Merged
2 changes: 0 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -35,8 +35,6 @@ jobs:

- name: Security Audit
run: npm audit --omit=dev --audit-level=moderate
# TODO: re-evaluate continue-on-error on Dec 18, 2025 or after js-yaml update
continue-on-error: true

- name: Install Dependencies
run: npm ci --prefer-offline
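Review bot: dropping `continue-on-error: true` from the Security Audit step means any advisory at `--audit-level=moderate` or above now fails CI, so the js-yaml advisory the removed TODO refers to must already be resolved in package-lock.json (the lock file changes in this PR are not rendered here), otherwise this hunk turns the pipeline red on merge. Also note this step runs `npm audit --omit=dev`, so dev-only advisories are not enforced in CI; if that is deliberate, it should match the audit invocation in release.yml.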
4 changes: 4 additions & 0 deletions .github/workflows/linter.yml
Expand Up @@ -8,6 +8,10 @@ on:
branches: [main]
workflow_dispatch:

permissions:
contents: read
statuses: write

# Prevent concurrent runs for the same PR/branch
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
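Review bot: the new workflow-level `permissions:` block with `contents: read` and `statuses: write` is the right least-privilege default for a lint job, since without it the `GITHUB_TOKEN` falls back to the repository default, which may be the permissive legacy setting. Confirm the linter action actually posts commit statuses; if it only needs to read the checkout, `statuses: write` can be dropped as well.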
11 changes: 4 additions & 7 deletions .github/workflows/release.yml
Expand Up @@ -18,9 +18,6 @@ name: "Release"
- 'true'
- 'false'

permissions:
contents: write

# Prevent concurrent releases
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
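Review bot: removing the workflow-level `permissions: contents: write` is a good scope reduction, but it means any job in this workflow without its own `permissions:` block now gets the repository default token rather than an explicit grant. Double-check that every job that needs write access declares it at job level (the `release` and `deploy-gh-pages` jobs do later in this diff) and that no other job relied on the inherited write scope.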
Expand All @@ -30,6 +27,8 @@ jobs:
release:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: write

steps:
- uses: actions/checkout@v6
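Review bot: the job-level `permissions: contents: write` on `release` is appropriate for creating tags and releases, and scoping it to the job rather than the workflow is an improvement. While touching this job, consider pinning `actions/checkout@v6` to a full commit SHA instead of a mutable major tag, since the tag can be moved and the job holds a write-capable token.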
Expand All @@ -43,8 +42,6 @@ jobs:

- name: Security Audit
run: npm audit --audit-level=moderate
# TODO: re-evaluate continue-on-error on Dec 18, 2025 or after js-yaml update
continue-on-error: true

- name: Install Dependencies and Build
run: |
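Review bot: the same `continue-on-error` removal here makes `npm audit --audit-level=moderate` a hard gate on releases, which is stricter than the CI step because this invocation has no `--omit=dev`, so a moderate advisory in a devDependency blocks a release but not a PR. That asymmetry should be a deliberate choice; either add `--omit=dev` here or remove it from ci.yml so both gates agree.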
Expand Down Expand Up @@ -170,13 +167,13 @@ jobs:
retention-days: 90

deploy-gh-pages:
permissions:
contents: write
runs-on: ubuntu-latest
needs: release
timeout-minutes: 8
# Only deploy gh-pages on actual releases, not dry-runs
if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry_run == 'false')
permissions:
contents: write

steps:
- name: Checkout Tag
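Review bot: moving the `permissions:` block below `if:` inside `deploy-gh-pages` is a pure reorder with no behaviour change. Worth noting that with the workflow-level grant removed earlier in this diff, this job-level `contents: write` is now the only thing authorising the gh-pages push, so it must not be dropped in a later cleanup.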
11 changes: 3 additions & 8 deletions SECURITY.md
Expand Up @@ -137,7 +137,7 @@ attacks:
- Require branches to be up to date before merging: ✓
- Required status checks:
- `Analyze (javascript)` - CodeQL security analysis
- `Build Summary` - Build and test completion across Node.js versions
- `build` - Build and test completion across Node.js versions
- `Lint Code Base` - Code quality and style checks

- **Require signed commits**
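Review bot: renaming the documented required status check from `Build Summary` to `build` only helps if `build` is the exact check-run name the CI workflow produces and the one configured in branch protection. A mismatch in either direction silently leaves merges ungated (check never required) or blocks every merge (required check never reported), so verify the job name in ci.yml and the branch protection setting match this line.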
Expand All @@ -153,17 +153,12 @@ attacks:
- Only repository administrators can push directly

- **Rules applied to administrators**
- Include administrators: ✓
- Even admins must follow branch protection rules
- Admins can push commits to pull request branches (bypass mode: pull_request)
- Admins still require passing status checks and reviews to merge

- **Allow force pushes**: ✗ (disabled)
- **Allow deletions**: ✗ (disabled)

#### Additional Protections

- **Lock branch**: Consider enabling for release branches
- **Do not allow bypassing the above settings**: ✓

### Repository Settings

Additional security settings enabled:
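Review bot: this hunk documents a weaker administrator posture than before: "Include administrators" and "Do not allow bypassing the above settings" are removed and replaced with admins being allowed to push to pull request branches (bypass mode `pull_request`). If that reflects the real ruleset, the remaining text should also state that stale reviews are dismissed on new pushes (or that approval of the most recent push is required); otherwise an admin push to an already-approved PR branch can be merged without anyone having reviewed the new commits. Also consider keeping the "Lock branch" recommendation for release branches rather than deleting the whole "Additional Protections" subsection.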
8 changes: 4 additions & 4 deletions package-lock.json
18 changes: 9 additions & 9 deletions package.json
Expand Up @@ -9,15 +9,15 @@
},
"description": "Project that makes Safari bookmarklets to automagically jump to the corresponding app and more.",
"devDependencies": {
"@eslint/js": "^9.39.2",
"@types/node": "~25.0.10",
"@typescript-eslint/eslint-plugin": "^8.53.1",
"@typescript-eslint/parser": "^8.53.1",
"eslint": "^9.39.2",
"eslint-plugin-security": "^3.0.1",
"globals": "~17.0.0",
"terser": "~5.46.0",
"typescript": "~5.9.3"
"@eslint/js": "9.39.2",
"@types/node": "25.0.10",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"eslint": "9.39.2",
"eslint-plugin-security": "3.0.1",
"globals": "17.1.0",
"terser": "5.46.0",
"typescript": "5.9.3"
},
"engines": {
"node": ">=24.13.0",
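Review bot: pinning every devDependency to an exact version removes the `^`/`~` ranges, which makes intent explicit even though `npm ci` against the lockfile already gave reproducible installs. Two things to call out: `globals` is bumped from `17.0.0` to `17.1.0` in the same hunk, so this is not a pure pin-only change and the PR description should say so; and to keep future additions pinned, an `.npmrc` with `save-exact=true` would enforce this convention rather than relying on reviewers to catch a stray caret.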
12 changes: 12 additions & 0 deletions preflight
Expand Up @@ -109,4 +109,16 @@ fi
echo ' scripts/*.js, src/*.ts, .github/linters/*.js: TypeScript & JavaScript OK'
echo

## check for @eslint/mcp updates (pinned in .mcp.json)
if [ -f .mcp.json ]; then
MCP_CURRENT=$(sed -n 's/.*@eslint\/mcp@\([0-9][0-9.]*\).*/\1/p' .mcp.json)
if [ -n "$MCP_CURRENT" ]; then
MCP_LATEST=$(npm view @eslint/mcp version 2>/dev/null)
if [ -n "$MCP_LATEST" ] && [ "$MCP_CURRENT" != "$MCP_LATEST" ]; then
echo " NOTE: @eslint/mcp $MCP_LATEST available (pinned: $MCP_CURRENT) - update .mcp.json"
fi
fi
fi
echo

echo ' OK, preflight checks passed.'
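Review bot: the new `@eslint/mcp` check is advisory only (it prints a NOTE and never fails), which is fine for a preflight script, but two details are worth tightening. The sed pattern `@eslint\/mcp@\([0-9][0-9.]*\)` only captures numeric dotted versions, so a pinned prerelease such as `1.2.3-beta.1` would be truncated to `1.2.3` and then always reported as differing from the registry; anchoring the capture on the closing quote would avoid that. And because `npm view` has its stderr discarded and an empty result skips the check silently, an offline run or registry error produces no signal at all; echoing a short "could not query registry" line in the empty case keeps the pin check from being skipped unnoticed.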