
fix(deno): lock reward script dependencies and narrow run permission#1

Open · luojiyin1987 wants to merge 3 commits into main from fix/supply-chain-lock-deno-deps

Conversation

luojiyin1987 commented Jul 1, 2026

This project is primarily Node/VitePress; the Deno lock file only applies to the reward statistics script run in GitHub Actions.

Background

The Deno script invoked from `.github/workflows/statistic-member-reward.yml` pulls in two third-party packages, `web-utility` and `zx`, via the `npm:` specifier, but their versions were not locked and the script's permissions were too broad.

Problems

  • Every CI run resolves `npm:web-utility@*` and `npm:zx@*` from the npm registry, which is a supply-chain poisoning risk
  • The script has `--allow-run` (it can execute arbitrary commands) and `GH_TOKEN` (`contents: write`); if a dependency were poisoned the consequences would be severe
  • Previously, `web-utility@4.6.6` caused the script to error because its Parcel build output is incompatible with Deno's ESM resolution

Changes

| File | Change |
|---|---|
| `.github/scripts/count-reward.ts` | Import paths changed to `npm:web-utility@4.6.6/source/date` and `npm:zx@8.8.5`, pinning the versions explicitly |
| `.github/scripts/count-reward.deno.lock` | Added; locks only the Deno script's dependencies (42 lines) and sits in the same directory as the script |
| `.github/workflows/statistic-member-reward.yml` | Explicitly passes `--lock=.github/scripts/count-reward.deno.lock --no-config`; permission narrowed to `--allow-run=git,gh` |
| `deno.json` | Removed; the project is not a Deno project |
| `deno.lock` | Removed (moved under `.github/scripts/`) |

Follow-up suggestions

  • Configure Dependabot to update `count-reward.deno.lock` periodically
  • Consider upgrading `web-utility` to a non-deprecated version
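Added example (not the repository's workflow file, which this PR page does not reproduce): a GitHub Actions step reconstructed from the "Problems" section beside a hardened step built from the "Changes" table, so the two invocations can be compared line by line. The paths, the lock file, `--no-config`, `--frozen` and `--allow-run=git,gh` come from the PR thread; the `denoland/setup-deno` action, the `GITHUB_TOKEN` secret name and the `workflow_dispatch` trigger are assumptions.

```yaml
# Added example, not the repository's workflow. "Before" is reconstructed from the
# PR description's "Problems" section, "after" from its "Changes" table.
# Assumptions: the setup action, the secret name GITHUB_TOKEN, and the trigger.
name: Statistic member reward

on:
  workflow_dispatch:        # assumed; the real trigger is not shown on the PR page

permissions:
  contents: write           # the write scope the PR description says GH_TOKEN carries

jobs:
  count-reward:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: denoland/setup-deno@v2     # assumed setup action

      # BEFORE (the state the PR fixes): npm:web-utility@* and npm:zx@* are resolved
      # from the registry on every run, and a bare --allow-run lets the script, or a
      # poisoned dependency, spawn any command while GH_TOKEN has contents: write.
      # - name: Statistic rewards
      #   env:
      #     GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      #   run: deno run --allow-run .github/scripts/count-reward.ts

      # AFTER: versions pinned in the script's import specifiers, resolution bound to
      # a committed lock file next to the script, no deno.json discovery, and
      # subprocess execution limited to the two binaries the script actually needs.
      - name: Statistic rewards
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumed secret name
        run: >-
          deno run
          --lock=.github/scripts/count-reward.deno.lock
          --frozen
          --no-config
          --allow-run=git,gh
          .github/scripts/count-reward.ts
```

With `--frozen`, Deno refuses to run and exits non-zero when an import specifier no longer matches the lock file instead of silently rewriting it, so an upstream version change surfaces as a CI failure. `--allow-run=git,gh` is Deno's per-command allow-list: a dependency that tries to spawn anything else is denied. Any further permission the script turns out to need (env, read, net) should likewise be granted by name rather than with a bare `--allow-*`.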

coderabbitai bot commented Jul 1, 2026

Walkthrough

This change adds the --frozen flag to the Deno command in the "Statistic rewards" GitHub Actions workflow step and introduces a new count-reward task in deno.json that runs the same script with frozen dependencies and restricted permission flags.

Changes

Frozen Deno Execution Updates

| Layer / File(s) | Summary |
|---|---|
| Workflow and task configuration for frozen Deno run (`.github/workflows/statistic-member-reward.yml`, `deno.json`) | Workflow step adds `--frozen` to its Deno invocation; `deno.json` adds a `count-reward` task running the same script with `--frozen` and `--allow-*` permission flags. |

Estimated code review effort: 1 (Trivial) | ~3 minutes

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped because CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly reflects the main change: locking the Deno reward script workflow and tightening permissions. |

luojiyin1987 changed the title from "feat(deno): add deno.lock to lock dependencies and enable --frozen to prevent supply-chain attacks" to "fix(deno): lock reward script dependencies and narrow run permission" on Jul 1, 2026