-
Notifications
You must be signed in to change notification settings - Fork 3
ci: add rainix-npm-blacklist reusable workflow #230
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
thedavidmeister
wants to merge
6
commits into
main
Choose a base branch
from
2026-06-15-npm-blacklist-reusable
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
f60519f
ci: add rainix-npm-blacklist reusable workflow
thedavidmeister d64b5bb
Merge branch 'main' into 2026-06-15-npm-blacklist-reusable
thedavidmeister 56a241e
style: yamlfmt-normalize composite-action and reusable descriptions
thedavidmeister cd1fe3a
fix(ci): npm-blacklist working-directory param [3b-attempt]
thedavidmeister 01a2bd1
Merge remote-tracking branch 'origin/main' into 2026-06-15-npm-blackl…
thedavidmeister c184ad1
merge(main): resolve conflicts [merge-update]
thedavidmeister File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| ## | ||
| ## Self-test for the `rainix-npm-blacklist.yaml` reusable workflow. | ||
| ## | ||
| ## Exercises the reusable end to end against a real npm project in this repo's | ||
| ## fixture: it installs the fixture's dependency tree and runs the blacklist | ||
| ## scan over it, exactly as a downstream consumer does. The install command | ||
| ## populates `node_modules` under `test/fixture/subgraph`, and that same | ||
| ## directory is the one scanned. | ||
| ## | ||
| name: npm-blacklist-self-test | ||
| on: [push] | ||
| jobs: | ||
| npm-blacklist: | ||
| uses: ./.github/workflows/rainix-npm-blacklist.yaml | ||
| with: | ||
| install-command: nix develop .#wasm-shell -c bash -c "cd test/fixture/subgraph && npm ci" | ||
| working-directories: test/fixture/subgraph | ||
| secrets: | ||
| CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| ## | ||
| ## Reusable npm-package blacklist security gate for rainlanguage repos. | ||
| ## | ||
| ## Scans the INSTALLED npm dependency tree of one or more workspace packages for | ||
| ## known-malicious packages, using the shared blacklist data in the | ||
| ## `rainlanguage/github-chore` `npm-blacklist` composite action. The check reads | ||
| ## `npm ls --all`, so it must run AFTER dependencies are installed — this | ||
| ## workflow installs once via the caller's `install-command`, then scans every | ||
| ## listed directory from that single installed tree. | ||
| ## | ||
| ## Consumers replace an inline blacklist job with a short caller that supplies | ||
| ## the `install-command` and the `working-directories` to scan. | ||
| ## | ||
| name: rainix-npm-blacklist | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| install-command: | ||
| description: >- | ||
| Command that installs the npm dependency tree before the scan, e.g. `nix develop .#wasm-shell -c npm install --no-check`. The blacklist checker runs `npm ls --all`, so every directory in `working-directories` must have its `node_modules` populated by this command. | ||
| required: true | ||
| type: string | ||
| working-directories: | ||
| description: >- | ||
| Whitespace-separated list of NPM project directories to scan, e.g. a YAML multiline of ". packages/raindex packages/ui-components". Each must contain a `package.json` and installed `node_modules` after `install-command` runs. Defaults to the repository root. | ||
| required: false | ||
| default: '.' | ||
| type: string | ||
| cachix-name: | ||
| description: Cachix binary cache name to substitute from / push to. | ||
| required: false | ||
| default: rainlanguage | ||
| type: string | ||
| secrets: | ||
| CACHIX_AUTH_TOKEN: | ||
| required: false | ||
| jobs: | ||
| npm-blacklist: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| # Shared nix + cachix CI preamble (checkout, nix-quick-install, Cachix, | ||
| # cache-nix-action). The pinned third-party action SHAs live ONCE in the | ||
| # composite; this reusable references it fully qualified at | ||
| # `rainlanguage/rainix/...@main`, exactly as downstream consumers do. | ||
| - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main | ||
| with: | ||
| cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} | ||
| cachix-name: ${{ inputs.cachix-name }} | ||
| # Install the dependency tree once; the blacklist checker inspects it but | ||
| # never installs, so a single install feeds every directory scanned below. | ||
| - name: Install npm dependencies | ||
| run: ${{ inputs.install-command }} | ||
| # One call scans every directory from the single installed tree | ||
| # (`working-directories` is whitespace-separated). The check fails if any | ||
| # listed directory resolves a blacklisted package. | ||
| - uses: rainlanguage/github-chore/.github/actions/npm-blacklist@main | ||
| with: | ||
| working-directory: ${{ inputs.working-directories }} | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: rainlanguage/rainix
Length of output: 212
🏁 Script executed:
Repository: rainlanguage/rainix
Length of output: 2693
🏁 Script executed:
Repository: rainlanguage/rainix
Length of output: 2025
Command injection risk via template expansion in
runstep.The
install-commandinput is expanded directly into therunstep without validation. Whileworkflow_calllimits callers to workflows within the same repository, an attacker with repository write access could modify calling workflows to inject arbitrary shell commands through this input.Since the input is defined as a required string with no validation constraints, consider restricting it to a predefined set of safe commands or validating against a pattern. The self-test caller currently uses a hardcoded trusted input, but this pattern should not be assumed for future callers.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 54-54: code injection via template expansion (template-injection): may expand into attacker-controllable code
(template-injection)
🤖 Prompt for AI Agents
Source: Linters/SAST tools