
chore: pnpm hardening, catalog migration, and CI security#490

Merged
kelsos merged 4 commits intorotki:mainfrom
kelsos:chore/pnpm-hardening-and-catalog
Apr 7, 2026

Conversation

@kelsos
Member

@kelsos kelsos commented Apr 7, 2026

Summary

  • pnpm supply chain hardening: Added strictDepBuilds, blockExoticSubdeps, minimumReleaseAge (7 days), trustPolicy: no-downgrade, selective allowBuilds, and chokidar override to v5
  • Dependency catalog: Migrated all dependency versions to pnpm catalog: for single-source version management across all workspace packages
  • Dependency updates: Applied all pending minor/patch updates from the dependency dashboard (vitest 4.1.2, storybook 10.3.3, vue 3.5.31, vue-router 5.0.4, bumpp 11.0.1, and more)
  • GitHub Actions hardening: Pinned all actions to immutable commit SHAs, updated to latest versions (pnpm/action-setup v5, deploy-pages v5, codecov-action v6), disabled node cache in release workflow to prevent cache poisoning, pinned [email protected]
  • Renovate config: Added helpers:pinGitHubActionDigests preset and monorepo grouping rules (vitest, storybook, vue, commitlint, vueuse). Fixed tailwind-variants allowed version (0.x → 3.x)
  • Housekeeping: Moved shamefullyHoist from .npmrc to pnpm-workspace.yaml, added ESLint workaround for @stylistic/spaced-comment on YAML files (rotki/eslint-config#80: "@stylistic/spaced-comment not disabled for YAML files (only style/spaced-comment is)")

Test plan

  • pnpm install succeeds cleanly
  • pnpm run lint passes (0 errors)
  • pnpm run typecheck passes
  • pnpm run test:run passes (1012/1012 tests)
  • CI workflow runs successfully on this PR
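To show how the settings listed in the summary fit together, here is an illustrative pnpm-workspace.yaml written for this page; it is not the repository's own file. The setting names are those the PR lists; the package list, the allowBuilds entry and the catalog versions are assumptions taken from the versions mentioned above.

```yaml
# pnpm-workspace.yaml (illustrative example, not the rotki file)
packages:
  - packages/*            # assumption: workspace layout

# Supply-chain hardening settings named in the PR
strictDepBuilds: true     # install fails if a dependency needs a build script
                          # that is not explicitly allowed in allowBuilds
blockExoticSubdeps: true  # refuse transitive deps resolved from git/tarball URLs
minimumReleaseAge: 10080  # minutes (7 days): a version published less than a
                          # week ago is skipped, which blunts hijacked releases
trustPolicy: no-downgrade # refuse a version with weaker publishing trust than
                          # the one already recorded in the lockfile
allowBuilds:
  esbuild: true           # assumption: only listed packages may run lifecycle scripts

overrides:
  chokidar: ^5            # force one vetted major across the whole tree

shamefullyHoist: true     # moved here from .npmrc

# Single source of truth for versions used by every workspace package
catalog:
  vue: 3.5.31
  vue-router: 5.0.4
  vitest: 4.1.2
  storybook: 10.3.3
  bumpp: 11.0.1
```

Each workspace package.json then declares `"vue": "catalog:"` instead of a version, so a bump happens in exactly one place and Renovate's grouping rules apply to that single entry.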

kelsos added 3 commits April 7, 2026 15:50
Add supply chain hardening settings from rotki/rotki: strictDepBuilds,
blockExoticSubdeps, minimumReleaseAge (7 days), trustPolicy no-downgrade,
and selective allowBuilds. Migrate all dependency versions to pnpm catalog
for single-source version management. Apply minor/patch updates from the
dependency dashboard. Add Renovate grouping rules for monorepo packages.
- pnpm/action-setup v4 → v5
- actions/deploy-pages v4 → v5
- codecov/codecov-action v5 → v6
Pin all action references to immutable commit SHAs to prevent supply
chain attacks via mutable tags. Add helpers:pinGitHubActionDigests
preset in Renovate to keep SHAs updated automatically.

Disable node cache in release workflow to prevent cache poisoning.
Pin changelogithub to specific version.

Move shamefullyHoist from .npmrc to pnpm-workspace.yaml.

Work around @stylistic/spaced-comment false positive on YAML files
(rotki/eslint-config#80) to allow SHA comments in workflow files.
Required by chokidar/storybook for file watching in CI.
@kelsos kelsos requested a review from a team as a code owner April 7, 2026 14:30
@codecov-commenter

codecov-commenter commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.01%. Comparing base (ca1ef7d) to head (832fa8e).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #490   +/-   ##
=======================================
  Coverage   85.01%   85.01%           
=======================================
  Files         139      139           
  Lines        5024     5024           
  Branches     1509     1509           
=======================================
  Hits         4271     4271           
  Misses        753      753           


@kelsos kelsos merged commit 832fa8e into rotki:main Apr 7, 2026
5 checks passed
@kelsos kelsos deleted the chore/pnpm-hardening-and-catalog branch April 7, 2026 14:55