chore(repo): supply-chain and CI/CD hardening -- part 2 [PLT-103649]

.claude/skills/harden-github-action/SKILL.md

@@ -22,7 +22,7 @@ Do **not** use this skill for:
 
 ## Repo Context
 
-- **Package manager**: pnpm 10.x
+- **Package manager**: pnpm 11.x
 - **Node version**: 22
 - **Workspaces**: Turborepo monorepo (`packages/`, `web-packages/`, `apps/`)
 - **Dual registry**: npm public + GitHub Packages (`@uipath` scope at `https://npm.pkg.github.com`)

.github/actions/install-node-deps/action.yml

@@ -27,5 +27,5 @@ runs:
     - name: Install dependencies
       shell: bash
       env:
-        NODE_AUTH_TOKEN: ${{ inputs.registry-token }}
+        GH_NPM_REGISTRY_TOKEN: ${{ inputs.registry-token }}
       run: pnpm install --frozen-lockfile

.github/dependabot.yml

@@ -16,9 +16,12 @@ updates:
       prefix: chore(deps)
       prefix-development: chore(deps-dev)
       include: scope
+    # Major version bumps handled manually — Dependabot only opens minor/patch PRs.
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major
     groups:
-      # Routine non-major updates bundled by dependency-type.
-      # Majors fall through and open individual PRs unless captured by a major-only group below.
       production-minor-patch:
         dependency-type: production
         update-types:
@@ -30,47 +33,15 @@ updates:
           - minor
           - patch
 
-      # Majors that MUST move together across the family (one PR per family).
-      mui-major:
-        patterns:
-          - "@mui/*"
-          - "@emotion/*"
-        update-types:
-          - major
-      lingui-major:
-        patterns:
-          - "@lingui/*"
-        update-types:
-          - major
-      tiptap-major:
-        patterns:
-          - "@tiptap/*"
-        update-types:
-          - major
-      storybook-major:
-        patterns:
-          - "storybook"
-          - "@storybook/*"
-        update-types:
-          - major
-      radix-ui-major:
-        patterns:
-          - "@radix-ui/*"
-        update-types:
-          - major
-      tanstack-major:
-        patterns:
-          - "@tanstack/*"
-        update-types:
-          - major
-
       # Bundle security PRs (otherwise each alert opens an individual PR).
       security:
         applies-to: security-updates
         patterns:
           - "*"
 
   # GitHub Actions — pinned by SHA, so updates come through as SHA bumps with tag-comment hints.
+  # Major version bumps are ignored here — handle manually one major at a time to avoid
+  # skipping intermediate releases and missing breaking changes or security fixes.
   - package-ecosystem: github-actions
     directory: /
     schedule:
@@ -85,6 +56,10 @@ updates:
     commit-message:
       prefix: chore(ci)
       include: scope
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major
     groups:
       actions-minor-patch:
         update-types:

.github/scripts/test-registry/pnpm-workspace-registry-test.yaml

@@ -0,0 +1,30 @@
+# pnpm workspace settings for isolated registry component test directories.
+# Copied verbatim into each temp dir by test-registry.ts and the prepare job in
+# apollo-vertex-registry-check.yml. Keep in sync with the relevant sections of
+# the root pnpm-workspace.yaml (overrides, packageExtensions, allowBuilds).
+#
+# Intentionally excludes: packages:, minimumReleaseAge*, blockExoticSubdeps,
+# auditConfig — those are irrelevant or break isolated installs.
+minimumReleaseAgeIgnoreMissingTime: true
+blockExoticSubdeps: true
+
+overrides:
+  shadcn: "4.4.0"       # pin to match pnpm dlx shadcn@4.4.0 — shadcn init calls pnpm add shadcn@latest internally
+
+# Link @standard-schema/spec@1.1.0 only into @tanstack/ai — NOT as a global override.
+# A global override would force @tanstack/react-db onto 1.1.0 too, changing its Context
+# generic constraint in a way that breaks Group/GroupMember from @uipath/vs-core.
+packageExtensions:
+  "@tanstack/ai":
+    dependencies:
+      "@standard-schema/spec": "^1.1.0"
+
+allowBuilds:
+  '@biomejs/biome': true
+  '@parcel/watcher': true
+  core-js: true
+  es5-ext: true
+  esbuild: true
+  msw: true
+  sharp: true
+  unrs-resolver: true   # native Rust resolver, required by Next.js 16

