From 5e89e1bdb81f115f640746838cfc0ce41f5d4f49 Mon Sep 17 00:00:00 2001
From: Claire Song
Date: Thu, 21 May 2026 10:53:24 -0400
Subject: [PATCH] Add supply chain security defaults

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/label-merge-conflicts.yml | 1 +
 .github/workflows/sync.yaml | 2 ++
 .npmrc | 1 +
 .travis.yml | 2 ++
 4 files changed, 6 insertions(+)
 create mode 100644 .npmrc

diff --git a/.github/workflows/label-merge-conflicts.yml b/.github/workflows/label-merge-conflicts.yml
index afbcda0a1e5d..ebb380a9adfc 100644
--- a/.github/workflows/label-merge-conflicts.yml
+++ b/.github/workflows/label-merge-conflicts.yml
@@ -7,6 +7,7 @@ on:
   push:
     branches:
       - main
+  # TODO(supply-chain-security): Human review: this workflow uses pull_request_target; keep permissions minimal and do not check out or run untrusted PR code here.
   pull_request_target:
diff --git a/.github/workflows/sync.yaml b/.github/workflows/sync.yaml
index 52a41a63cf64..6e50f218adb0 100644
--- a/.github/workflows/sync.yaml
+++ b/.github/workflows/sync.yaml
@@ -1,6 +1,7 @@
 name: 'Upstream Sync'
 permissions:
+  # TODO(supply-chain-security): Human review: confirm this scheduled sync still requires contents: write and narrow if the sync action supports lower privileges.
   contents: write
 on:
@@ -12,6 +13,7 @@ on:
 jobs:
   sync_latest_from_upstream:
     permissions:
+      # TODO(supply-chain-security): Human review: confirm this job still requires contents: write for upstream sync.
       contents: write
     runs-on: ubuntu-latest
     name: Sync latest commits from upstream repo
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 000000000000..ec9e05d8a7bf
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=3
diff --git a/.travis.yml b/.travis.yml
index 259f683661a7..d4399bf7352c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,4 +5,6 @@ cache:
   directories:
     - "node_modules"
+install: npm ci
+
 script: npm run-script build
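Review bot: The TODO added above `pull_request_target:` documents the risk but enforces nothing: the hunk adds no `permissions:` block, so unless one exists elsewhere in the file the workflow still runs with the default token scopes that pull_request_target grants on the base repository. If there is no top-level grant, add one scoped to what labeling needs, `permissions:` / `  pull-requests: write`, with `contents` left at read or omitted, and resolve the comment instead of shipping an open review question in the workflow. The `on:` block continues past the end of the hunk, so the remaining trigger configuration cannot be checked here.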
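Review bot: The two TODOs in sync.yaml ask the same question and leave both grants in place, although the declarations are redundant with each other: a job-level `permissions:` block replaces the workflow-level one for that job, so the job's `contents: write` in the second hunk is what applies to sync_latest_from_upstream, and the workflow-level `contents: write` in the first hunk only matters for jobs that declare none. If this is the only job in the file, narrow the top-level block to `permissions:` / `  contents: read`, keep the write grant on the job, and drop the comments once the review they ask for is done. The job definition continues past the second hunk, so which action performs the push and whether it is pinned to a commit SHA is not visible here.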
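Review bot: `min-release-age=3` is honored only by npm clients that recognize the key; an older npm reads the file and ignores (or at most warns about) the unknown option, so the quarantine window this commit relies on depends on the npm version present on each developer machine and in CI, which nothing in the change pins. Add a comment beside the value, `# requires an npm that supports min-release-age; older clients ignore this key`, and consider declaring the minimum npm version under `engines` in package.json. Also confirm the unit the key expects and whether 3 is the intended window, since the value is short for a release quarantine.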
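Review bot: `install: npm ci` conflicts with the `node_modules` cache shown in the context lines above it: `npm ci` removes `node_modules` before installing, so the cached directory is restored and then discarded on every build. Replace the directory cache with Travis's package-manager cache, which keeps `~/.npm` instead, by changing the block to `cache: npm` and dropping the `directories:` / `- "node_modules"` lines. `npm ci` also fails when `package.json` and the lockfile disagree, which is the intended supply-chain check, so confirm the lockfile is committed to the repository.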