Skip to content

ci: add daily audit canary for the v5 stable release#14858

Open
pranavosu wants to merge 1 commit into
mainfrom
ci/v5-stable-audit-canary
Open

ci: add daily audit canary for the v5 stable release#14858
pranavosu wants to merge 1 commit into
mainfrom
ci/v5-stable-audit-canary

Conversation

@pranavosu

@pranavosu pranavosu commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Description

Adds a scheduled GitHub Actions workflow that installs the published
aws-amplify v5 LTS release (the stable-5 dist-tag) into a clean project and
runs npm audit once a day. The goal is to catch newly disclosed
vulnerabilities in the v5 dependency tree proactively, rather than learning
about them from consumer reports.

It asserts that a fresh aws-amplify@stable-5 install has a
clean production-dependency audit.

Behavior

  • Triggers: daily schedule (15:30 UTC) and manual workflow_dispatch.
  • Installs aws-amplify@stable-5 with --omit=dev --ignore-scripts in a temp
    project.
  • Prints a human-readable npm audit report, then fails the run if any advisory
    affects the production tree. The severity threshold can be tuned with
    --audit-level=<...> if low-severity noise becomes a problem on the LTS line.
  • On failure, the red scheduled run surfaces the regression; opening an issue
    automatically can be added later if desired.

Testing

  • Passes the repository's workflow format check (test:github-actions).
  • Action pinned to a commit SHA per repo policy.
  • workflow_dispatch allows a manual run to validate once merged.

Adds a scheduled workflow that installs the published aws-amplify `stable-5`
dist-tag into a clean project and runs `npm audit` daily, so newly disclosed
vulnerabilities in the v5 LTS dependency tree are surfaced proactively rather
than via consumer reports. Generic (not tied to any single advisory).

Scheduled workflows only run from the default branch, so this lives on main
while auditing the stable-5 line.
@pranavosu pranavosu requested a review from a team as a code owner July 3, 2026 07:58
@changeset-bot

changeset-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: f8a025c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant