
ci: harden privileged PR workflows#4450

Merged
icehaunter merged 1 commit into main from horton/ci-immediate-supply-chain-fixes-clean on Jun 1, 2026

Conversation

@KyleAMathews
Contributor

Summary

Immediate CI supply-chain hardening following the TanStack incident audit:

  • remove implicit pnpm cache from the release workflow
  • restrict privileged load-test runs to same-repo PR branches
  • restrict benchmark comment trigger to MEMBER/OWNER and reject fork PRs before privileged steps
  • remove CROSSREPO_PAT callback payloads from benchmark requests
  • downgrade TS test workflow package permission from write to read
  • add CODEOWNERS protection for .github CI/CD files

Validation

  • Parsed changed workflow YAML files with Ruby YAML loader:
    • .github/workflows/changesets_release.yml
    • .github/workflows/load_test.yml
    • .github/workflows/benchmarking.yml
    • .github/workflows/ts_tests.yml

Note: this PR is from the clean branch horton/ci-immediate-supply-chain-fixes-clean and contains only the immediate CI hardening commit.
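The trigger and fork guards the Summary bullets describe, shown as an added illustration rather than the workflow text merged in this PR; the job, step, secret and script names are placeholders, and resolving the PR head via `gh pr view` is one assumed way to get at the PR from an issue_comment event, which carries no pull_request context of its own:

```yaml
# Added illustration, not the workflow text merged in this PR. Job, step,
# secret and script names are placeholders; the guards mirror the Summary.
name: benchmarking

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write   # only what the result-comment step needs

jobs:
  benchmark:
    # 1. Only a repository MEMBER or OWNER may trigger the privileged run.
    # 2. The comment must be on a pull request and carry the trigger phrase.
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/benchmark') &&
      contains(fromJSON('["MEMBER","OWNER"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - name: Resolve PR head and fork status
        id: pr
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr view "${{ github.event.issue.number }}" --repo "${{ github.repository }}" \
            --json headRefOid,isCrossRepository > pr.json
          echo "sha=$(jq -r .headRefOid pr.json)" >> "$GITHUB_OUTPUT"
          echo "fork=$(jq -r .isCrossRepository pr.json)" >> "$GITHUB_OUTPUT"

      # 3. Reject fork PRs before any step that touches secrets or shared infra.
      - name: Reject fork pull requests
        if: steps.pr.outputs.fork == 'true'
        run: |
          echo "::error::benchmarks run only for same-repo branches"
          exit 1

      - name: Check out the exact PR head commit
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.sha }}

      - name: Run benchmark (privileged; uses secrets)
        env:
          BENCH_TOKEN: ${{ secrets.BENCH_TOKEN }}   # placeholder secret name
        run: ./scripts/run-benchmark.sh             # placeholder script
```

For a workflow driven by the pull_request event instead, the same-repo restriction reduces to a job-level condition of the form `github.event.pull_request.head.repo.full_name == github.repository`.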

Comment thread .github/workflows/benchmarking.yml Outdated
"url":"https://api.github.com/repos/electric-sql/electric/actions/workflows/leave_benchmark_comment.yml/dispatches",
"body": "{\"ref\":\"main\",\"inputs\":{\"pr\":\"${{ github.event.issue.number }}\",\"benchmark_info\":#{benchmark_info},\"original_commit\":\"${{ env.SHORT_SHA }}\"}}"
}
"short_version": "pr-${{ github.event.issue.number }}-${{ env.SHORT_SHA }}"
Contributor


Why is this removing our own infra work of benchmarking leaving GH comments?

@KyleAMathews force-pushed the horton/ci-immediate-supply-chain-fixes-clean branch from 4c5d168 to 1718113 on June 1, 2026 12:57
@KyleAMathews
Contributor Author

Addressed @icehaunter review: restored the benchmark callback blocks so result comments continue to work, while keeping the same-repo/member-owner hardening.

@KyleAMathews
Contributor Author

Updated CODEOWNERS to list all current repository admins instead of a single owner. GitHub CODEOWNERS can also use teams, but explicit admins matches the review suggestion.

@KyleAMathews force-pushed the horton/ci-immediate-supply-chain-fixes-clean branch from 1718113 to 2a95b8a on June 1, 2026 13:03
@KyleAMathews requested a review from icehaunter on June 1, 2026 13:07
@icehaunter merged commit 83a97c8 into main on Jun 1, 2026
8 checks passed
@icehaunter deleted the horton/ci-immediate-supply-chain-fixes-clean branch on June 1, 2026 13:23