mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
3d50680eda
Follow-up to #12292 (which verifies the **package-manager** binary). This closes the same class of gap for the **Node.js runtime**. When a repository requests a Node.js runtime — `devEngines.runtime: node@X` (with `onFail: download`, the default) or `useNodeVersion` — pnpm downloads and then executes a Node binary (it's used to run lifecycle / `run` / `exec` scripts). The download **mirror is repository-configurable** via `node-mirror:<channel>` (`nodeDownloadMirrors`) in project `.npmrc`, and the integrity comes from `SHASUMS256.txt` fetched **from that same mirror**. That's a circular check: a malicious mirror serves a tampered `node` tarball **and** a matching `SHASUMS256.txt`, the sha256 check passes, and pnpm runs the binary. Drive-by on a normal command in a cloned repo. ## Fix pnpm now fetches `SHASUMS256.txt.sig` and verifies its **detached OpenPGP signature** against the **Node.js release team's public keys, embedded in the pnpm CLI**, before trusting the hashes. A mirror that serves a tampered binary cannot also produce a valid signature, so verification fails. Any faithful mirror (one that proxies the real signed SHASUMS) keeps working. - `@pnpm/crypto.shasums-file`: new `fetchVerifiedNodeShasums` / `fetchVerifiedNodeShasumsFile` verify the signature via `openpgp` against the embedded keys. - The keys live in a generated file (`src/nodeReleaseKeys.ts`, 28 keys) mirrored from the canonical `nodejs/release-keys` list. `crypto/shasums-file/scripts/update-node-release-keys.mjs` keeps them current (`pnpm check:node-release-keys` / `--update`), and the **create-release-pr** workflow runs the check as a gate so a new release signer can't silently break verification. - `@pnpm/engine.runtime.node-resolver` verifies the **configurable-mirror** SHASUMS. The hardcoded `unofficial-builds.nodejs.org` musl mirror is **not** repo-configurable and is signed by a different key, so it stays trusted over TLS. ## Scope - **Pre-release channels (rc, nightly, …) are not verified** — Node only signs the `release` channel (no `SHASUMS256.txt.sig` exists for them, even on nodejs.org), so they remain unverifiable. Verification is gated on the `release` channel. - **Bun / Deno are unaffected** — their download/SHASUMS URLs are hardcoded to canonical GitHub (`github.com/oven-sh/bun`, `api.github.com/repos/denoland/deno`), not mirror-configurable, so a repo can't redirect them. - **Pacquet parity:** `pacquet/crates/engine-runtime-node-resolver` has the same mirror-configurable SHASUMS logic and needs the equivalent Rust port — tracked as a follow-up (per the repo's parity rule, opening the TS side first).
120 lines
4.8 KiB
YAML
120 lines
4.8 KiB
YAML
name: Create Release PR
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
target:
|
|
description: Branch to release (the PR base; e.g. main or release/11.1).
|
|
default: main
|
|
required: true
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
# Serialize per target so two dispatches for the same branch can't race on the
|
|
# force-pushed release-pr/<target> branch.
|
|
concurrency:
|
|
group: create-release-pr-${{ github.event.inputs.target }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
create-release-pr:
|
|
if: github.repository == 'pnpm/pnpm' # Only run on the main repository, not forks
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
# Don't persist the write-scoped token in .git/config; the install below
|
|
# runs third-party lifecycle scripts. Pushing is done with an explicit,
|
|
# single-use remote URL in the "Commit and push" step.
|
|
persist-credentials: false
|
|
|
|
- name: Install pnpm and Node
|
|
uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
|
|
with:
|
|
runtime: node@26.3.0
|
|
|
|
# Base the release on the tip of the target branch, fetched explicitly so the
|
|
# run is correct even when dispatched from another ref. The release-pr/<target>
|
|
# name is the convention `pnpm bump` reads to key the .changeset-released ledger
|
|
# by the target branch instead of this ephemeral PR branch. A force-push reuses
|
|
# an already-open release PR for the same target rather than opening a second.
|
|
- name: Prepare release branch
|
|
env:
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
run: |
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git fetch origin "$TARGET"
|
|
git checkout -B "release-pr/$TARGET" FETCH_HEAD
|
|
|
|
# Fail the release if the npm registry signing keys embedded in
|
|
# @pnpm/deps.security.signatures have drifted from what npm advertises. pnpm
|
|
# verifies package-manager binaries (pacquet, the version-switch pnpm) against
|
|
# these keys, so a stale set could break verification after a key rotation.
|
|
- name: Check embedded npm signing keys are up to date
|
|
run: node deps/security/signatures/scripts/update-npm-signing-keys.mjs
|
|
|
|
# Fail the release if the embedded Node.js release keys (used to verify the
|
|
# signature of a downloaded runtime's SHASUMS256.txt) have drifted from the
|
|
# canonical nodejs/release-keys list, so a new release signer cannot silently
|
|
# break Node.js runtime verification.
|
|
- name: Check embedded Node.js release keys are up to date
|
|
run: node crypto/shasums-file/scripts/update-node-release-keys.mjs
|
|
|
|
# Consumes the pending changesets: bumps versions, writes changelogs, updates
|
|
# the ledger, and syncs manifests. A no-op (no pending changesets) leaves the
|
|
# tree clean and the steps below skip.
|
|
- name: Bump versions
|
|
run: pnpm bump
|
|
|
|
- name: Check for changes
|
|
id: changes
|
|
run: |
|
|
if [ -z "$(git status --porcelain)" ]; then
|
|
echo "changed=false" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "changed=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Read new pnpm version
|
|
id: version
|
|
if: steps.changes.outputs.changed == 'true'
|
|
run: echo "version=$(node -p "require('./pnpm/package.json').version")" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Commit and push
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
VERSION: ${{ steps.version.outputs.version }}
|
|
run: |
|
|
git add -A
|
|
git commit -m "chore(release): ${VERSION}"
|
|
git push -f "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "release-pr/$TARGET"
|
|
|
|
- name: Create PR if needed
|
|
if: steps.changes.outputs.changed == 'true'
|
|
env:
|
|
GH_TOKEN: ${{ secrets.UPDATE_LOCKFILE_TOKEN }}
|
|
TARGET: ${{ github.event.inputs.target }}
|
|
VERSION: ${{ steps.version.outputs.version }}
|
|
run: |
|
|
BRANCH="release-pr/$TARGET"
|
|
|
|
# An already-open PR now points at the freshly force-pushed branch, so
|
|
# there is nothing more to do.
|
|
if [ -n "$(gh pr list --head "$BRANCH" --state open --json number --jq '.[].number')" ]; then
|
|
echo "PR already exists; the new versions were force-pushed to it"
|
|
else
|
|
gh pr create \
|
|
--title "chore(release): ${VERSION}" \
|
|
--body "Automated release PR created by the create-release-pr workflow.
|
|
|
|
Releasing \`${TARGET}\` as pnpm v${VERSION}. Merging this PR consumes the pending changesets and records them in the \`.changeset-released\` ledger under \`${TARGET}\`." \
|
|
--base "$TARGET" \
|
|
--head "$BRANCH"
|
|
fi
|