The npm-package-blacklist security gate (scan the installed dependency tree for known-malicious packages) is currently duplicated inline in consumer repos. raindex PR #2739 (rainlanguage/raindex#2739) keeps it as an inline npm-blacklist: job and explicitly notes it is "intentionally kept out of the reusable". That rationale only justifies keeping it as a separate job from the vercel-deploy reusable; it does not justify copying the job inline into every consumer.
Current state
- The blacklist data is already shared: rainlanguage/github-chore/.github/actions/npm-blacklist bundles blacklist.txt and exposes a composite action (inputs: working-directory, additional-blacklist-file, additional-blacklist-pkgs, override-blacklist).
- The job that wires it up (checkout → nix-quick-install → cachix → cache-nix-action → install deps → call the action once per workspace package) is copy-pasted into each consumer. In raindex that is: nix develop .#wasm-shell -c npm install --no-check, then the action for ., packages/raindex and packages/ui-components.
Goal
Add a rainix-npm-blacklist.yaml reusable workflow (on: workflow_call) that owns the job boilerplate and is parameterized by the only consumer-specific bits:
- inputs
  install-command (string) — how to install deps (e.g. nix develop .#wasm-shell -c npm install --no-check).
  working-directories — the list of NPM project dirs to scan (default .).
- secret
  CACHIX_AUTH_TOKEN for the nix store cache.
The reusable does checkout + nix setup + cachix + nix-store cache + run install-command + run the github-chore npm-blacklist action across the given directories. Consumers then replace the entire inline job with a 4-line uses: rainlanguage/rainix/.github/workflows/rainix-npm-blacklist.yaml@main call.
This matches the "rainix owns shared CI (reusable workflows)" principle — the inline copy is exactly the drift the reusables exist to eliminate.
First consumer
Wire raindex #2739 (both vercel-prod.yaml and vercel-preview.yaml) to the new reusable, dropping the inline npm-blacklist job, once the reusable is on main.
Tracking PR: the rainix reusable, then the raindex wiring.