pomerium / pomerium / 27160555638
52%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 705
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 52.188% (+0.02%) from 52.167%
27160555638

push

github

web-flow 
ci: harden JS dependency supply chain (#6227)

## Summary

Part of ENG-3808. Standardizes JS dependency supply-chain controls in
the core pomerium repo.

- Deterministic installs: `npm install` -> `npm ci` in the Makefile and
acceptance docker-compose; remove implicit `npm install` from
`ui/package.json` start script
- Package manager pinning: add `packageManager: npm@10.9.4` to the
acceptance test package roots
- Dependabot expansion: add npm ecosystem blocks for `/ui`,
`/internal/acceptance/browser`, and `/internal/acceptance/ws-server`
- PR gating: add `dependency-review-action`
- Registry verification: add `npm audit signatures` for all npm package
roots
- Workflow pin hygiene: annotate SHA-pinned GitHub Actions with
human-readable tags and refresh `actions/setup-node` to `v6.3.0`

All GitHub Actions remain SHA-pinned to match repo conventions.

AI-assisted: drafted by Claude, verified locally, reviewed by Codex.

Closes ENG-3811 (pomerium portion), ENG-3812 (pomerium portion),
ENG-3814 (pomerium), ENG-3815 (pomerium)

## Test plan

- [x] `npm ci` succeeds in `ui/`, `internal/acceptance/browser/`, and
`internal/acceptance/ws-server/`
- [x] `npm audit signatures` passes in all three npm package roots
- [x] `make npm-install` works with `npm ci`
- [x] Modified workflow YAML parses cleanly
- [x] GitHub Actions pass on this PR
- [ ] Dependabot opens npm update PRs for the new package roots

36783 of 70482 relevant lines covered (52.19%)

462.88 hits per line

Coverage Regressions

Lines Coverage File
9
80.34
 0.0% pkg/ssh/manager.go
4
88.52
 -0.88% pkg/storage/postgres/postgres.go
3
90.59
 2.97% config/config_source.go
3
84.71
 -1.18% pkg/storage/postgres/iterate.go
2
48.66
 0.0% internal/databroker/server_clustered_follower.go
2
94.55
 0.0% pkg/fanout/receive.go
1
75.15
 -0.3% internal/databroker/config_source.go
Jobs
ID Job ID Ran Files Coverage
1 27160555638.1 705
52.19
 GitHub Action Run
Source Files on build 27160555638