wip: feat: chainguard lock#9685
Open
KenLSM wants to merge 7 commits into
Open
Conversation
… context Defense-in-depth: Dockerfile.base supplies .npmrc via BuildKit secret mount (reads runner FS, unaffected by .dockerignore), and Dockerfile.production reuses base node_modules without installing. Excluding .npmrc from the build context ensures a token'd .npmrc can never enter a COPY layer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds Chainguard (CGR) support to the repo’s dependency management by introducing a separate CGR-transformed lockfile flow and wiring CGR authentication into CI and Dependabot.
Changes:
- Add a composite GitHub Action to authenticate to Chainguard and swap in a CGR lockfile during CI jobs.
- Update CI to use the CGR setup action and enforce deterministic installs via
pnpm install --frozen-lockfile. - Configure Dependabot to use the Chainguard npm registry, and add a helper script to regenerate the CGR lockfile.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/cgr/regen-lockfile.sh | Adds a helper script to generate/update pnpm-lock.cgr.yaml from the public lockfile via chainctl. |
| .github/workflows/ci.yml | Adds OIDC permissions, runs CGR setup in multiple jobs, and switches installs to --frozen-lockfile. |
| .github/dependabot.yml | Configures Dependabot to use Chainguard’s npm registry as the base registry. |
| .github/actions/setup-cgr/action.yml | New composite action to install/configure chainctl, write .npmrc, and swap in the CGR lockfile. |
| .dockerignore | Excludes .npmrc from Docker build contexts. |
KenLSM
commented
Jul 1, 2026
| permissions: | ||
| contents: read | ||
| packages: write | ||
| id-token: write |
Contributor
Author
There was a problem hiding this comment.
This is opening something that we previously hardened.
Previous workflow was that only deploy requires privileged access, to reduce attack surface during build time where we're installing / processing from less-known sources.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Closes [insert issue #]
Solution
Breaking Changes
Features:
Improvements:
Bug Fixes:
Before & After Screenshots
BEFORE:
AFTER:
Tests
Deploy Notes
New environment variables:
env var: env var detailsNew scripts:
script: script detailsNew dependencies:
dependency: dependency detailsNew dev dependencies:
dependency: dependency details