feat: modernize build and harden CI #10

Merged: kelsos merged 5 commits into main from feat/modernize-build, Apr 9, 2026
@kelsos kelsos commented Apr 9, 2026

Summary

  • CI hardening: Pin all GitHub Actions to SHA digests, add least-privilege permissions, concurrency groups, and simplify caching via setup-node's built-in pnpm cache
  • pnpm workspace hardening: Add pnpm-workspace.yaml with blockExoticSubdeps, strictDepBuilds, trustPolicy, saveExact
  • Renovate: Add :pinAllExceptPeerDependencies, helpers:pinGitHubActionDigests, and 7-day minimum release age
  • Drop eslint-plugin-github: Browser-oriented rules not applicable to a Node action, and causes exotic subdep issues with pnpm hardening
  • Upgrade to @rotki/eslint-config v5 and @rotki/eslint-plugin 1.3.2
  • Modernize build: Replace @vercel/ncc (webpack) with Rollup, ESM output, ES2022 target, Bundler module resolution
  • Upgrade @actions/core to v3
  • Update all patch/minor deps and bump bumpp to v11, pnpm to 10.33.0

Test plan

  • pnpm run all passes (build, lint, package, test)
  • CI workflows run successfully
  • uses: ./ integration test passes in CI

Pin all actions to commit SHAs, update pnpm/action-setup to v5 and
upload-artifact to v7, add least-privilege permissions, concurrency
groups, and simplify caching via setup-node's built-in pnpm cache.
Also pin changelogithub to v14.0.0 and enable pinGitHubActionDigests
in Renovate.

@kelsos kelsos requested a review from a team as a code owner April 9, 2026 12:06

@github-advanced-security
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kelsos kelsos force-pushed the feat/modernize-build branch 2 times, most recently from e713362 to 79c4e21 April 9, 2026 12:21

kelsos added 4 commits April 9, 2026 14:26

Add pnpm-workspace.yaml with security hardening (blockExoticSubdeps,
strictDepBuilds, trustPolicy, saveExact) and update Renovate to pin
all dependencies and enforce 7-day minimum release age.

Replace @vercel/ncc (webpack) with Rollup for bundling. Switch to ESM
with "type": "module", update tsconfig to ES2022 target with Bundler
module resolution, and upgrade @actions/core to v3. Remove intermediate
lib/ build step — Rollup bundles directly from TypeScript source.

@kelsos kelsos force-pushed the feat/modernize-build branch from 79c4e21 to 3adfda9 April 9, 2026 12:27
@kelsos kelsos merged commit 3adfda9 into main Apr 9, 2026
7 checks passed
@kelsos kelsos deleted the feat/modernize-build branch April 9, 2026 12:31
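
The first CI-hardening item in the PR summary (actions pinned to SHA digests, explicit least-privilege permissions) can be checked mechanically. The following is an added example, not code from this pull request or the project; `auditWorkflow`, the sample workflow and its placeholder SHA are constructed for illustration.

```javascript
// Added example: line-based lint of a GitHub Actions workflow (no YAML parser).
// Flags `uses:` refs not pinned to a full commit SHA and a missing `permissions:` key.
const FULL_SHA = /^[0-9a-f]{40}$/;

function auditWorkflow(text) {
  const findings = [];
  let hasPermissions = false;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, ''); // drop trailing comments such as "# v4.2.2"
    if (/^\s*permissions\s*:/.test(line)) hasPermissions = true; // workflow- or job-level
    const m = line.match(/^\s*(?:-\s*)?uses\s*:\s*['"]?([^'"\s]+)['"]?\s*$/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./')) return; // local action: versioned with the repo itself
    if (ref.startsWith('docker://')) {
      if (!/@sha256:[0-9a-f]{64}$/.test(ref))
        findings.push({ line: i + 1, ref, issue: 'docker image not pinned to digest' });
      return;
    }
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) // tags, branches and short SHAs are all mutable or ambiguous
      findings.push({ line: i + 1, ref, issue: 'action not pinned to full commit SHA' });
  });
  if (!hasPermissions)
    findings.push({ line: 0, ref: null, issue: 'no explicit permissions block' });
  return findings;
}

// Constructed sample input; the 40-character SHA is a placeholder, not a real commit.
const SAMPLE = `
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@${'a'.repeat(40)} # v4 (placeholder SHA)
      - uses: ./
`;

console.log(auditWorkflow(SAMPLE));
```

The check only confirms that a `permissions:` key exists somewhere in the file; whether the granted scopes are minimal still needs review.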