Skip to content

verify-action-build: add node_modules verification for vendored deps#652

Merged
raboof merged 1 commit intomainfrom
verify-node-modules
Apr 5, 2026
Merged

verify-action-build: add node_modules verification for vendored deps#652
raboof merged 1 commit intomainfrom
verify-node-modules

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented Apr 2, 2026

Summary

  • Adds verification of committed node_modules/ for actions that ship source JS directly instead of bundling into dist/ (e.g. leafo/gh-actions-luarocks)
  • Previously the script detected this pattern but returned success without actually verifying anything — a security gap
  • The Docker build now saves original node_modules/, does a fresh npm install --production (or yarn/pnpm equivalent), and compares the two trees by SHA256 hash
  • Package.json install metadata fields (_resolved, _integrity, etc.) are filtered to avoid false positives

Test plan

  • Tested with leafo/gh-actions-luarocks@97053c556d6ce2c8e26eb7ac93743437c7af7248 — 269 files in 6 packages all match
  • Tested with actions/checkout (dist-based action) — existing flow unaffected

Generated with Claude Code

@potiuk potiuk requested review from dave2wave and raboof April 2, 2026 09:31
raboof
raboof reviewed Apr 2, 2026
View reviewed changes
@potiuk potiuk mentioned this pull request Apr 2, 2026
Merged
raboof
raboof reviewed Apr 2, 2026
View reviewed changes
utils/verify-action-build.py
)
)
all_match = True
else:
Copy link
Copy Markdown
Member

@raboof raboof Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, then for consistency this should also be a else if has_node_modules:, I guess?

Copy link
Copy Markdown
Member Author

@potiuk potiuk Apr 2, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, not really - the if above is for non-js actions. (docker/composite). JS actions can have either:

  • node_modules + (index.js /main.js)
  • dist (main.js / index.js)

Copy link
Copy Markdown
Member

@raboof raboof Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the current code calls both diff_js_files and diff_node_modules if has_node_modules, but it should call only diff_node_modules, right?

to clarify, I'm not concerned about performance or 'purity' or anything here, but I do think it's helpful to keep the code as easy to understand as possible - otherwise it'll get harder to evolve (even with help from agents) and trust its output.

Copy link
Copy Markdown
Member

@dave2wave dave2wave Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the prior if block is long maybe add a comment then to describe what falls through into the else. Maybe put each portion into functions?

Copy link
Copy Markdown
Member Author

@potiuk potiuk Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will refactor it to make it easier to understand and reason and add tests after I maerge that one. Would that be ok ?

Copy link
Copy Markdown
Member Author

@potiuk potiuk Apr 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My plan is to split it into smaller better reusable methods - and have clear logic outside of those methods and almost not have conditiona logic inside the methods.

That should make it much easier to reason about.

@potiuk
verify-action-build: add node_modules verification for vendored deps
2b030cb 
Some GitHub Actions ship source JS directly with committed node_modules/
instead of bundling into dist/ (e.g. leafo/gh-actions-luarocks). Previously
the script detected this pattern but skipped verification entirely.

Now when committed node_modules/ is detected, the script saves the original,
does a fresh production install, and compares the two trees by SHA256 hash.
Package.json install metadata fields are filtered to avoid false positives.

Generated-by: Claude
@potiuk potiuk force-pushed the verify-node-modules branch from f01fc86 to 2b030cb Compare April 4, 2026 16:50
@potiuk
Copy link
Copy Markdown
Member Author

potiuk commented Apr 4, 2026

I will wait with resolving and approving the above - before refactoring

dave2wave
dave2wave approved these changes Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@dave2wave dave2wave left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If @raboof agrees then go ahead and refactor in a new PR.

raboof
raboof approved these changes Apr 5, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@raboof raboof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

@raboof raboof merged commit 3b27f21 into main Apr 5, 2026
9 checks passed
@raboof raboof deleted the verify-node-modules branch April 5, 2026 10:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raboof raboof raboof approved these changes

@dave2wave dave2wave dave2wave approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@potiuk @raboof @dave2wave