fix(ci): protect CI against supply chain attack on nodejs

darkweaver87 · web-flow · commit 6f326ecb56c4 · 2025-12-05T14:48:04.000+01:00
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -10,6 +10,9 @@ permissions:
   pages: write
   id-token: write
 
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
+
 jobs:
   faency:
     name: Deploy
@@ -18,17 +21,22 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: enable corepack
         run: corepack enable
 
       - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Config git
         run: |
           git config --local user.email "30906710+traefiker@users.noreply.github.com"
diff --git a/.github/workflows/pr-prod-build.yaml b/.github/workflows/pr-prod-build.yaml
@@ -3,23 +3,31 @@ name: Production build test
 on:
   pull_request:
 
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
+
 jobs:
   faency:
     name: Production build test
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: enable corepack
         run: corepack enable
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Install production dependencies
         run: yarn workspaces focus --all --production
 
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -3,24 +3,32 @@ name: Pull Request Lint
 on:
   pull_request:
 
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
+
 jobs:
   faency:
     name: Test, lint and build
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: enable corepack
         run: corepack enable
 
       - name: Setup node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Install
         run: yarn install
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,24 +5,32 @@ on:
     branches:
       - master
 
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
+
 jobs:
   faency:
     name: Release
     if: github.repository == 'traefik/faency'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: enable corepack
         run: corepack enable
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version-file: .nvmrc
           cache: yarn
 
+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
       - name: Install dependencies
         run: yarn workspaces focus --all --production
 
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1 +1,2 @@
 nodeLinker: node-modules
+enableScripts: false

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`nodeLinker: node-modules`
	`2`	`+enableScripts: false`