Conversation


@coliff coliff commented Nov 14, 2025

This pull request makes several improvements to the project's GitHub Actions workflows, focusing on enhanced security, up-to-date dependencies, and improved supply chain analysis. The main changes include updating action versions to specific commit SHAs for better security, adding a new workflow for OSSF Scorecard analysis, and making minor configuration improvements across workflows.

Security and Dependency Updates:

  • Updated all occurrences of actions/checkout, actions/setup-node, and other major GitHub Actions to reference specific commit SHAs instead of floating version tags, improving supply chain security and build reproducibility. (.github/workflows/build.yml, .github/workflows/codeql-analysis.yml, .github/workflows/dependency-review.yml, .github/workflows/npm-publish.yml, .github/workflows/super-linter.yml, .github/workflows/test.yml) [1] [2] [3] [4] [5] [6] [7]

  • Set persist-credentials: false for all actions/checkout steps to reduce the risk of leaking repository credentials in workflow runs. [1] [2] [3] [4] [5] [6] [7]

Supply Chain Security:

  • Added a new .github/workflows/ossf-scorecard.yml workflow to automatically run OSSF Scorecard supply chain security analysis on the repository, with results uploaded as SARIF files and published to GitHub code scanning.

Linter and Quality Tooling:

  • Upgraded super-linter to a specific commit SHA, and disabled Biome and other unneeded validators for more focused linting.

Workflow File Improvements:

  • Renamed .github/workflows/npmpublish.yml to .github/workflows/npm-publish.yml for consistency and clarity. [1] [2]
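The two controls this pull request applies to every workflow, pinning each `uses:` reference to a full commit SHA and setting `persist-credentials: false` on every `actions/checkout` step, are easy to regress in a later edit. The following audit script is an added example and not part of this repository or the pull request: it checks a workflow body for both controls. The sample workflow text is constructed for the example; the `actions/checkout` SHA and `# v5.0.0` comment are taken from the PR diff, while the `actions/setup-node` SHA is an obviously fake placeholder, not a real commit.

```python
import re

# Constructed sample: the "before" form, with floating version tags and no
# persist-credentials setting on the checkout step.
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: 20
"""

# Constructed sample: the "after" form. The checkout SHA/tag pair is the one
# shown in the PR diff; the setup-node SHA is a placeholder (40 zeros), not a
# real commit, and would be replaced by the SHA of the tag you intend to pin.
AFTER = """\
steps:
  - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    with:
      persist-credentials: false
  - uses: actions/setup-node@0000000000000000000000000000000000000000 # vX.Y.Z placeholder
    with:
      node-version: 20
"""

# Matches `- uses: owner/repo@ref` or `uses: owner/repo@ref`; the ref stops at
# whitespace or the trailing `# vX.Y.Z` comment. Local path actions (no `@`)
# and docker:// references are intentionally not matched.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?)uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
)
# A full 40-hex commit SHA; anything else (tag, branch, short SHA) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def _step_keys(lines, uses_index, key_indent):
    """Yield the lines belonging to the same step as the `uses:` line.

    A step's own keys (`with:`) sit at the same indent as the `uses:` keyword
    and their values deeper; the next list item or the end of `steps:` is
    less indented, which ends the scan.
    """
    for line in lines[uses_index + 1:]:
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent < key_indent:
            break
        yield line


def audit_workflow(text):
    """Return (line number, message) findings for a workflow body.

    Check 1: every external action reference is pinned to a commit SHA.
    Check 2: every actions/checkout step sets persist-credentials: false.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        lineno = i + 1
        if not SHA_RE.match(ref):
            findings.append(
                (lineno, f"{action} pinned to mutable ref '{ref}', not a commit SHA")
            )
        if action == "actions/checkout":
            key_indent = len(m.group("prefix"))
            disabled = any(
                PERSIST_FALSE_RE.match(step_line)
                for step_line in _step_keys(lines, i, key_indent)
            )
            if not disabled:
                findings.append(
                    (lineno, "actions/checkout step does not set persist-credentials: false")
                )
    return findings


if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for lineno, msg in audit_workflow(body) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Running the script reports three findings for the "before" form (two unpinned refs and the checkout step that leaves the token in `.git/config`) and none for the "after" form. The trailing `# v5.0.0` comment is deliberately left out of the match so the SHA, not the human-readable tag, is what the check accepts.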

@coliff coliff added the github_actions Pull requests that update Github_actions code label Nov 14, 2025
@coliff coliff requested a review from Copilot November 14, 2025 14:33
Copilot finished reviewing on behalf of coliff November 14, 2025 14:35

Copilot AI left a comment

Pull Request Overview

This pull request enhances GitHub Actions workflows with improved security practices and supply chain analysis capabilities. The main focus is on pinning action versions to specific commit SHAs and adding credential protection across all workflows.

  • Updated all GitHub Actions references to use commit SHAs instead of version tags for better supply chain security
  • Added persist-credentials: false to all checkout steps to prevent credential leakage
  • Introduced OSSF Scorecard workflow for automated supply chain security analysis

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • .github/workflows/test.yml: Updated checkout and setup-node actions to pinned SHA versions
  • .github/workflows/super-linter.yml: Pinned actions to SHAs, added persist-credentials, disabled Biome validators
  • .github/workflows/ossf-scorecard.yml: New workflow for OSSF Scorecard supply-chain security analysis
  • .github/workflows/npm-publish.yml: Pinned actions to SHAs and added persist-credentials for both build and publish jobs
  • .github/workflows/dependency-review.yml: Updated actions to SHA pins and added persist-credentials
  • .github/workflows/codeql-analysis.yml: Upgraded CodeQL actions to v4 with SHA pinning and added persist-credentials
  • .github/workflows/build.yml: Pinned actions to SHAs and added persist-credentials


Comment on lines 23 to +26
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- uses: actions/checkout@v4
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
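Review bot: the checkout step at the end of this hunk (`- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`) still sits after the cache step whose `key` hashes `**/package-lock.json`, so that hash is computed before the repository exists in the workspace; move the checkout above the cache step. The PR description states that every `actions/checkout` step gets `persist-credentials: false`, but the lines shown here carry no `with:` block for this step, so add it here too. Keep the `# v5.0.0` comment next to the SHA, since that tag comment is what dependency-update tooling uses to keep the pinned SHA and the version in step.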
Copilot AI Nov 14, 2025

The actions/cache step is referencing the cache before the repository is checked out. The actions/checkout step should be executed before the cache step, as the cache relies on the repository being available to hash package-lock.json. Please move the checkout step (line 26) to before line 23.

Member Author

cc @roblarsen - take a look at this...

- Use Pinned SHA1 for improved security
- Update super-linter.yml
- Add OSSF Scorecard

Update GitHub Actions workflow formatting and linter config

Standardized YAML formatting in ossf-scorecard workflow and adjusted the order and inclusion of linter validation variables in super-linter.yml, including the addition of VALIDATE_GITHUB_ACTIONS_ZIZMOR.

Co-Authored-By: Copilot <[email protected]>
@coliff coliff force-pushed the dev/cliff/github-actions-update branch from 47b76a0 to a389000 Compare November 14, 2025 14:43
@coliff coliff requested a review from roblarsen November 14, 2025 14:43