Skip to content

ci(deps): add lockfile-integrity gate (npm ci in node:22-alpine)#104

Merged
strausmann merged 1 commit into
mainfrom
ci/harden-lockfile-gate
Jul 17, 2026
Merged

ci(deps): add lockfile-integrity gate (npm ci in node:22-alpine)#104
strausmann merged 1 commit into
mainfrom
ci/harden-lockfile-gate

Conversation

@strausmann

Copy link
Copy Markdown
Owner

Why

The build job runs npm ci on the runner's npm, which happily validated a lockfile that the release image build (node:22-alpine, npm 10.9.8) then rejected with EUSAGE — so v1.8.0/1.8.1/1.8.2 tagged but produced no Docker image, invisible until release time.

What

New lockfile-integrity job: npm ci inside node:22-alpine (the exact prod npm), no layer cache, so an install/ci inconsistency fails on every PR instead of silently at release.

Part of the CI-hardening follow-up. Next: branch protection requiring build (22), docker, lockfile-integrity, GitGuardian.

Refs #69

The build job's `npm ci` runs on the runner's npm, which validated a
broken lockfile that the release image build (node:22-alpine, npm
10.9.8) then rejected — v1.8.0-1.8.2 tagged but shipped no image.

Add a dedicated job that runs `npm ci` inside node:22-alpine (the exact
prod npm) with no layer cache, so any install/ci lockfile inconsistency
fails on the PR instead of silently at release time.

Refs #69
Copilot AI review requested due to automatic review settings July 17, 2026 10:12
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@strausmann
strausmann merged commit 9f0da7c into main Jul 17, 2026
5 checks passed

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens CI by adding a dedicated gate that verifies package-lock.json is installable with the same npm/runtime environment used by the production Docker build (node:22-alpine), preventing “passes CI but fails during release image build” scenarios.

Changes:

  • Add a new lockfile-integrity job that runs npm ci inside node:22-alpine (no Docker layer cache involved).
  • Keep existing build and docker jobs intact while extending coverage to lockfile/prod-npm parity.

Comment thread .github/workflows/ci.yml
Comment on lines +73 to +74
- name: npm ci in production image (node:22-alpine)
run: docker run --rm -v "$PWD":/app -w /app node:22-alpine npm ci --no-audit --no-fund
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 1.9.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants