fix(ci): Replace npm install -g @go-task/cli with go-task/setup-task action to eliminate npm supply-chain risk; Use reusable CI actions from yscope-dev-utils; Bump actions/checkout to v6.0.2. #147
Description
Replace `npm install -g @go-task/cli` with `go-task/setup-task`

All CI workflows previously installed the Task runner via `npm install -g @go-task/cli`. `@go-task/cli` declares a transitive dependency on `axios: ^1.8.2`, and because global npm installs have no lock file, npm resolves to whatever the latest semver-compatible version is at install time.

During the axios supply-chain compromise on 2026-03-31, this caused CI runners to pull in the malicious `axios@1.14.1` package, which executed a post-install script that connected to an attacker-controlled C2 server.

The first commit replaces all occurrences of `npm install -g @go-task/cli` with the official `go-task/setup-task` GitHub Action, pinned by commit SHA. The action downloads the Task binary directly from GitHub Releases without involving npm, eliminating the transitive dependency on axios and the broader npm supply-chain attack surface.
Use reusable CI actions from `yscope-dev-utils`; Bump `actions/checkout` to v6.0.2

The second commit:
- Updates the `tools/yscope-dev-utils` submodule to `38bf51e`, which provides reusable GitHub Actions for CI setup.
- Replaces `actions/setup-python` and `go-task/setup-task` in `lint.yml` with the corresponding reusable actions from `tools/yscope-dev-utils/exports/github/actions/` (`install-python` and `install-go-task`). The `install-go-task` action also handles `coreutils` installation on macOS (for `md5sum`), so the standalone `brew install coreutils` step is removed.
- Pins `actions/checkout` to the commit SHA for v6.0.2 across all workflows (`build_wheels.yml` and `lint.yml`).

Checklist
- breaking change.
Validation performed
- No `npm install -g` commands remain in any workflow file.
- `3be4020d41929789a01026e0e427a4321ce0ad44` corresponds to `go-task/setup-task` v2.0.0.
- No unpinned `actions/checkout`, `actions/setup-python`, or `go-task/setup-task` references remain in any workflow file.
- The `install-go-task` reusable action includes the `coreutils` macOS installation step.
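As an added example (not code from PR #147 or from yscope-dev-utils), the script below reproduces the before/after workflow shape described in the first section with two constructed fragments and automates the first and third validation checks above: no global npm installs remain, and every third-party action reference is pinned to a full commit SHA. The only real SHA in it is the `go-task/setup-task` v2.0.0 commit quoted in this PR; the `actions/checkout` SHA is a placeholder, and the `./tools/...` path form for the reusable `install-go-task` action is an assumption about how `lint.yml` references it.

```shell
#!/bin/sh
# Added example; not part of PR #147 or of yscope-dev-utils.
# Writes two constructed workflow fragments (a "before" that installs Task
# through npm, an "after" that uses SHA-pinned actions) and runs two of the
# checks listed under "Validation performed": no global npm installs remain,
# and every third-party action reference is pinned to a full commit SHA.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed "before" fragment: Task comes from npm (no lock file, so the
# axios version is resolved at install time) and checkout is pinned to a tag.
cat > "$WORKDIR/before.yml" <<'EOF'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Task
        run: npm install -g @go-task/cli
EOF

# Constructed "after" fragment. 3be4020d... is the go-task/setup-task v2.0.0
# SHA quoted in the PR; the actions/checkout SHA below is a placeholder, not
# the real v6.0.2 commit. The local ./tools/... path form for the reusable
# install-go-task action is an assumption about how lint.yml references it.
cat > "$WORKDIR/after.yml" <<'EOF'
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v6.0.2 (placeholder SHA)
      - uses: go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44  # v2.0.0
      - uses: ./tools/yscope-dev-utils/exports/github/actions/install-go-task
EOF

# Number of global npm installs (`npm install -g`, `npm i --global`, ...) in a file.
count_global_npm_installs() {
    grep -cE 'npm[[:space:]]+(install|i)[[:space:]]+(-g|--global)' "$1" || true
}

# Number of `uses:` lines that are not pinned to a 40-hex commit SHA.
# Local actions (./path) are exempt: they are versioned with the repository.
count_unpinned_uses() {
    grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
        | grep -vE 'uses:[[:space:]]*\./' \
        | grep -vcE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Returns 0 when a file passes both checks, 1 otherwise (safe under set -e).
workflow_is_clean() {
    if [ "$(count_global_npm_installs "$1")" -ne 0 ]; then return 1; fi
    if [ "$(count_unpinned_uses "$1")" -ne 0 ]; then return 1; fi
    return 0
}

for f in "$WORKDIR/before.yml" "$WORKDIR/after.yml"; do
    if workflow_is_clean "$f"; then
        echo "clean:    $f"
    else
        echo "findings: $f (npm -g: $(count_global_npm_installs "$f"), unpinned: $(count_unpinned_uses "$f"))"
    fi
done
```

Point the loop at `.github/workflows/*.yml` to run it against a real checkout. The second validation item (that the pinned SHA really is the v2.0.0 tag) needs network access, e.g. `git ls-remote --tags https://github.com/go-task/setup-task`, so it is deliberately left out of this offline script.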