[PR #113] [MERGED] harden CI workflows: frozen-lockfile, checksum verification #321

New issue

Closed

opened 2026-05-06 12:39:11 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:11 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/113
Author: @threepointone
Created: 2/26/2026
Status: ✅ Merged
Merged: 2/26/2026
Merged by: @threepointone

Base: main ← Head: fix/ci-supply-chain-hardening

📝 Commits (1)

5f0ad75 harden CI workflows: frozen-lockfile, checksum verification

📊 Changes

4 files changed (+9 additions, -8 deletions)

View changed files

📝 .github/workflows/benchmarks.yml (+2 -1)
📝 .github/workflows/ci.yml (+5 -5)
📝 .github/workflows/deploy-examples.yml (+1 -1)
📝 .github/workflows/preview-release.yml (+1 -1)

📄 Description

Supply-chain hardening for CI workflows

Add --frozen-lockfile to all pnpm install calls in ci.yml, deploy-examples.yml, benchmarks.yml, preview-release.yml — ensures reproducible builds and prevents silent dependency drift between runs
Add SHA256 checksum verification for the hyperfine .deb download in benchmarks.yml — defense-in-depth against tampered binaries

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/113 **Author:** [@threepointone](https://github.com/threepointone) **Created:** 2/26/2026 **Status:** ✅ Merged **Merged:** 2/26/2026 **Merged by:** [@threepointone](https://github.com/threepointone) **Base:** `main` ← **Head:** `fix/ci-supply-chain-hardening` --- ### 📝 Commits (1) - [`5f0ad75`](https://github.com/cloudflare/vinext/commit/5f0ad7549c6ca831603692d8c1a5bb477cbf81c2) harden CI workflows: frozen-lockfile, checksum verification ### 📊 Changes **4 files changed** (+9 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/benchmarks.yml` (+2 -1) 📝 `.github/workflows/ci.yml` (+5 -5) 📝 `.github/workflows/deploy-examples.yml` (+1 -1) 📝 `.github/workflows/preview-release.yml` (+1 -1) </details> ### 📄 Description ## Supply-chain hardening for CI workflows - **Add `--frozen-lockfile`** to all `pnpm install` calls in `ci.yml`, `deploy-examples.yml`, `benchmarks.yml`, `preview-release.yml` — ensures reproducible builds and prevents silent dependency drift between runs - **Add SHA256 checksum verification** for the hyperfine `.deb` download in `benchmarks.yml` — defense-in-depth against tampered binaries --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>