ci: harden workflow (#878)

sapphi-red · web-flow · commit 75e38ba11ce0 · 2025-09-19T14:57:10.000+09:00
diff --git a/.github/workflows/ci-rsc.yml b/.github/workflows/ci-rsc.yml
@@ -65,18 +65,26 @@ jobs:
       - name: install react
         if: ${{ matrix.react_version }}
         run: |
-          sed -i "/^overrides:/a\  react: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml
-          sed -i "/^overrides:/a\  react-dom: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml
-          sed -i "/^overrides:/a\  react-server-dom-webpack: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml
+          sed -i "/^overrides:/a\  react: \"$REACT_VERSION\"" pnpm-workspace.yaml
+          sed -i "/^overrides:/a\  react-dom: \"$REACT_VERSION\"" pnpm-workspace.yaml
+          sed -i "/^overrides:/a\  react-server-dom-webpack: \"$REACT_VERSION\"" pnpm-workspace.yaml
           pnpm i --no-frozen-lockfile
+        env:
+          REACT_VERSION: ${{ matrix.react_version }}
       - run: pnpm build
       - name: install rolldown
         if: ${{ matrix.rolldown }}
         run: |
           sed -i '/^overrides:/a\  vite: "npm:rolldown-vite@latest"' pnpm-workspace.yaml
           pnpm i --no-frozen-lockfile
-      - run: pnpm -C packages/plugin-rsc exec playwright install ${{ matrix.browser }}
-      - run: pnpm -C packages/plugin-rsc test-e2e-ci --project=${{ matrix.browser }}
+      - run: pnpm -C packages/plugin-rsc exec playwright install "$BROWSER_NAME"
+        shell: bash
+        env:
+          BROWSER_NAME: ${{ matrix.browser }}
+      - run: pnpm -C packages/plugin-rsc test-e2e-ci --project="$BROWSER_NAME"
+        shell: bash
+        env:
+          BROWSER_NAME: ${{ matrix.browser }}
       - uses: actions/upload-artifact@v4
         if: always()
         with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -24,6 +24,11 @@ jobs:
         with:
           node-version: 22
           registry-url: https://registry.npmjs.org/
+          # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning)
+          package-manager-cache: false
+
+      - name: Disallow installation scripts
+        run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml
 
       - name: Install deps
         run: pnpm install
@@ -59,7 +64,7 @@ jobs:
           tag-name: ${{ github.ref_name }}
 
       - if: steps.tag.outputs.isAlpha == 'false' && steps.tag.outputs.pkgName == 'plugin-rsc'
-        uses: yyx990803/release-tag@master
+        uses: yyx990803/release-tag@8cccf7c5aa332d71d222df46677f70f77a8d2dc0 # v1.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/release-continuous.yml b/.github/workflows/release-continuous.yml
@@ -26,6 +26,11 @@ jobs:
       - uses: actions/setup-node@v5
         with:
           node-version: lts/*
+          # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning)
+          package-manager-cache: false
+
+      - name: Disallow installation scripts
+        run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml
 
       - name: Install dependencies
         run: pnpm install