.github/scripts/test-registry/test-registry.ts

@@ -1,5 +1,5 @@
 import { execFileSync } from 'node:child_process';
-import { cpSync, mkdtempSync, readFileSync, rmSync } from 'node:fs';
+import { cpSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 
@@ -19,6 +19,14 @@ function testComponent(component: string, baseAppPath: string): TestResult {
       filter: (src) => !src.includes('node_modules'),
     });
 
+    // Copy the repo's pnpm-workspace.yaml so isolated test dirs resolve packages
+    // identically to the main workspace (overrides, packageExtensions, allowBuilds).
+    const testWorkspaceConfig = readFileSync(
+      new URL('pnpm-workspace-registry-test.yaml', import.meta.url),
+      'utf-8',
+    );
+    writeFileSync(join(testDir, 'pnpm-workspace.yaml'), testWorkspaceConfig);
+
     // Install dependencies in the temp directory.
     // No --frozen-lockfile: the shadcn-initialised app has no committed lockfile by design —
     // this test simulates a fresh consumer install to verify components resolve correctly.

.github/workflows/apollo-vertex-registry-check.yml

@@ -76,13 +76,17 @@ jobs:
           echo "result=${MATRIX}" >> "${GITHUB_OUTPUT}"
 
       - name: Create base shadcn app
-        run: cd ${{ runner.temp }} && pnpm dlx shadcn@4.4.0 init --preset a0 --template next --name minimal-app
+        run: |
+          cp .github/scripts/test-registry/pnpm-workspace-registry-test.yaml "$RUNNER_TEMP/pnpm-workspace.yaml"
+          cd "$RUNNER_TEMP" && pnpm dlx shadcn@4.4.0 init --preset a0 --template next --name minimal-app
 
       - name: Configure @uipath registry
         working-directory: ${{ runner.temp }}/minimal-app
         env:
           REGISTRY_URL: http://localhost:3000
-        run: ${{ github.workspace }}/node_modules/.bin/tsx ${{ github.workspace }}/.github/scripts/test-registry/configure-registry.ts
+        run: |
+          # shellcheck disable=SC2086
+          $GITHUB_WORKSPACE/node_modules/.bin/tsx $GITHUB_WORKSPACE/.github/scripts/test-registry/configure-registry.ts
 
       - name: Copy locales into base app
         run: cp -r apps/apollo-vertex/locales ${{ runner.temp }}/minimal-app/locales
@@ -124,6 +128,7 @@ jobs:
             .github/scripts/test-registry
             package.json
             pnpm-lock.yaml
+            pnpm-workspace.yaml
 
       - name: Setup pnpm
         uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4

.github/workflows/close-stale-prs.yml

@@ -26,13 +26,14 @@ jobs:
       pull-requests: write
     timeout-minutes: 10
     env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       GH_REPO: ${{ github.repository }}
       STALE_DAYS: '14'
       SKIP_LABEL: do-not-close
       DRY_RUN: ${{ inputs.dry_run }}
     steps:
       - name: Close PRs with no commits in 14+ days
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # We roll our own instead of actions/stale because staleness must be
           # measured from the PR's last commit (committer.date). actions/stale

.github/workflows/codeql.yml

@@ -63,6 +63,13 @@ jobs:
           category: /language:${{ matrix.language }}
           output: sarif-results
 
