chore(security): harden shared publish workflow vs Mini Shai-Hulud#7
Merged
Conversation
…shai-hulud) Mitigations vs the Mini Shai-Hulud npm supply-chain campaign (2026-05-11) that hijacked TanStack/Mistral/UiPath/OpenSearch publish runners mid-OIDC flow and forged signed provenance attestations. - Pin actions/checkout, actions/setup-node, step-security/harden-runner to SHAs to defeat tag-rewrite attacks. - Add step-security/harden-runner with egress allowlist (blocks getsession.org, IMDS 169.254.169.254, vault.svc.cluster.local). - Pass --ignore-scripts to npm ci to block transitive postinstall scripts (the worm's vector). Our own publish lifecycle (prepublishOnly/prepack) still runs via npm publish. - Scope job permissions to contents: read + id-token: write only. - Drop redundant 'npm install' after 'npm ci'. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This was referenced May 12, 2026
Merged
This was referenced May 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the org-wide reusable publish workflow against the Mini Shai-Hulud npm supply-chain campaign (2026-05-11), which compromised TanStack/Mistral/UiPath/OpenSearch/Squawk by hijacking publish runners mid-OIDC and forging signed Sigstore provenance.
Audit on
~/.openclaw/workspace/.agents/STATE_mini_shai_hulud_audit_20260512150800.md. We are not breached — last brickhouse-tech publish (2026-04-04) predates the campaign by 5 weeks. This PR is preemptive hardening for the next publish.Changes
actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683(v4.2.2)actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e(v6.4.0)step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450(v2.19.1)step-security/harden-runnerwithegress-policy: block— denies exfil togetsession.org, IMDS169.254.169.254,vault.svc.cluster.local. Allowlist limited to npm registry, GitHub, sigstore, nodejs.org.npm ci --ignore-scripts— blocks transitive postinstall scripts (the worm's payload delivery). Our own publish lifecycle (prepublishOnly/prepack) still runs vianpm publishsince those are our package.json scripts, not deps'.contents: read+id-token: writeonly.npm installafternpm ci.Downstream
Callers
brickhouse-tech/angular.jsandbrickhouse-tech/json-schemacurrently pin@main→ SHA3c0bca8(the pre-hardening tip). After this PR merges, bump those pins to the new main SHA to inherit hardening.Test plan
workflow_dispatchtest) to verify the egress allowlist isn't too tightnpm ci --ignore-scriptsstill resolves our deps cleanly (no native build deps require lifecycle in current LTS packages)Sources
🤖 Generated with Claude Code