Release v2.0.0
🔒 Security Enhancement: Supply Chain Scanning Enabled by Default
BREAKING CHANGE: Supply chain scanning is now enabled by default (supply_scan: true). This change prioritizes security by automatically protecting against supply chain attacks, typosquatting, and malicious packages.
What Changed
supply_scandefault changed fromfalsetotrue- Supply chain scanning now runs automatically unless explicitly disabled
- No additional configuration required - scanning happens during
npm ci - Documentation updated to strongly discourage disabling supply chain scanning
Why This Change?
Supply chain attacks are critical security threats that should be caught by default. The scanning:
- Blocks known malicious packages and supply chain attacks
- Protects against typosquatting and suspicious install scripts
- Has minimal overhead (runs during existing npm commands)
- Aligns with our security-first approach alongside
dep_scan: warn
Migration Guide
If you want to keep the previous behavior (disable supply chain scanning), explicitly set supply_scan: false:
- uses: bcgov/action-test-and-analyse@v2.0.0
with:
commands: |
npm ci
npm run test:cov
dir: frontend
node_version: "20"
supply_scan: false # ⚠️ Explicitly disable if needed (not recommended)
If you're already using supply_scan: true or not specifying it, no changes needed - you'll continue to get supply chain protection automatically.
If you were relying on the previous default (false), you'll now get supply chain scanning automatically. This is recommended for security, but you can disable it if you encounter issues.
🎯 Enhanced Dependency Analysis with Knip
NEW FEATURE: Comprehensive dependency and export analysis using Knip with flexible configuration options.
What's New
- Flexible
dep_scanmodes:off(skip),warn(default, show issues),error(fail on issues) - GitHub Actions annotations: Inline code annotations for unused files, dependencies, and exports
- Step summary: Detailed markdown summary with issue counts and full output
- Default Knip configuration: Sensible defaults with common exclusions (TypeScript, testing libraries)
- Custom configuration support: Provide your own
.knip.jsonviaknip_configinput
Usage
- uses: bcgov/action-test-and-analyse@v2.0.0
with:
commands: |
npm ci
npm run test:cov
dir: frontend
node_version: "20"
dep_scan: warn # Default: show issues without failing
# dep_scan: error # Fail workflow if issues found
# dep_scan: off # Skip dependency analysis
Benefits
- Catch unused dependencies and exports early
- Reduce bundle size and maintenance burden
- Visual annotations in PR checks for easy review
- Non-blocking by default (
warnmode) to encourage adoption
🔧 Technical Improvements
Dependency Management
- Replaced
jqwith Node.js: All JSON parsing now uses Node.js (no external dependencies) - Dynamic version detection: Knip and safe-chain versions read from
package-lock.json - Updated
action-diff-triggers: Upgraded from v0.2.0 to v1.0.0 for improved reliability
Testing & Reliability
- Simplified test matrix: Reduced duplication while maintaining comprehensive coverage
- Improved test scenarios: Better coverage of trigger and non-trigger cases
- Branch-based testing: Enhanced action testing infrastructure
📚 Documentation Improvements
- Updated README with clear guidance on supply chain scanning defaults and security warnings
- Added comprehensive Knip usage examples and configuration options
- Improved copilot instructions for maintainers
- Updated all usage examples to reflect new defaults and best practices
- Added warnings about disabling security features
Full Changelog
Breaking Changes
- ✅ Changed
supply_scandefault fromfalsetotrue(security-first approach)
Features
- ✅ Added Knip dependency and export analysis with flexible modes (
off,warn,error) - ✅ Added GitHub Actions annotations for unused files, dependencies, and exports
- ✅ Added step summary with detailed Knip analysis results
- ✅ Added default Knip configuration with common exclusions
- ✅ Added support for custom Knip configuration via
knip_configinput - ✅ Dynamic version detection for Knip and safe-chain from
package-lock.json
Improvements
- ✅ Replaced
jqdependency with Node.js for JSON parsing - ✅ Updated
action-diff-triggersfrom v0.2.0 to v1.0.0 - ✅ Simplified test matrix and improved test coverage
- ✅ Enhanced action testing infrastructure
Documentation
- ✅ Updated README with security warnings and supply chain scanning guidance
- ✅ Added comprehensive Knip usage examples
- ✅ Updated copilot instructions for maintainers
- ✅ Improved documentation for all new features
Dependencies
- ✅ Updated
bcgov/action-diff-triggersto v1.0.0 - ✅ Regular lockfile maintenance updates
What's Changed
- feat: default Knip config, flexible dep_scan modes by @DerekRoberts in #97
- feat: manage Knip and safe-chain versions via package.json with dynamic Node.js version by @Copilot in #99
- feat: Knip annotations, summary, improved error handling by @DerekRoberts in #100
- docs: update copilot instructions for v1.7.0 by @DerekRoberts in #101
- docs: cleanup, remove unimplemented synonyms by @DerekRoberts in #102
- chore(ci): add to knip exceptions by @DerekRoberts in #103
- feat: enable supply chain scanning by default by @DerekRoberts in #104
- chore(deps): lock file maintenance by @DerekRoberts in #105
- fix: use node instead of jq to read package.json versions by @DerekRoberts in #106
- chore(test): branch-based action testing with github.action_path by @DerekRoberts in #107
- fix: restore test step and fix Knip JSON validation by @DerekRoberts in #109
- fix: Knip JSON validation by @DerekRoberts in #110
- fix: trigger logic, error handling, simplify tests, security defaults by @DerekRoberts in #112
- chore(deps): update bcgov/action-diff-triggers action to v1 by @DerekRoberts in #113
- chore(deps): lock file maintenance by @DerekRoberts in #114
- fix: trigger, param by @DerekRoberts in #116
Full Changelog: v1.6.0...v2.0.0
Note: This is a major version release due to the breaking change in default behavior. Existing workflows that did not explicitly set supply_scan will now have supply chain scanning enabled automatically.