ci: add pnpm lockfile supply-chain audit gate#81

Merged
educlopez merged 1 commit into
mainfrom
ci/lockfile-audit
Jun 1, 2026

Conversation

@educlopez

@educlopez educlopez commented Jun 1, 2026

Owner

What

Adds a Lockfile Audit CI job that fails if pnpm-lock.yaml contains:

  • insecure http:// resolutions, or
  • exotic git / tarball / directory sources (registry-bypass).

Why

Closes the lockfile-validation gap (practices #6–8 of the supply-chain baseline). lockfile-lint only supports npm/yarn lockfiles — it errors on pnpm with Unable to find relevant lockfile parser for type "pnpm" — so this asserts the same invariants directly. Package integrity (SHA-512) and lockfile/manifest drift are already enforced by pnpm install --frozen-lockfile in the existing jobs.

Verification

Ran the gate locally against the current lockfile: pnpm-lock.yaml OK (0 insecure, 0 exotic), exit 0. YAML lints clean.

Summary by CodeRabbit

  • Chores
    • Strengthened CI/build pipeline with additional lockfile validation checks to ensure proper dependency management and security standards across the project.

lockfile-lint does not support pnpm lockfiles, so add a direct gate that
fails CI if pnpm-lock.yaml contains insecure http:// resolutions or exotic
git/tarball/directory sources. Package integrity (SHA-512) and lockfile
drift are already enforced via pnpm install --frozen-lockfile.
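The gate described above, as an added example that is not the PR's own CI step and not code from the smoothui repository: a POSIX shell audit that applies the same two invariants (no `http://` resolutions, no git/tarball/directory resolutions) to two constructed `pnpm-lock.yaml` samples. The function names (`audit_lockfile`, `count_insecure`, `count_exotic`, `write_clean_lockfile`, `write_tainted_lockfile`), both sample lockfiles and their `sha512-` integrity strings are assumptions made for this example; the resolution keys it greps for (`integrity`, `tarball`, `type: git`, `type: directory`) are the ones pnpm writes for those source types.

```shell
#!/bin/sh
# Added example, not the PR's own workflow step: a pnpm-lock.yaml audit that
# enforces the two invariants the gate describes. All names are chosen here.

# Number of lines that resolve over plaintext HTTP.
# The pattern cannot match "https://" because of where the colon sits.
count_insecure() {
  grep -c 'http://' "$1" || true
}

# Number of resolution entries that bypass the registry. pnpm records
# "type: git" for git deps, "type: directory" for link:/file: deps and a
# "tarball:" key for URL tarballs (and for packages from a non-default registry).
count_exotic() {
  grep -cE 'resolution: *\{[^}]*(type: *(git|directory)|tarball:)' "$1" || true
}

# Print every offending line, then a one-line summary; exit 0 only when clean.
audit_lockfile() {
  lockfile=$1
  if [ ! -f "$lockfile" ]; then
    echo "$lockfile: not found" >&2
    return 2
  fi
  insecure=$(count_insecure "$lockfile")
  exotic=$(count_exotic "$lockfile")
  grep -n 'http://' "$lockfile" | sed 's/^/insecure resolution at line /'
  grep -nE 'resolution: *\{[^}]*(type: *(git|directory)|tarball:)' "$lockfile" \
    | sed 's/^/registry bypass at line /'
  if [ "$insecure" -eq 0 ] && [ "$exotic" -eq 0 ]; then
    echo "$lockfile OK (0 insecure, 0 exotic)"
    return 0
  fi
  echo "$lockfile FAIL ($insecure insecure, $exotic exotic)"
  return 1
}

# Constructed sample: every package comes from the registry with an integrity
# hash. The sha512 values are placeholders, not real hashes.
write_clean_lockfile() {
  cat > "$1" <<'EOF'
lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      react:
        specifier: ^18.3.1
        version: 18.3.1

packages:

  js-tokens@4.0.0:
    resolution: {integrity: sha512-placeholderHashForJsTokensNotReal==}

  react@18.3.1:
    resolution: {integrity: sha512-placeholderHashForReactNotReal==}
    engines: {node: '>=0.10.0'}
EOF
}

# Constructed sample: one plaintext tarball URL (counts as insecure and as a
# tarball bypass), one git dependency and one directory dependency.
write_tainted_lockfile() {
  cat > "$1" <<'EOF'
lockfileVersion: '9.0'

packages:

  left-pad@1.3.0:
    resolution: {integrity: sha512-placeholderHashForLeftPadNotReal==, tarball: http://mirror.example.internal/left-pad/-/left-pad-1.3.0.tgz}

  evil-helper@https://github.com/example/evil-helper/tree/0123abc:
    resolution: {commit: 0123abc0123abc0123abc0123abc0123abc01234, repo: https://github.com/example/evil-helper.git, type: git}
    version: 1.0.0

  local-plugin@file:../local-plugin:
    resolution: {directory: ../local-plugin, type: directory}
EOF
}

# Stand-alone demo: audit both samples the way the CI job audits pnpm-lock.yaml.
demo_dir=$(mktemp -d)
write_clean_lockfile "$demo_dir/clean-lock.yaml"
write_tainted_lockfile "$demo_dir/tainted-lock.yaml"
for f in "$demo_dir/clean-lock.yaml" "$demo_dir/tainted-lock.yaml"; do
  if audit_lockfile "$f"; then echo "gate: pass"; else echo "gate: fail"; fi
done
rm -rf "$demo_dir"
```

One caveat a practitioner should keep in mind: pnpm also writes a `tarball:` key for packages fetched from a registry other than the default one, so a project on a private mirror needs an allowlist of registry hosts rather than a flat rejection of every `tarball:` entry. The gate is complementary to `pnpm install --frozen-lockfile`, which checks the `integrity` hashes and manifest drift but does not object to where a tarball came from.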
@vercel

vercel Bot commented Jun 1, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
smoothui Ignored Ignored Jun 1, 2026 9:34am


@coderabbitai

coderabbitai Bot commented Jun 1, 2026


Walkthrough

A new lockfile-audit CI job validates pnpm-lock.yaml before other workflow jobs run. It uses inline shell script checks to fail the build if any dependency resolution uses insecure http:// URLs or non-registry sources like tarball, git, or directory.

Changes

Lockfile audit CI validation

Layer / File(s) Summary
Lockfile audit job
.github/workflows/test.yml
New lockfile-audit job added to the workflow that runs before other jobs and validates pnpm-lock.yaml for insecure http:// resolutions and non-registry resolution types (tarball, git, directory), failing CI if either check finds matches.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • educlopez/smoothui#79: Migrates pnpm.overrides which affects lockfile resolution entries that the new lockfile-audit job validates.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: add pnpm lockfile supply-chain audit gate' accurately and concisely describes the main change: adding a CI job for supply-chain auditing of pnpm lockfiles.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (3)
.github/workflows/test.yml (3)

18-19: ⚖️ Poor tradeoff

Consider pinning checkout action and disabling credential persistence.

Static analysis flags two concerns:

  1. Action not pinned to a commit SHA (supply-chain risk)
  2. persist-credentials: false not set

However, these apply to all checkout steps in this file. For a security-focused audit job, pinning is more defensible, but changing just this job would be inconsistent with the rest of the workflow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 18 - 19, Update the Checkout step
that currently uses actions/checkout@v4 to use a pinned commit SHA instead of a
floating tag and add persist-credentials: false to the step; find the step with
name "Checkout" and the uses value "actions/checkout@v4" and replace the tag
with the specific commit SHA for actions/checkout and add the
persist-credentials: false input to the step, and then apply the same
pin+persist-credentials change consistently to all other checkout steps in the
workflow to avoid inconsistency.

14-16: ⚡ Quick win

Consider adding needs: [lockfile-audit] to downstream jobs for a true supply-chain gate.

Currently, lint, test, and build run in parallel with lockfile-audit. If the lockfile contains a malicious exotic/http source, those jobs may execute pnpm install before the audit fails. Adding needs: [lockfile-audit] to downstream jobs ensures no installs occur until the lockfile passes validation.

If parallel execution is intentional (since the workflow ultimately fails either way), this is fine as-is.

🔗 Proposed fix to gate downstream jobs
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    needs: [lockfile-audit]
     steps:
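Review bot: the hunk gates only `lint`, while the finding says all three jobs run `pnpm install` in parallel with the audit; `test` and `build` need the same `needs: [lockfile-audit]` edge in the same change, otherwise two of the three installs still happen before the audit can fail. Worth stating in the comment as well: a `needs` edge makes the downstream jobs skip rather than fail when the audit fails, so the red check lands on Lockfile Audit, which is also where the offending lockfile lines are printed, and the price is one extra serial job on every run.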

Apply similarly to test and build jobs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml around lines 14 - 16, Add an explicit dependency
on the lockfile-audit job so downstream jobs don’t run installs before the audit
completes: update the lint, test, and build job definitions to include needs:
[lockfile-audit] so the workflow ensures lockfile-audit finishes (and fails
early on invalid/malicious lockfile) before running the lint, test, or build
jobs.

14-14: ⚡ Quick win

Add explicit permissions for the supply-chain audit job.

Static analysis flags missing permissions. For a security-focused job, declaring minimal permissions reduces blast radius if the job were compromised.

🔒 Proposed fix to add permissions
   lockfile-audit:
     name: Lockfile Audit
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
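Review bot: a job-level `permissions:` block narrows the token for `lockfile-audit` only; every other job in test.yml keeps the workflow default, which is the same inconsistency the checkout-pin finding complains about. Since the audit is an inline shell script that only reads pnpm-lock.yaml, uploads no SARIF and requests no OIDC token, `contents: read` is the complete scope, and the `security-events: write` / `id-token: write` examples in the agent prompt below should not be copied in. A workflow-level `permissions:` with `contents: read` covers all jobs in one place and still lets a job that genuinely needs more request it explicitly.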
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yml at line 14, The lockfile-audit job is missing an
explicit permissions block; add a minimal permissions: mapping under the job
named "lockfile-audit" to declare least-privilege access for the supply-chain
audit (e.g., at minimum give contents: read and any tool-specific scopes
required such as security-events: write or id-token: write), ensuring you only
include the exact scopes the audit action needs; update the workflow so the
lockfile-audit job contains a top-level permissions: section with those minimal
entries.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ad47968-30b9-44a9-b606-2ca8e66f8edb

📥 Commits

Reviewing files that changed from the base of the PR and between 6928c0f and f31c929.

📒 Files selected for processing (1)
  • .github/workflows/test.yml
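The two checkout-hardening points raised in the review above (actions pinned to a commit SHA, `persist-credentials: false` on checkout), as an added example that is not part of the review and not the project's workflow: a shell/awk linter that walks a workflow file step by step and reports every `uses:` reference whose ref is not a 40-hex commit, plus every `actions/checkout` step that leaves credentials persisted. It goes a little beyond the review in that it checks every action, not only checkout. The function names (`audit_workflow`, `count_workflow_findings`, `write_weak_workflow`, `write_hardened_workflow`) and both sample workflows are constructed for this example; the weak sample mirrors the shape the review describes (`actions/checkout@v4`, no `permissions`, no `needs`), the hardened sample adds the `needs` and `permissions` the review proposes, and its 40-hex SHAs are placeholders, not real action commits. The parser is line based (one step per `- ` item, conventional indentation), not a YAML parser.

```shell
#!/bin/sh
# Added example, not the reviewer's or the project's code: a step-by-step
# workflow linter for the pinning and persist-credentials findings.

# Print one line per finding; exit 0 only when nothing is found.
audit_workflow() {
  awk '
    function flush() {
      if (uses == "") return
      n = split(uses, parts, "@")
      ref = parts[n]
      # Local (./path) and other @-less references carry no ref to pin.
      if (n >= 2 && !(length(ref) == 40 && ref ~ /^[0-9a-f]+$/)) {
        print "unpinned action at line " line ": " uses; bad++
      }
      if (uses ~ /^actions\/checkout@/ && !persist) {
        print "checkout persists credentials at line " line ": " uses; bad++
      }
      uses = ""
    }
    # A "- " item starts a new step: report the previous one, reset state.
    /^[[:space:]]*-[[:space:]]/ { flush(); persist = 0 }
    /^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]/ {
      sub(/^.*uses:[[:space:]]*/, "")     # keep only the reference
      sub(/[[:space:]]*#.*$/, "")          # drop a trailing version comment
      sub(/[[:space:]]+$/, "")
      uses = $0; line = NR
    }
    /persist-credentials:[[:space:]]*false/ { persist = 1 }
    END { flush(); exit (bad > 0) }
  ' "$1"
}

# Convenience for scripts and tests: number of findings in a file.
count_workflow_findings() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

# Constructed sample shaped like the workflow the review describes.
write_weak_workflow() {
  cat > "$1" <<'EOF'
name: Test
on: [push, pull_request]
jobs:
  lockfile-audit:
    name: Lockfile Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Audit lockfile
        run: ./scripts/audit-lockfile.sh
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - run: pnpm install --frozen-lockfile
EOF
}

# Constructed hardened sample: pinned SHAs (placeholders, not real commits),
# no persisted credentials, workflow-level read-only token, audit gating lint.
write_hardened_workflow() {
  cat > "$1" <<'EOF'
name: Test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  lockfile-audit:
    name: Lockfile Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - name: Audit lockfile
        run: ./scripts/audit-lockfile.sh
  lint:
    name: Lint
    runs-on: ubuntu-latest
    needs: [lockfile-audit]
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: pnpm/action-setup@fedcba9876543210fedcba9876543210fedcba98 # v4 (placeholder SHA)
      - run: pnpm install --frozen-lockfile
EOF
}

# Stand-alone demo: the weak file yields five findings, the hardened one none.
demo_dir=$(mktemp -d)
write_weak_workflow "$demo_dir/weak.yml"
write_hardened_workflow "$demo_dir/hardened.yml"
for f in "$demo_dir/weak.yml" "$demo_dir/hardened.yml"; do
  if audit_workflow "$f"; then echo "$f: clean"; else echo "$f: findings above"; fi
done
rm -rf "$demo_dir"
```

Run it over `.github/workflows/*.yml` in a pre-commit hook or as one more CI step; because it only reads files, it needs no token scope beyond `contents: read`. Pinning by SHA only helps if something also keeps the pin current, so pair it with a dependency-update bot that rewrites the SHA and the trailing version comment together.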

@educlopez educlopez merged commit ba5c1ae into main Jun 1, 2026
9 checks passed
@educlopez educlopez deleted the ci/lockfile-audit branch June 1, 2026 09:41