ci(skills): pin clawhub CLI by hash via committed lockfile#268
Open
davida-ps wants to merge 1 commit into
Scorecard flags the skill-release workflow's npm install of the clawhub CLI (code-scanning alerts #25/#26): version pinning alone carries no integrity guarantee. Install it with npm ci from a committed package-lock.json instead, so every package (clawhub + 35 transitive deps) is verified against its sha512 hash at install time. The publish-payload patch step now resolves the module from the local node_modules instead of npm root -g. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Comment on lines 1534 to +1538
| - name: Install clawhub CLI | ||
| if: needs.release-tag.outputs.publish_clawhub == 'true' && env.CLAWHUB_TOKEN != '' | ||
| run: npm install -g clawhub@${CLAWHUB_CLI_VERSION} | ||
| run: | | ||
| npm ci --prefix .github/clawhub-cli | ||
| echo "${GITHUB_WORKSPACE}/.github/clawhub-cli/node_modules/.bin" >> "$GITHUB_PATH" |
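Review bot: `npm ci --prefix .github/clawhub-cli` verifies every tarball against the lockfile's sha512 hash, but it still executes any preinstall/postinstall lifecycle scripts that clawhub or its 35 transitive dependencies declare, so a hash-pinned package can still run arbitrary code in the release job; unless clawhub needs an install script, run `npm ci --ignore-scripts --prefix .github/clawhub-cli` here and in the matching republish-clawhub step so the pin covers execution as well as bytes. The PATH export itself looks right: `${GITHUB_WORKSPACE}/.github/clawhub-cli/node_modules/.bin` is workspace-relative and is written to `$GITHUB_PATH` before the later `clawhub login`/`inspect`/`publish` steps that depend on it.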
Contributor
Missing CodeArtifact auth before npm ci --prefix .github/clawhub-cli (also at lines 1726-1729) means private tarballs can't be fetched — should we add an AWS CodeArtifact login step before each npm ci, and factor both into a shared reusable step to avoid duplication?
Prompt for AI Agents
Before applying, verify this suggestion against the current code. In
.github/workflows/skill-release.yml, add an AWS CodeArtifact login step (or equivalent
that writes the required npm auth token to .npmrc) before each `npm ci --prefix
.github/clawhub-cli` run — once around lines 1534-1538 in the publish-clawhub job, and
once around lines 1726-1729 in the republish-clawhub job. Then refactor both the auth
step and the `npm ci` + PATH export into a single shared step/anchor, since the same
CodeArtifact domain/repo/region are used in both jobs.
Comment on lines 1544 to +1548
| node <<'NODE' | ||
| const { execSync } = require("node:child_process"); | ||
| const fs = require("node:fs"); | ||
| const path = require("node:path"); | ||
|
|
||
| const npmRoot = execSync("npm root -g", { encoding: "utf8" }).trim(); | ||
| const npmRoot = path.join(process.env.GITHUB_WORKSPACE, ".github", "clawhub-cli", "node_modules"); |
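Review bot: `execSync` is still imported from `node:child_process` on the first line of the script, but its only caller visible in this hunk, the removed `npm root -g` line, is gone; drop the import if nothing further down still uses it. The replacement `path.join(process.env.GITHUB_WORKSPACE, ".github", "clawhub-cli", "node_modules")` throws a TypeError when `GITHUB_WORKSPACE` is unset (for example when the script is run outside Actions), which fails closed but with an unhelpful message; a one-line guard such as `if (!process.env.GITHUB_WORKSPACE) throw new Error("GITHUB_WORKSPACE is not set");` before the join would make the failure obvious.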
Contributor
The temporary patch clawhub publish payload Node script is duplicated in publish-clawhub and republish-clawhub; should we move it into .github/scripts/patch-clawhub.js and reuse it from both jobs?
User description

Summary

Fixes code-scanning alerts #25 and #26 (OSSF Scorecard PinnedDependenciesID, "npmCommand not pinned by hash"): the `skill-release.yml` workflow installed the clawhub CLI with `npm install -g clawhub@0.7.0` in two jobs. Version pinning alone carries no integrity guarantee — a compromised registry entry for the same version would install silently.

Changes

- `.github/clawhub-cli/package.json` + `package-lock.json` (new) — pins `clawhub@0.7.0` and all 35 transitive dependencies with sha512 integrity hashes. To bump the CLI: edit the version in `package.json`, run `npm install --package-lock-only` in that directory, and commit both files.
- `.github/workflows/skill-release.yml` — both `Install clawhub CLI` steps now run `npm ci --prefix .github/clawhub-cli` (hash-verified, lockfile-exact) and prepend the local `node_modules/.bin` to `$GITHUB_PATH`, so the later `clawhub login`/`inspect`/`publish` steps are unchanged. The publish-payload patch step resolves the module from the local `node_modules` instead of `npm root -g`. The now-redundant `CLAWHUB_CLI_VERSION` env was removed (the version lives in the lockfile).

Verification

- `npm ci` from the committed lockfile installs a working CLI (`clawhub -h` reports v0.7.0) and exposes the `clawhub` bin in `node_modules/.bin`.
- `publish.js` patch target exists at the new local path and the `changelog,\n…tags,` pattern the patch step rewrites still matches.
- `integrity` hashes (none missing).
- `node scripts/test-skill-release-workflow.mjs` passes; `./scripts/prepare-to-push.sh` passes.

🤖 Generated with Claude Code
Generated description

Below is a concise technical summary of the changes proposed in this PR:

Pin the `clawhub` CLI and all of its transitive packages via the committed `.github/clawhub-cli` manifests so `npm ci` brings in only hash-verified dependencies. Update the `skill-release` workflow to run `npm ci --prefix .github/clawhub-cli`, load the local binary into `$GITHUB_PATH`, and patch `clawhub`'s `publish.js` from that install location.

- Pin the `clawhub` CLI plus every downstream dependency with integrity hashes in the committed `package.json`/`package-lock.json` so `npm ci` can install a hash-verified CLI for the release workflow. (2 modified files)
- Update the `skill-release` workflow to run `npm ci --prefix .github/clawhub-cli`, expose the local `node_modules/.bin` to later steps, and resolve/patch `publish.js` from that local install. (1 modified file)