHub Release, reducing supply-chain/provenance risk from publishing off a mutable ref.

Changes:

  • Update release.yml to dispatch npm-publish.yml using the release tag ref (instead of main) and pass the release commit SHA.
  • Add an optional release_sha input to npm-publish.yml and pin actions/checkout to ${{ inputs.release_sha || inputs.version }} for manual dispatches.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File                               | Description
.github/workflows/release.yml      | Dispatch npm-publish.yml from the release ref and pass release_sha for commit pinning.
.github/workflows/npm-publish.yml  | Add release_sha input and use it to pin checkout for workflow_dispatch runs.


--repo "${{ github.repository }}" \
--ref main \
-f version="${{ inputs.version }}"
--ref "${{ inputs.version }}" \
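Review bot: `--ref "${{ inputs.version }}"` interpolates a workflow_dispatch input straight into the shell `run:` script, so the value is substituted before the shell ever sees the surrounding quotes; bind it through `env:` (for example `VERSION: ${{ inputs.version }}`, then `--ref "$VERSION"`) and reject anything that does not match the expected tag pattern before dispatching. Note also that a tag name is only as immutable as the repository's tag protection, and the dispatched workflow resolves that name again at checkout time; the release commit SHA the description says is forwarded is the value that should be pinned, and the `-f release_sha=` field is not among the lines shown here.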
with:
ref: ${{ inputs.release_sha || inputs.version }}
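Review bot: `ref: ${{ inputs.release_sha || inputs.version }}` leaves the published commit caller-controlled on manual dispatch: anyone allowed to trigger the workflow can supply an arbitrary `release_sha`, and when it is omitted the bare `inputs.version` fallback checks out whatever that ref resolves to at run time rather than the commit the GitHub Release was cut from. Add a verification step after checkout that fails the run unless `git rev-parse HEAD` equals the commit the Release's tag points to, and require `release_sha`, when given, to be a full 40-hex SHA rather than any ref expression.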
@BunsDev
Member Author

BunsDev commented Jun 2, 2026

Closing this in favor of #24.

#24 covers the same release/source provenance risk with stricter checks: manual publishes are gated to main, dispatch input is validated through env-safe handling, checkout is pinned to the explicit release tag ref, and the workflow verifies the GitHub Release, tag commit, checked-out HEAD, and Cargo version before publishing.

This PR still leaves a caller-controlled release_sha path and bare ref fallback in the manual workflow path, so keeping #24 as the canonical fix is safer.

@BunsDev BunsDev closed this Jun 2, 2026
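As an added example, not code from this PR or from #24: a POSIX shell pre-publish gate implementing the checks the closing comment attributes to #24 (release tag format, GitHub Release commit equal to the tag commit equal to the checked-out HEAD, Cargo.toml version equal to the tag), with every value bound through env and passed as an argument instead of being interpolated from a ${{ }} expression. The argument order, the vMAJOR.MINOR.PATCH tag pattern and the way the Release commit is fetched are assumptions.

```shell
#!/bin/sh
# Pre-publish provenance gate: a pure check over values the workflow has already
# fetched, so it runs offline. In the workflow, bind each input through `env:`
# and pass it as an argument; never interpolate ${{ }} expressions into the script.
# Hypothetical argument sources (assumptions, not this repository's workflow):
#   TAG            workflow_dispatch version input, e.g. v1.2.3
#   RELEASE_COMMIT commit the GitHub Release's tag resolves to, read via the GitHub API
#   TAG_COMMIT     git rev-parse "refs/tags/$TAG^{}"
#   HEAD_COMMIT    git rev-parse HEAD   (after actions/checkout)
#   CARGO_TOML     contents of Cargo.toml in the checkout
set -eu

# Only a strict vMAJOR.MINOR.PATCH tag is accepted; branch names such as `main` are refused.
is_release_tag() { printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; }

# Full 40-hex SHA only: abbreviated ids and ref names are rejected.
is_full_sha() { printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'; }

# Print the `version` from the [package] table of a Cargo.toml body given on stdin.
cargo_version() {
  awk -F'"' '/^\[/ { in_pkg = ($0 == "[package]") }
             in_pkg && /^version[ \t]*=/ { print $2; exit }'
}

# verify_release_pin TAG RELEASE_COMMIT TAG_COMMIT HEAD_COMMIT CARGO_TOML
# Returns 0 only when every identity check agrees; prints the first failure to stderr.
verify_release_pin() {
  tag=$1; rel=$2; tagc=$3; headc=$4; toml=$5
  is_release_tag "$tag" \
    || { echo "refusing: '$tag' is not a release tag" >&2; return 1; }
  is_full_sha "$rel" && is_full_sha "$tagc" && is_full_sha "$headc" \
    || { echo "refusing: commit ids must be full 40-hex SHAs" >&2; return 1; }
  [ "$rel" = "$tagc" ] \
    || { echo "refusing: Release points at $rel but tag $tag is at $tagc" >&2; return 1; }
  [ "$tagc" = "$headc" ] \
    || { echo "refusing: checked-out HEAD $headc differs from tag commit $tagc" >&2; return 1; }
  crate=$(printf '%s\n' "$toml" | cargo_version)
  [ "v$crate" = "$tag" ] \
    || { echo "refusing: Cargo.toml version '$crate' does not match tag $tag" >&2; return 1; }
  echo "ok: publishing $tag from $headc"
}
```

A workflow step would call verify_release_pin "$TAG" "$RELEASE_COMMIT" "$TAG_COMMIT" "$(git rev-parse HEAD)" "$(cat Cargo.toml)" and let the non-zero exit stop the publish job.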