From 8b53341fa6669846f3d6b923f4dada726553d25e Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Fri, 19 Sep 2025 13:50:53 +0900 Subject: [PATCH 1/5] ci: disable pnpm cache when publishing --- .github/workflows/publish.yml | 2 ++ .github/workflows/release-continuous.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d76cbcd3..10d6698c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -24,6 +24,8 @@ jobs: with: node-version: 22 registry-url: https://registry.npmjs.org/ + # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning) + package-manager-cache: false - name: Install deps run: pnpm install diff --git a/.github/workflows/release-continuous.yml b/.github/workflows/release-continuous.yml index cd384694..06759dea 100644 --- a/.github/workflows/release-continuous.yml +++ b/.github/workflows/release-continuous.yml @@ -26,6 +26,8 @@ jobs: - uses: actions/setup-node@v5 with: node-version: lts/* + # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning) + package-manager-cache: false - name: Install dependencies run: pnpm install From fbd64c52c8de779a30af85087faa214cdc434005 Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Fri, 19 Sep 2025 13:51:51 +0900 Subject: [PATCH 2/5] ci: pin yyx990803/release-tag --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 10d6698c..42af9ff5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
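Review bot: In the release-continuous.yml hunk the context line `uses: actions/setup-node@v5` still references a movable tag, while a later patch in this series pins `yyx990803/release-tag` to a commit SHA. A retargeted action tag matters most in a workflow that publishes packages, so pin it the same way: `uses: actions/setup-node@<full-commit-sha> # v5`. The `uses:` line of the setup-node step in publish.yml is outside its hunk, so the same check applies there if it is also tag-referenced. `package-manager-cache: false` only turns off setup-node's own caching, so any other cache-restoring step in these jobs (not visible here) would need the same review.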
@@ -61,7 +61,7 @@ jobs: tag-name: ${{ github.ref_name }} - if: steps.tag.outputs.isAlpha == 'false' && steps.tag.outputs.pkgName == 'plugin-rsc' - uses: yyx990803/release-tag@master + uses: yyx990803/release-tag@8cccf7c5aa332d71d222df46677f70f77a8d2dc0 # v1.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From 3e3af0c9768d407a391e6c445467d1fb9b04cd9a Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Fri, 19 Sep 2025 14:08:27 +0900 Subject: [PATCH 3/5] ci: avoid interpolation --- .github/workflows/ci-rsc.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-rsc.yml b/.github/workflows/ci-rsc.yml index e9b5b934..fce3897e 100644 --- a/.github/workflows/ci-rsc.yml +++ b/.github/workflows/ci-rsc.yml 
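Review bot: The pinned step still passes `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to a third-party action, and the job's `permissions:` block is outside this hunk, so the token's scope cannot be confirmed from here. If the job does not already declare one, limit it to what creating a release needs, presumably `permissions:` with `contents: write` at job level (confirm against the action's requirements). A SHA pin also goes stale silently, so a Dependabot or Renovate entry for the `github-actions` ecosystem would keep the hash and the `# v1.0.0` comment in step.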
@@ -65,18 +65,24 @@ jobs: - name: install react if: ${{ matrix.react_version }} run: | - sed -i "/^overrides:/a\ react: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml - sed -i "/^overrides:/a\ react-dom: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml - sed -i "/^overrides:/a\ react-server-dom-webpack: \"${{ matrix.react_version }}\"" pnpm-workspace.yaml + sed -i "/^overrides:/a\ react: \"$REACT_VERSION\"" pnpm-workspace.yaml + sed -i "/^overrides:/a\ react-dom: \"$REACT_VERSION\"" pnpm-workspace.yaml + sed -i "/^overrides:/a\ react-server-dom-webpack: \"$REACT_VERSION\"" pnpm-workspace.yaml pnpm i --no-frozen-lockfile + env: + REACT_VERSION: ${{ matrix.react_version }} - run: pnpm build - name: install rolldown if: ${{ matrix.rolldown }} run: | sed -i '/^overrides:/a\ vite: "npm:rolldown-vite@latest"' pnpm-workspace.yaml pnpm i --no-frozen-lockfile - - run: pnpm -C packages/plugin-rsc exec playwright install ${{ matrix.browser }} - - run: pnpm -C packages/plugin-rsc test-e2e-ci --project=${{ matrix.browser }} + - run: pnpm -C packages/plugin-rsc exec playwright install "$BROWSER_NAME" + env: + BROWSER_NAME: ${{ matrix.browser }} + - run: pnpm -C packages/plugin-rsc test-e2e-ci --project="$BROWSER_NAME" + env: + BROWSER_NAME: ${{ matrix.browser }} - uses: actions/upload-artifact@v4 if: always() with: From 3d829e3d990f72e4a7297ea8fa4adec00fe3a560 Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Fri, 19 Sep 2025 14:12:53 +0900 Subject: [PATCH 4/5] ci: disallow installation scripts before publish --- .github/workflows/publish.yml | 3 +++ .github/workflows/release-continuous.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 42af9ff5..d5f03c74 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
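Review bot: In the `install react` step, `$REACT_VERSION` is still expanded inside the double-quoted sed script, so the value no longer reaches the shell as code but is still spliced into sed's `a` text and then into YAML. A value containing `"` or `\` would produce a malformed `overrides` entry. The matrix is defined in the workflow, so the risk is low, but passing the value as data removes the quoting problem entirely, e.g. `yq -i '.overrides.react = strenv(REACT_VERSION)' pnpm-workspace.yaml` for each of the three keys (assuming yq is available on these runners, as the publish workflows in this series assume). The two Playwright steps also repeat the same `env:` mapping, which a job-level `env:` with `BROWSER_NAME: ${{ matrix.browser }}` would state once.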
@@ -27,6 +27,9 @@ jobs: # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning) package-manager-cache: false + - name: Disallow installation scripts + run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml + - name: Install deps run: pnpm install env: diff --git a/.github/workflows/release-continuous.yml b/.github/workflows/release-continuous.yml index 06759dea..a56e5066 100644 --- a/.github/workflows/release-continuous.yml +++ b/.github/workflows/release-continuous.yml @@ -29,6 +29,9 @@ jobs: # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning) package-manager-cache: false + - name: Disallow installation scripts + run: yq '.onlyBuiltDependencies = []' -i pnpm-workspace.yaml + - name: Install dependencies run: pnpm install From aca257cd7b1226decab0c865c5cd6391566b82cb Mon Sep 17 00:00:00 2001 From: sapphi-red <49056869+sapphi-red@users.noreply.github.com> Date: Fri, 19 Sep 2025 14:29:09 +0900 Subject: [PATCH 5/5] ci: fix use bash on windows --- .github/workflows/ci-rsc.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci-rsc.yml b/.github/workflows/ci-rsc.yml index fce3897e..7a76c023 100644 --- a/.github/workflows/ci-rsc.yml +++ b/.github/workflows/ci-rsc.yml @@ -78,9 +78,11 @@ jobs: sed -i '/^overrides:/a\ vite: "npm:rolldown-vite@latest"' pnpm-workspace.yaml pnpm i --no-frozen-lockfile - run: pnpm -C packages/plugin-rsc exec playwright install "$BROWSER_NAME" + shell: bash env: BROWSER_NAME: ${{ matrix.browser }} - run: pnpm -C packages/plugin-rsc test-e2e-ci --project="$BROWSER_NAME" + shell: bash env: BROWSER_NAME: ${{ matrix.browser }} - uses: actions/upload-artifact@v4
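Review bot: The new `Disallow installation scripts` step only empties the dependency build allowlist, so lifecycle scripts of the workspace's own packages still run during `pnpm install`. Its effect also depends on the installed pnpm version treating `onlyBuiltDependencies` as an allowlist, and the pnpm setup step is outside the hunk. If the intent is that nothing executes before publish, `run: pnpm install --ignore-scripts` states it directly, provided no later build step relies on an install hook. Unlike the cache change, this step has no comment; add one such as `# clear the build-script allowlist so dependency install scripts cannot run in the publishing job`. The same applies to the identical step in the release-continuous.yml hunk.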
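Review bot: `shell: bash` is added only to the two Playwright steps, while the `install react` step earlier in this job also reads `$REACT_VERSION` with POSIX syntax and keeps the runner's default shell. If a Windows matrix entry ever sets `react_version` (the matrix is outside the hunk), that step would run under PowerShell, where `$REACT_VERSION` is not an environment-variable lookup. Declaring it once at job level with `defaults:`, `run:`, `shell: bash` covers every `run:` step and removes the per-step repetition.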