From 91780347e0147af97d4a6e0062f45f94a99b1eec Mon Sep 17 00:00:00 2001 From: Aakash Hotchandani Date: Wed, 27 May 2026 16:13:04 +0530 Subject: [PATCH 1/2] =?UTF-8?q?fix(security):=20CI=20hardening=20=E2=80=94?= =?UTF-8?q?=20permissions,=20npm=20ci,=20Dependabot,=20CODEOWNERS=20(SDK-6?= =?UTF-8?q?067,=20SDK-6069,=20SDK-6071)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Batched mechanical CI/config hardening for the nightwatch sample repo: - SDK-6067 (CWE-732): add a least-privilege top-level `permissions:` block to reviewing_changes.yml (`contents: read`, `checks: write`). The job only reads the repo for checkout and writes check runs via github-script; previously it inherited broad default GITHUB_TOKEN scopes. - SDK-6069 (CWE-1357): add .github/dependabot.yml (weekly npm + github-actions updates) so transitive CVEs are surfaced automatically, and switch `npm install` -> `npm ci` for reproducible, lockfile-pinned CI installs. - SDK-6071 (CWE-284): widen CODEOWNERS `.github/*` -> `.github/**` so the recursive glob actually covers `.github/workflows/` (single-level `*` left workflow files without required Code Owner review). Verified: both YAML files parse (js-yaml); workflow `permissions` resolves to {contents: read, checks: write}; `npm ci` succeeds against the committed lockfile (so the install-command switch will not break CI). Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/CODEOWNERS | 2 +- .github/dependabot.yml | 19 +++++++++++++++++++ .github/workflows/reviewing_changes.yml | 8 +++++++- 3 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 09a587d..0700d50 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,3 +1,3 @@ -.github/* @browserstack/asi-devs +.github/** @browserstack/asi-devs * @browserstack/automate-public-repos diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..a1c6b30 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,19 @@ +# Dependabot configuration (SDK-6069) — keeps npm dependencies patched and +# surfaces transitive CVEs (e.g. the braces ReDoS) automatically going forward. +version: 2 +updates: + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 10 + labels: + - "dependencies" + - "security" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" + - "github-actions" diff --git a/.github/workflows/reviewing_changes.yml b/.github/workflows/reviewing_changes.yml index eec51e3..7a90fba 100644 --- a/.github/workflows/reviewing_changes.yml +++ b/.github/workflows/reviewing_changes.yml @@ -3,6 +3,12 @@ name: NodeJS Test workflow on workflow_dispatch +# Least-privilege default token scopes (SDK-6067). The job only needs to read +# the repo (checkout) and write check runs via github-script. +permissions: + contents: read + checks: write + on: workflow_dispatch: inputs: @@ -53,7 +59,7 @@ jobs: node-version: ${{ matrix.node }} - name: Install dependencies - run: npm install + run: npm ci - name: Run sample tests run: npm run sample-test From 5bdebcfb12e181ed718a065739274930f16b7613 Mon Sep 17 00:00:00 2001 From: Aakash Hotchandani Date: Wed, 27 May 2026 16:19:57 +0530 Subject: [PATCH 2/2] =?UTF-8?q?fix(security):=20address=20review=20?= =?UTF-8?q?=E2=80=94=20CODEOWNERS=20rule=20order=20+=20Dependabot=20target?= =?UTF-8?q?-branch/grouping?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pr-review on #83 flagged that CODEOWNERS uses last-match-wins, so the trailing catch-all '*' rule still won for .github/ files and SDK-6071's bypass was not actually closed by the glob widening alone. Reorder so '*' precedes '.github/**', making the .github/** rule the last (winning) match for workflow/config files. Also applied the two review nits: explicit target-branch: master on both Dependabot ecosystems, and a groups: block to batch github-actions bumps. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/CODEOWNERS | 7 +++++-- .github/dependabot.yml | 6 ++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 0700d50..2c30609 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,3 +1,6 @@ -.github/** @browserstack/asi-devs - +# CODEOWNERS uses last-match-wins precedence, so least-specific rules must come +# first. The broad catch-all is listed before the .github/** rule so that the +# latter is the *last* (winning) match for workflow/config files (SDK-6071). * @browserstack/automate-public-repos + +.github/** @browserstack/asi-devs diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a1c6b30..2df264a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,7 @@ version: 2 updates: - package-ecosystem: "npm" directory: "/" + target-branch: "master" schedule: interval: "weekly" open-pull-requests-limit: 10 @@ -12,8 +13,13 @@ updates: - "security" - package-ecosystem: "github-actions" directory: "/" + target-branch: "master" schedule: interval: "weekly" labels: - "dependencies" - "github-actions" + groups: + actions: + patterns: + - "*"