ci: update egress policies, apply zizmor recommendations #792

Open
flakey5 wants to merge 1 commit into main from flakey5/20260513/harden-runner

Conversation

@flakey5 (Member) commented May 13, 2026

Description

Validation

Related Issues

Check List

  • I have read the Contributing Guidelines and made commit messages that follow the guideline.
  • I have run node --run test and all tests passed.
  • I have checked code formatting with node --run format & node --run lint.
  • I've covered newly added functionality with unit tests if necessary.

@flakey5 flakey5 requested a review from a team as a code owner May 13, 2026 22:23
@cursor (Bot) commented May 13, 2026

PR Summary

Medium Risk
Tightens GitHub Actions network egress across multiple workflows and changes the dependency review trigger, which may break CI/CD runs if any required outbound endpoints are missing.

Overview
Hardens GitHub Actions execution by switching step-security/harden-runner from egress-policy: audit to block and adding explicit allowed-endpoints allowlists across CI, CodeQL, publishing, and maintenance workflows.

Reduces credential and trigger exposure by setting actions/checkout persist-credentials: false broadly, changing dependency-review from pull_request_target to pull_request, and moving npm OIDC id-token: write permission to only the publish job.

Adds a new zizmor workflow to run GitHub Actions security analysis on push/pull_request, and increases Dependabot cooldown.default-days from 3 to 7 for both GitHub Actions and npm updates.

Reviewed by Cursor Bugbot for commit 7de39fe.
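An added example, not one of this PR's workflow files, that puts the settings the summary above describes into one CI workflow: `egress-policy: block` with an explicit `allowed-endpoints` list in place of `audit`, `persist-credentials: false` on checkout, `pull_request` instead of `pull_request_target`, and a job that runs zizmor over the workflow directory. The endpoint list, job layout and Node/Python versions are assumptions for illustration; a real workflow should also pin every action to a full commit SHA rather than a version tag.

```yaml
# Added illustration, not this repository's workflow. Endpoints, versions and
# job names are assumptions; only the pattern is the point.
name: ci

on:
  # `pull_request` runs with the PR's own read-only GITHUB_TOKEN and no secrets
  # for forks. `pull_request_target` would run in the base repo's context with a
  # write-capable token and secrets, which is why the PR moves away from it.
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2   # pin to a commit SHA in practice
        with:
          # Weak setting: `egress-policy: audit` only logs outbound connections.
          # Hardened: `block` refuses any host not listed below, so a compromised
          # dependency or action cannot exfiltrate the token to an arbitrary host.
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
        with:
          # Default (`true`) leaves GITHUB_TOKEN in .git/config for every later
          # step, including third-party actions and anything `npm ci` runs.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: node --run test

  zizmor:
    # Static analysis of the workflow files themselves (unpinned actions,
    # template injection, dangerous triggers, credential persistence).
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            pypi.org:443
            files.pythonhosted.org:443
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pipx run zizmor .github/workflows
```

The practical way to build the allowlist is to run one cycle with `egress-policy: audit`, read the connections harden-runner reports for each job, and then switch to `block` with exactly those hosts; anything later added to the allowlist should arrive with a justification in the PR, since every new host widens the channel an attacker in the build could use.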

@vercel (Bot) commented May 13, 2026

The latest updates on your projects.

Project           Deployment   Actions   Updated (UTC)
api-docs-tooling  Ready        Preview   May 15, 2026 0:17am

@codecov (Bot) commented May 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.95%. Comparing base (6bc834d) to head (7de39fe).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #792   +/-   ##
=======================================
  Coverage   77.95%   77.95%           
=======================================
  Files         159      159           
  Lines       14056    14056           
  Branches     1152     1152           
=======================================
  Hits        10957    10957           
  Misses       3094     3094           
  Partials        5        5           

☔ View full report in Codecov by Sentry.

@github-actions (Bot) commented May 13, 2026

api-links Generator

apilinks.json
Expected values to be strictly deep-equal:
+ actual - expected
... Skipped lines

  {
    'Agent.defaultMaxSockets': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L227',
    'Buffer.alloc': 'https://github.com/nodejs/node/blob/HEAD/lib/buffer.js#L436',
    'Buffer.allocUnsafe': 'https://github.com/nodejs/node/blob/HEAD/lib/buffer.js#L450',
    'Buffer.allocUnsafeSlow': 'https://github.com/nodejs/node/blob/HEAD/lib/buffer.js#L462',
...
    'agent.addRequest': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L292',
+   'agent.createConnection': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L231',
-   'agent.createConnection': 'https://github.com/nodejs/node/blob/HEAD/lib/https.js#L326',
    'agent.createSocket': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L363',
    'agent.destroy': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L595',
+   'agent.getName': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L261',
-   'agent.getName': 'https://github.com/nodejs/node/blob/HEAD/lib/https.js#L484',
    'agent.keepSocketAlive': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L552',
    'agent.removeSocket': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L491',
    'agent.reuseSocket': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_agent.js#L588',
    'assert.assert': 'https://github.com/nodejs/node/blob/HEAD/lib/assert.js#L185',
    'asyncResource.asyncId': 'https://github.com/nodejs/node/blob/HEAD/lib/async_hooks.js#L242',
...
    'server.address': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2289',
+   'server.close': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L614',
+   'server.closeAllConnections': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L624',
+   'server.closeIdleConnections': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L636',
-   'server.close': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2422',
-   'server.closeAllConnections': 'https://github.com/nodejs/node/blob/HEAD/lib/https.js#L120',
-   'server.closeIdleConnections': 'https://github.com/nodejs/node/blob/HEAD/lib/https.js#L122',
    'server.getConnections': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2384',
    'server.listen': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2106',
    'server.ref': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2527',
+   'server.setTimeout': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L652',
-   'server.setTimeout': 'https://github.com/nodejs/node/blob/HEAD/lib/https.js#L124',
    'server.unref': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2536',
+   'server[SymbolAsyncDispose]': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L620',
+   'server[undefined]': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L659',
-   'server[SymbolAsyncDispose]': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2462',
-   'server[undefined]': 'https://github.com/nodejs/node/blob/HEAD/lib/net.js#L2491',
    'serverresponse._finish': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L246',
    'serverresponse._implicitHeader': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L360',
    'serverresponse.assignSocket': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L296',
    'serverresponse.detachSocket': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L307',
    'serverresponse.statusCode': 'https://github.com/nodejs/node/blob/HEAD/lib/_http_server.js#L269',
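Review bot: every mismatch in this expected-vs-actual output is a member name that exists in more than one lib file (`agent.createConnection`, `agent.getName`, `server.close`, `server.closeAllConnections`, `server.closeIdleConnections`, `server.setTimeout`, `server[SymbolAsyncDispose]`) now resolving to `_http_agent.js` or `_http_server.js` where the stored expectation recorded `https.js` or `net.js`; a PR that only touches workflow YAML and Dependabot config does not change the generator, and every link points at `blob/HEAD/`, so this is drift between the checked-in `apilinks.json` and the current nodejs/node HEAD rather than a regression introduced here. Regenerate the expectation in a separate change, or have the check resolve against a pinned nodejs/node commit so it stops failing on unrelated PRs. Separately, the `server[undefined]` key present on both sides looks like a computed property name the generator failed to resolve and deserves its own issue.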

Review threads: .github/workflows/scorecard.yml (2, outdated), .github/workflows/dependency-review.yml, .github/workflows/update-type-map.yml

flakey5 force-pushed the flakey5/20260513/harden-runner branch from ad452f9 to 7de39fe on May 15, 2026 00:16
flakey5 changed the title from "ci: update egress policies" to "ci: update egress policies, apply zizmor recommendations" on May 15, 2026
@cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 7de39fe.

if: needs.prepare.outputs.should_publish == 'true'
permissions:
# For npm OIDC (https://docs.npmjs.com/trusted-publishers)
id-token: write
Publish job loses contents: read from permission override

High Severity

The publish job defines job-level permissions with only id-token: write. In GitHub Actions, job-level permissions completely replace (not merge with) workflow-level permissions. This means the publish job loses the workflow-level contents: read permission. Without contents: read, the nodejs/web-team/actions/setup-environment action won't be able to check out the repository, and npm publish will have no package to publish. The contents: read permission needs to be included alongside id-token: write in the job-level permissions block.

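An added example, not this PR's actual publish workflow, illustrating the permission rule in the comment above: a job-level `permissions` block replaces the workflow-level one rather than merging with it, so a publish job that needs `id-token: write` for npm OIDC has to restate `contents: read` itself. The `prepare` job's stand-in check, the runner setup and the npm invocation are assumptions for illustration.

```yaml
# Added illustration, not this repository's publish workflow. The `prepare`
# job's check, the endpoint list and the npm command are assumptions.
name: publish

on:
  push:
    branches: [main]

# Workflow-level default. It applies to a job only while that job declares
# no `permissions` block of its own.
permissions:
  contents: read

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      should_publish: ${{ steps.check.outputs.should_publish }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - id: check
        # Stand-in for the real "is there something to publish" check.
        run: echo "should_publish=true" >> "$GITHUB_OUTPUT"

  publish:
    needs: prepare
    if: needs.prepare.outputs.should_publish == 'true'
    runs-on: ubuntu-latest
    permissions:
      # Declaring this block resets every scope not listed here to `none`; the
      # workflow-level `contents: read` above is NOT inherited. Listing only
      # `id-token: write` would leave the job's token without `contents`.
      contents: read
      # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
      id-token: write
    steps:
      - uses: step-security/harden-runner@v2   # pin to a commit SHA in practice
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # With trusted publishing the OIDC token replaces a long-lived NPM_TOKEN
      # secret, so nothing in the job's environment is worth stealing.
      - run: npm publish --provenance --access public
```

Keeping `id-token: write` on the publish job alone, as the PR does, is the right direction: that scope lets any step in the job mint an OIDC token that npm trusts, so it should never sit at workflow level where test and lint jobs running untrusted code would inherit it.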

Labels: None yet
Projects: None yet
1 participant