From 806d6e073f28b1e4e0314ef903eeb99151bb5031 Mon Sep 17 00:00:00 2001 From: David Stone Date: Mon, 8 Jun 2026 07:41:34 -0700 Subject: [PATCH 1/2] chore(pnpm): switch to corepack and pin pnpm 11.5.2 Replace languages.javascript.pnpm.enable with corepack.enable in devenv.nix and add packageManager "pnpm@11.5.2" to the root package.json so pnpm 11 is used consistently locally and in CI. Lockfile remains lockfileVersion 9.0. Co-Authored-By: Claude Opus 4.8 (1M context) --- devenv.nix | 2 +- package.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/devenv.nix b/devenv.nix index dfe60e23..93ae5459 100644 --- a/devenv.nix +++ b/devenv.nix @@ -14,7 +14,7 @@ languages.javascript.enable = true; languages.javascript.package = pkgs.nodejs_24; - languages.javascript.pnpm.enable = true; + languages.javascript.corepack.enable = true; packages = [ pkgs.rustup # not actually using rustup, but the cdk builder expects it diff --git a/package.json b/package.json index f7ec7fc7..5d9482f3 100644 --- a/package.json +++ b/package.json @@ -3,6 +3,7 @@ "private": true, "version": "1.0.0", "description": "", + "packageManager": "pnpm@11.5.2", "scripts": { "deploy": "pnpm --filter trashcal-cdk run deploy", "smoke": "pnpm --filter trashcal-cdk run smoke" From 17cfcfd39cdac710d8dc5019c1e756bb0fa0e1a6 Mon Sep 17 00:00:00 2001 
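Review bot: The new `"packageManager": "pnpm@11.5.2"` entry in package.json pins a version but not the artifact, so the first `pnpm` call in a fresh devenv shell or CI runner has corepack fetch 11.5.2 from the npm registry and the archive's identity comes from whatever the registry serves at that moment rather than from the repository. corepack accepts an integrity suffix in this field, `"packageManager": "pnpm@11.5.2+sha512.<integrity hash>"` (the form `corepack use pnpm@11.5.2` writes), and then rejects a download whose hash differs. Because devenv.nix now enables corepack instead of the nixpkgs-provided pnpm, the package manager presumably leaves the Nix closure, making that committed hash the only reproducibility anchor for the tool; worth confirming how the deploy workflow enters the devenv shell before relying on it.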
From: David Stone Date: Mon, 8 Jun 2026 07:42:37 -0700 Subject: [PATCH 2/2] ci: harden workflows with SHA-pinned actions, concurrency, and timeouts Pin every action to a commit SHA with a version comment, add job timeout-minutes, and add a standard concurrency group to the Rust workflow. The deploy workflow keeps its dedicated serialized "deploy" concurrency group (cancel-in-progress: false) and remains gated to push/main + workflow_dispatch, so it does not run on pull requests. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/deploy.yml | 9 +++++---- .github/workflows/rust.yml | 11 ++++++++--- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 4189e732..e1bc6a0e 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -16,6 +16,7 @@ concurrency: jobs: run-cdk-deploy: runs-on: ubuntu-latest + timeout-minutes: 30 defaults: run: @@ -23,13 +24,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Nix - uses: cachix/install-nix-action@v31 + uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Set up devenv cache - uses: cachix/cachix-action@v16 + uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16 with: name: devenv @@ -38,7 +39,7 @@ jobs: run: nix profile add nixpkgs#devenv - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0 with: role-to-assume: ${{ secrets.ASSUME_ROLE }} aws-region: us-west-2 diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 3465be0a..f67d2369 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml 
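Review bot: The pin comment on the cachix/cachix-action step, `# v16`, names a floating major tag rather than a release, unlike the `# v6.0.3`, `# v31.10.6` and `# v6.2.0` comments beside the other three pins in this workflow, so the comment cannot later be checked against the immutable SHA it sits next to; it should read `# v16.<patch release the SHA was taken from>`. The same `# v16` comment appears in the rust.yml hunk of this patch. GitHub does not verify that a trailing comment matches the commit, so each SHA-to-tag pairing is worth confirming against the upstream release once, and a `.github/dependabot.yml` entry for the `github-actions` ecosystem (or Renovate) would keep SHA and comment updated together instead of letting the pins go stale. The `steps:` list these pins belong to continues outside the hunk.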
@@ -11,9 +11,14 @@ on: env: CARGO_TERM_COLOR: always +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + jobs: build: runs-on: ubuntu-latest + timeout-minutes: 30 defaults: run: @@ -21,13 +26,13 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Nix - uses: cachix/install-nix-action@v31 + uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6 - name: Set up devenv cache - uses: cachix/cachix-action@v16 + uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16 with: name: devenv