Add CI/CD hardening, security scanning, and npm publish readiness#55
jeremy wants to merge 3 commits into
Conversation
Releng infrastructure to bring the plugin to parity with sibling repos:

CI (.github/workflows/ci.yml):
- Split monolithic job into 5 parallel jobs: typecheck, lint+actionlint, test+coverage, build+verify, dependency-review (PR only)
- All jobs use setup-node with npm cache

Security (.github/workflows/security.yml):
- npm audit (HIGH+), Trivy filesystem scan (SARIF), CodeQL (security-and-quality), gitleaks secret scanning
- Runs on push/PR to main + weekly Monday schedule
- Reusable via workflow_call

Release (.github/workflows/release.yml):
- Triggered on v* tag push, gated on security + test jobs
- npm publish with OIDC provenance, pre-release tag detection
- GitHub Release with auto-generated notes
- Idempotency guard via npm view

Dependency management:
- Dependabot: weekly npm + github-actions, grouped minor/patch
- Auto-merge: squash npm patch/minor PRs (excludes actions)

PR automation:
- Path-based labeling (adapters, inbound, outbound, tests, ci, docs, config)

Package readiness:
- Add main, types, exports, files fields for npm publishing
- Add build, clean, prepublishOnly, check scripts
- Move typescript to devDependencies
- Point openclaw.extensions at ./dist/index.js (matches files field)
- Add .npmrc with engine-strict=true
- Add .env patterns to .gitignore
- Pin all GitHub Actions to commit SHAs across ci.yml, security.yml, release.yml, dependabot-auto-merge.yml, and labeler.yml
- Fix release publish job: use fetch-depth: 0 so git merge-base --is-ancestor works for non-tip tags on main, and drop the redundant shallow fetch of origin/main
Pull request overview
This PR hardens the repo’s CI/CD and security posture while making the package ready for npm publish (including provenance) and automating dependency/label management.
Changes:
- Refactors CI into parallel jobs (typecheck, lint + actionlint, tests + coverage artifact, build verification, dependency review).
- Adds security scanning workflow (npm audit, Trivy SARIF upload, CodeQL, gitleaks) and a tag-driven release workflow that publishes to npm and creates a GitHub Release.
- Prepares the package for publishing (exports/types/files fields, build/clean/check scripts, moves TypeScript to devDependencies) plus Dependabot config + auto-merge and PR label automation.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| package.json | Adds publish-ready entrypoints/exports/files and CI-friendly scripts; moves TypeScript to devDependencies and points OpenClaw extension to built output. |
| .npmrc | Enforces engine-strict=true for installs. |
| .gitignore | Ignores .env files. |
| .github/workflows/ci.yml | Splits CI into parallel jobs; adds actionlint and dependency review. |
| .github/workflows/security.yml | Introduces security scanning (audit/Trivy/CodeQL/gitleaks) and makes it reusable via workflow_call. |
| .github/workflows/release.yml | Adds tag-based release pipeline with security+test prerequisites, npm publish w/ provenance, and GitHub Release creation. |
| .github/workflows/labeler.yml | Adds PR label automation workflow. |
| .github/labeler.yml | Defines path-based label mappings. |
| .github/dependabot.yml | Configures weekly grouped Dependabot updates for npm and GitHub Actions. |
| .github/workflows/dependabot-auto-merge.yml | Auto-approves/merges Dependabot npm patch/minor PRs. |
| .github/codeql/codeql-config.yml | Sets CodeQL paths to ignore build/test artifacts. |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3b9bd12344
…ease workflow
- Pin node-version to 22.5 across all workflows to match engines.node >=22.5
- Replace curl-based actionlint install with pinned rhysd/actionlint action
- Add exit-code: "1" to Trivy for hard failure on HIGH/CRITICAL findings
- Add secrets: inherit to security job in release workflow
- Dereference annotated tags before ancestry check
- Validate tag version matches package.json before publish
Redundant — this work was merged as PR #53.
Summary
- `check` job into 5 parallel jobs (typecheck, lint+actionlint, test+coverage, build+verify, dependency-review)
- `workflow_call`
- `v*` tag → security + test gates → `npm publish --provenance` + GitHub Release; idempotency guard, pre-release tag detection
- `main`/`types`/`exports`/`files` fields, `build`/`clean`/`prepublishOnly`/`check` scripts, typescript → devDependencies, `openclaw.extensions` → `./dist/index.js`

Test plan
- `npm run typecheck` — clean
- `npm test` — 1151 passed, 65 files
- `npm run build` — `dist/index.js` + `dist/index.d.ts` present
- `npm pack --dry-run` — only `dist/` + `openclaw.plugin.json` + README
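The release gate this PR describes (dereference the tag, check it is an ancestor of main, require the tag version to match package.json, derive the pre-release dist-tag, and guard idempotency with npm view), written out as an added shell example; this is not the PR's own workflow code, and the function names and the sed-based package.json parsing are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not this PR's workflow code): the checks a tag-triggered
# publish job should pass before `npm publish`. Function names are assumed.
set -eu

# Read "version" from package.json with sed (assumed layout: one key per line).
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}

# Dereference an annotated or lightweight tag to the commit it points at.
tag_commit() {
  git rev-parse --verify "refs/tags/$1^{commit}"
}

# True if the tag's commit is reachable from origin/main. Needs the full
# history (fetch-depth: 0); a shallow clone makes --is-ancestor unreliable.
tag_on_main() {
  git merge-base --is-ancestor "$(tag_commit "$1")" origin/main
}

# npm dist-tag to publish under: v1.2.3 -> latest, v1.3.0-beta.2 -> beta.
dist_tag_for() {
  ver="${1#v}"
  case "$ver" in
    *-*) pre="${ver#*-}"; printf '%s\n' "${pre%%.*}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# Idempotency guard: succeeds if name@version already exists on the registry.
already_published() {
  npm view "$1@$2" version >/dev/null 2>&1
}

# Fail unless the tag is v<semver> and matches package.json; print the version.
check_release_tag() {
  tag="$1"; pkg="$2"
  case "$tag" in
    v[0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "refusing to publish: '$tag' is not a v<semver> tag" >&2; return 1 ;;
  esac
  ver="$(package_version "$pkg")"
  if [ "${tag#v}" != "$ver" ]; then
    echo "refusing to publish: tag '$tag' != package.json version '$ver'" >&2
    return 1
  fi
  printf '%s\n' "$ver"
}
```

In a GitHub Actions job triggered by a tag push, `GITHUB_REF_NAME` holds the tag, so the gate is `check_release_tag "$GITHUB_REF_NAME" package.json && tag_on_main "$GITHUB_REF_NAME"` followed by the `already_published` check before publishing with `--tag "$(dist_tag_for "$GITHUB_REF_NAME")"`.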