+      # GOVERNANCE: This step auto-dismisses any CodeQL alert that has a
+      # corresponding inline suppression comment (// codeql[query-id]) in source.
+      # That means a merged PR adding such a comment will silently dismiss the alert
+      # without a separate security review. Before merging any PR that adds a
+      # // codeql[...] suppression, a member of @UiPath/Apollo must confirm the
+      # suppression is justified. CODEOWNERS enforces this for .github/ changes;
+      # for source-file suppressions, reviewers must manually check.
       - name: Dismiss suppressed alerts
         if: github.ref == 'refs/heads/main' && matrix.language == 'javascript-typescript'
         uses: advanced-security/dismiss-alerts@3478381bd53e9f9a9ea1c23bd25ef0ec236e0d06 # v2

.github/workflows/commit-lint.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, edited, synchronize, reopened]
 
+concurrency:
+  group: commit-lint-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 

.github/workflows/dependency-review.yml

@@ -51,7 +51,7 @@ jobs:
 
       - name: Post or update PR comment
         if: github.event.pull_request.head.repo.fork == false
-        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const fs = require('fs');

.github/workflows/dev-cleanup.yml

@@ -58,17 +58,18 @@ jobs:
           PACKAGES=$(echo "$COMMENT" | grep -oE '\| `@uipath/[a-z0-9-]+@[0-9.]+-pr[0-9]+(\.[a-z0-9]+)?`' | sed 's/^| `//' | sed "s/\`\$//" | sort -u)
           # Use delimiter for GitHub output (newlines not supported)
           {
-            echo "packages<<EOF"
+            DELIM="PKGS_$(openssl rand -hex 8)"
+            echo "packages<<${DELIM}"
             echo "$PACKAGES"
-            echo "EOF"
+            echo "${DELIM}"
           } >> "$GITHUB_OUTPUT"
           echo "Found: $PACKAGES"
 
       - name: Cleanup dev packages
         if: steps.packages.outputs.packages != ''
         env:
           PACKAGES: ${{ steps.packages.outputs.packages }}
-          GH_NPM_REGISTRY_TOKEN: ${{ secrets.GH_NPM_REGISTRY_TOKEN }}
+          GH_NPM_REGISTRY_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
         run: |
           echo "Cleaning up dev packages..."

.github/workflows/dev-publish.yml

@@ -85,9 +85,10 @@ jobs:
           else
             {
               echo "has_previous=true"
-              echo "packages<<EOF"
+              DELIM="PKGS_$(openssl rand -hex 8)"
+              echo "packages<<${DELIM}"
               echo "$PUBLISHED"
-              echo "EOF"
+              echo "${DELIM}"
             } >> "$GITHUB_OUTPUT"
             echo "Found previous versions: $PUBLISHED"
           fi
@@ -142,9 +143,10 @@ jobs:
       - name: Create matrix
         id: matrix
         if: steps.changed.outputs.has_changes == 'true'
+        env:
+          PACKAGES: ${{ steps.changed.outputs.packages }}
         run: |
           # Convert space-separated list to compact JSON array
-          PACKAGES="${{ steps.changed.outputs.packages }}"
           MATRIX_JSON=$(echo "$PACKAGES" | jq -Rc 'split(" ") | map(select(length > 0))')
           echo "matrix=$MATRIX_JSON" >> "$GITHUB_OUTPUT"
           echo "Matrix: $MATRIX_JSON"
@@ -174,7 +176,7 @@ jobs:
       - name: Cleanup previous version
         env:
           PACKAGE_VERSION: ${{ matrix.package_version }}
-          GH_NPM_REGISTRY_TOKEN: ${{ secrets.GH_NPM_REGISTRY_TOKEN }}
+          GH_NPM_REGISTRY_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
         run: |
           if ! [[ "$PACKAGE_VERSION" =~ ^@uipath/[a-z0-9-]+@[0-9.]+-pr[0-9]+(\.[a-z0-9]+)?$ ]]; then
@@ -250,7 +252,7 @@ jobs:
         env:
           PACKAGE: ${{ matrix.package }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
-          GH_NPM_REGISTRY_TOKEN: ${{ secrets.GH_NPM_REGISTRY_TOKEN }}
+          GH_NPM_REGISTRY_TOKEN: ${{ secrets.RELEASE_TOKEN }}
           NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
         run: |
           SHORT_SHA="${GITHUB_SHA:0:7}"