ci+deps: pin actions to SHA, fix OSV scanner, fix Pages asset path, update Angular to v22#16
Merged
Conversation
Pin every action to a full-length commit SHA (with a version comment) and bump to the latest release, hardening the supply chain against tag-mutation:

- actions/checkout v4 -> v6.0.3
- actions/setup-node v4 -> v6.4.0
- actions/configure-pages v5 -> v6.0.0
- actions/upload-pages-artifact v3 -> v5.0.0
- actions/deploy-pages v4 -> v5.0.0
- aquasecurity/trivy-action 0.28.0 -> v0.36.0
- github/codeql-action v3 -> v3.36.1
- google/osv-scanner-action v1.9.2 -> v2.3.8

Dependabot (github-actions ecosystem) will keep the SHAs current.
…b Pages /diff/ path)
Runs the official v22 migrations: adds explicit ChangeDetectionStrategy.Eager to the two components that relied on the implicit default, and the tsconfig extended-diagnostics opt-out. 91 tests pass; production build clean.
…HIGH/MEDIUM CVEs Transitive: lodash via @xml-tools/ast (CVE-2026-4800 HIGH), dompurify via monaco-editor (CVE-2026-0540 / CVE-2026-41238). npm overrides force the fixed versions; npm audit clean, 91 tests pass, build clean.
Summary
Hardens CI, fixes two failures/bugs, and updates Angular.
CI hardening
`# vX.Y.Z` comments) at the latest release — supply-chain hardening against tag mutation. (checkout v6.0.3, setup-node v6.4.0, configure-pages v6.0.0, upload-pages-artifact v5.0.0, deploy-pages v5.0.0, trivy-action v0.36.0, codeql-action v3.36.1, osv v2.3.8.)
`action.yml` (caused `Top level 'runs:' section is required`). Switched to OSV's recommended reusable workflow (`osv-scanner-reusable.yml`), pinned to SHA, `fail-on-vuln: false` so it reports to the Security tab without blocking.
Bug fix
`/assets/monaco/vs` (absolute from root), so on Pages (served under `/diff/`) it 404'd. Now resolved against `document.baseURI`, so it works under any deploy path.
Dependencies
`ng update` (official migrations: explicit `ChangeDetectionStrategy.Eager` on the two components that used the implicit default; tsconfig diagnostics opt-out). Requires Node ≥ 22.22.3 (CI's `node-version: 22` resolves to it).
Test plan
`/diff/assets/...`
🤖 Generated with Claude Code