Skip to content

wip: feat: chainguard lock#9685

Open
KenLSM wants to merge 7 commits into
developfrom
feat/chainguard-lock
Open

wip: feat: chainguard lock#9685
KenLSM wants to merge 7 commits into
developfrom
feat/chainguard-lock

Conversation

@KenLSM

@KenLSM KenLSM commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Problem

Closes [insert issue #]

Solution

Breaking Changes

  • Yes - this PR contains breaking changes
    • Details ...
  • No - this PR is backwards compatible

Features:

  • Details ...

Improvements:

  • Details ...

Bug Fixes:

  • Details ...

Before & After Screenshots

BEFORE:

AFTER:

Tests

Deploy Notes

New environment variables:

  • env var : env var details

New scripts:

  • script : script details

New dependencies:

  • dependency : dependency details

New dev dependencies:

  • dependency : dependency details

KenLSM and others added 5 commits June 30, 2026 17:38
… context

Defense-in-depth: Dockerfile.base supplies .npmrc via BuildKit secret mount
(reads runner FS, unaffected by .dockerignore), and Dockerfile.production
reuses base node_modules without installing. Excluding .npmrc from the build
context ensures a token'd .npmrc can never enter a COPY layer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@KenLSM KenLSM requested review from a team and Copilot June 30, 2026 09:41
@KenLSM KenLSM changed the title feat: chainguard lock wip: feat: chainguard lock Jun 30, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Chainguard (CGR) support to the repo’s dependency management by introducing a separate CGR-transformed lockfile flow and wiring CGR authentication into CI and Dependabot.

Changes:

  • Add a composite GitHub Action to authenticate to Chainguard and swap in a CGR lockfile during CI jobs.
  • Update CI to use the CGR setup action and enforce deterministic installs via pnpm install --frozen-lockfile.
  • Configure Dependabot to use the Chainguard npm registry, and add a helper script to regenerate the CGR lockfile.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/cgr/regen-lockfile.sh Adds a helper script to generate/update pnpm-lock.cgr.yaml from the public lockfile via chainctl.
.github/workflows/ci.yml Adds OIDC permissions, runs CGR setup in multiple jobs, and switches installs to --frozen-lockfile.
.github/dependabot.yml Configures Dependabot to use Chainguard’s npm registry as the base registry.
.github/actions/setup-cgr/action.yml New composite action to install/configure chainctl, write .npmrc, and swap in the CGR lockfile.
.dockerignore Excludes .npmrc from Docker build contexts.

Comment thread .github/actions/setup-cgr/action.yml
Comment thread .github/actions/setup-cgr/action.yml
permissions:
contents: read
packages: write
id-token: write

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is opening something that we previously hardened.

Previous workflow was that only deploy requires privileged access, to reduce attack surface during build time where we're installing / processing from less-known sources.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants