Skip to content

v2.0.0

Latest

Choose a tag to compare

@DerekRoberts DerekRoberts released this 23 Jan 21:36
8f699e3

Release v2.0.0

🔒 Security Enhancement: Supply Chain Scanning Enabled by Default

BREAKING CHANGE: Supply chain scanning is now enabled by default (supply_scan: true). This change prioritizes security by automatically protecting against supply chain attacks, typosquatting, and malicious packages.

What Changed

  • supply_scan default changed from false to true
  • Supply chain scanning now runs automatically unless explicitly disabled
  • No additional configuration required - scanning happens during npm ci
  • Documentation updated to strongly discourage disabling supply chain scanning

Why This Change?

Supply chain attacks are critical security threats that should be caught by default. The scanning:

  • Blocks known malicious packages and supply chain attacks
  • Protects against typosquatting and suspicious install scripts
  • Has minimal overhead (runs during existing npm commands)
  • Aligns with our security-first approach alongside dep_scan: warn

Migration Guide

If you want to keep the previous behavior (disable supply chain scanning), explicitly set supply_scan: false:

- uses: bcgov/action-test-and-analyse@v2.0.0
  with:
    commands: |
      npm ci
      npm run test:cov
    dir: frontend
    node_version: "20"
    supply_scan: false  # ⚠️ Explicitly disable if needed (not recommended)

If you're already using supply_scan: true or not specifying it, no changes needed - you'll continue to get supply chain protection automatically.

If you were relying on the previous default (false), you'll now get supply chain scanning automatically. This is recommended for security, but you can disable it if you encounter issues.

🎯 Enhanced Dependency Analysis with Knip

NEW FEATURE: Comprehensive dependency and export analysis using Knip with flexible configuration options.

What's New

  • Flexible dep_scan modes: off (skip), warn (default, show issues), error (fail on issues)
  • GitHub Actions annotations: Inline code annotations for unused files, dependencies, and exports
  • Step summary: Detailed markdown summary with issue counts and full output
  • Default Knip configuration: Sensible defaults with common exclusions (TypeScript, testing libraries)
  • Custom configuration support: Provide your own .knip.json via knip_config input

Usage

- uses: bcgov/action-test-and-analyse@v2.0.0
  with:
    commands: |
      npm ci
      npm run test:cov
    dir: frontend
    node_version: "20"
    dep_scan: warn  # Default: show issues without failing
    # dep_scan: error  # Fail workflow if issues found
    # dep_scan: off    # Skip dependency analysis

Benefits

  • Catch unused dependencies and exports early
  • Reduce bundle size and maintenance burden
  • Visual annotations in PR checks for easy review
  • Non-blocking by default (warn mode) to encourage adoption

🔧 Technical Improvements

Dependency Management

  • Replaced jq with Node.js: All JSON parsing now uses Node.js (no external dependencies)
  • Dynamic version detection: Knip and safe-chain versions read from package-lock.json
  • Updated action-diff-triggers: Upgraded from v0.2.0 to v1.0.0 for improved reliability

Testing & Reliability

  • Simplified test matrix: Reduced duplication while maintaining comprehensive coverage
  • Improved test scenarios: Better coverage of trigger and non-trigger cases
  • Branch-based testing: Enhanced action testing infrastructure

📚 Documentation Improvements

  • Updated README with clear guidance on supply chain scanning defaults and security warnings
  • Added comprehensive Knip usage examples and configuration options
  • Improved copilot instructions for maintainers
  • Updated all usage examples to reflect new defaults and best practices
  • Added warnings about disabling security features

Full Changelog

Breaking Changes

  • ✅ Changed supply_scan default from false to true (security-first approach)

Features

  • ✅ Added Knip dependency and export analysis with flexible modes (off, warn, error)
  • ✅ Added GitHub Actions annotations for unused files, dependencies, and exports
  • ✅ Added step summary with detailed Knip analysis results
  • ✅ Added default Knip configuration with common exclusions
  • ✅ Added support for custom Knip configuration via knip_config input
  • ✅ Dynamic version detection for Knip and safe-chain from package-lock.json

Improvements

  • ✅ Replaced jq dependency with Node.js for JSON parsing
  • ✅ Updated action-diff-triggers from v0.2.0 to v1.0.0
  • ✅ Simplified test matrix and improved test coverage
  • ✅ Enhanced action testing infrastructure

Documentation

  • ✅ Updated README with security warnings and supply chain scanning guidance
  • ✅ Added comprehensive Knip usage examples
  • ✅ Updated copilot instructions for maintainers
  • ✅ Improved documentation for all new features

Dependencies

  • ✅ Updated bcgov/action-diff-triggers to v1.0.0
  • ✅ Regular lockfile maintenance updates

What's Changed

Full Changelog: v1.6.0...v2.0.0


Note: This is a major version release due to the breaking change in default behavior. Existing workflows that did not explicitly set supply_scan will now have supply chain scanning enabled automatically.