Skip to content

ci: migrate PMG to v1 server-mode proxy#23

Merged
abhisek merged 2 commits into
mainfrom
chore/pmg-server-mode-ci
Jun 30, 2026
Merged

ci: migrate PMG to v1 server-mode proxy#23
abhisek merged 2 commits into
mainfrom
chore/pmg-server-mode-ci

Conversation

@Sahilb315

@Sahilb315 Sahilb315 commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Migrates the SafeDep PMG GitHub Action usage in both workflows to the v1 server-mode proxy pattern.

  • Pin safedep/pmg to the v1 action tag (SHA-pinned). v1 is the action's major-version pointer following GitHub Actions convention. The repo's GitHub Releases are the PMG CLI (v0.x), so the action line is pinned to v1, not to a CLI release tag.
  • Add server-mode: true to both the ci.yml release-preflight job and the goreleaser.yml release job. The proxy runs as a daemon and routes every package install through it.
  • Replace the job-end pmg cloud sync with pmg proxy stop --fail-on-violation. In server mode the proxy daemon owns event delivery, so stopping it both flushes cloud events and fails the job on any blocked package.
  • Remove continue-on-error: true from the goreleaser stop step so a blocked package fails the job instead of passing silently.

Note on versioning

The action's version input is left at its default (latest), so the installed PMG binary floats to the newest release (checksum-verified by the action). This matches the prior v0.14.0 behavior and is generally desirable for a security tool. Only the action definition is pinned (to v1).

Known limitation (documented in-line)

In goreleaser.yml the stop step runs after the publish step, so it alerts but cannot prevent a release:

  • A blocked required dependency already fails the earlier Install dependencies step, before publish runs.
  • The gap is an optional dependency: PMG still blocks it, but pnpm skips the failed optional install and exits 0, so the job reaches publish. The stop step then fails the job, but after the release has shipped.

To gate the release itself on a violation, the stop step would need to move before the publish step (or split build/publish into separate jobs). Left as a follow-up.

🤖 Generated with Claude Code

Bump safedep/pmg to v0.21.2 (SHA-pinned) and switch both the ci.yml
release-preflight job and the goreleaser.yml release job to server-mode.
In server mode the proxy daemon owns event delivery, so the job-end
`pmg cloud sync` is replaced with `pmg proxy stop --fail-on-violation`,
which flushes events and fails the job on any blocked package.

Drop continue-on-error from the goreleaser stop step so a blocked
package fails the job instead of passing silently. Note the limitation:
the step runs after publish, so it alerts but cannot stop a release.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@safedep

safedep Bot commented Jun 30, 2026

Copy link
Copy Markdown

SafeDep Report Summary

Green Malicious Packages Badge Green Vulnerable Packages Badge Green Risky License Badge

No dependency changes detected. Nothing to scan.

View complete scan results →

This report is generated by SafeDep Github App

arunanshub
arunanshub previously approved these changes Jun 30, 2026
Bump safedep/pmg to the v1 action tag (SHA-pinned) and switch both the
ci.yml release-preflight job and the goreleaser.yml release job to
server-mode. v1 is the action's major-version tag (the CLI ships its own
v0.x releases), so we pin the action line to v1 rather than a CLI tag.

In server mode the proxy daemon owns event delivery, so the job-end
`pmg cloud sync` is replaced with `pmg proxy stop --fail-on-violation`,
which flushes events and fails the job on any blocked package.

Drop continue-on-error from the goreleaser stop step so a blocked
package fails the job instead of passing silently. Note the limitation:
the step runs after publish, so it alerts but cannot stop a release.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@abhisek abhisek merged commit 657780f into main Jun 30, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants