Skip to content

strictDepBuilds=true、他サプライチェーン攻撃への対策の追加 #61 #62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ano333333 merged 5 commits into from
May 24, 2026
Merged

strictDepBuilds=true、他サプライチェーン攻撃への対策の追加 #61 #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4917d07
chore: pnpmのアップデート
ano333333 May 23, 2026
a810898
ci: pnpm-workspace.yaml
ano333333 May 23, 2026
d6d517a
ci: ciのpnpmのアップデート
ano333333 May 23, 2026
ebf19ef
ci: GitHub Actions用のイメージでpnpmを使用する
ano333333 May 24, 2026
c3058a9
ci: gcp側のイメージでのpnpm使用
ano333333 May 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 5 additions & 6 deletions .github/workflows/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ GitHub Actionsの実行時間短縮を目的として、Node.jsとPlaywrightが
**基盤**: Ubuntu 24.04 LTS
**Node.js**: v24 (flake.nixの`nodejs_24`に準拠)
**追加パッケージ**: curl, unzip, git, google-cloud-cli(gcloud / gsutil)
**パッケージ管理**: pnpm 10.10.0(corepack経由)
**パッケージ管理**: pnpm(corepack経由)

**用途**:

Expand All @@ -39,13 +39,13 @@ GitHub Actionsの実行時間短縮を目的として、Node.jsとPlaywrightが
**Node.js**: v24 (flake.nixの`nodejs_24`に準拠)
**Playwright**: プリインストール(ブラウザ込み)
**追加パッケージ**: curl, git
**パッケージ管理**: pnpm 10.10.0(corepack経由)
**パッケージ管理**: pnpm(corepack経由)

**特徴**:

- Playwright関連依存関係を事前インストール
- ブラウザバイナリ(Chromium)を含有
- `npx playwright install --with-deps`実行済み
- `pnpm exec playwright install --with-deps`実行済み

**用途**:

Expand All @@ -62,12 +62,11 @@ GitHub Actionsの実行時間短縮を目的として、Node.jsとPlaywrightが

```bash
# Node.jsイメージのビルド
cd .github/workflows/images
docker build -f Dockerfile.node -t ghcr.io/ano333333/ongeki-score-fetch/node:24.04 .
docker build -f .github/workflows/images/Dockerfile.node -t ghcr.io/ano333333/ongeki-score-fetch/node:24.04 .
docker push ghcr.io/ano333333/ongeki-score-fetch/node:24.04

# Playwrightイメージのビルド
docker build -f Dockerfile.playwright -t ghcr.io/ano333333/ongeki-score-fetch/playwright:24.04 .
docker build -f .github/workflows/images/Dockerfile.playwright -t ghcr.io/ano333333/ongeki-score-fetch/playwright:24.04 .
docker push ghcr.io/ano333333/ongeki-score-fetch/playwright:24.04
```

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/build-chromeex/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,15 +27,15 @@ runs:
working-directory: ./chrome-extension
shell: bash
run: |
npm install
pnpm install --frozen-lockfile

- name: Build
id: build
working-directory: ./chrome-extension
shell: bash
continue-on-error: true
run: |
npm run build
pnpm run build

- name: Set result
id: set-result
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/images/Dockerfile.node
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,4 +26,4 @@ RUN echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.
&& rm -rf /var/lib/apt/lists/*

# flake.nix/devShellと揃えるため、pnpmを有効化
RUN corepack enable && corepack prepare pnpm@10.10.0 --activate
RUN corepack enable && corepack prepare pnpm@11.1.2 --activate
23 changes: 7 additions & 16 deletions .github/workflows/images/Dockerfile.playwright
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,32 +15,23 @@ RUN curl -fsSL https://deb.nodesource.com/setup_24.x -o nodesource_setup.sh \
&& rm -rf /var/lib/apt/lists/*

# flake.nix/devShellと揃えるため、pnpmを有効化
RUN corepack enable && corepack prepare pnpm@10.10.0 --activate
RUN corepack enable && corepack prepare pnpm@11.1.2 --activate

# Playwright環境変数の設定
ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright

# 最小限のNodeプロジェクトを作成
# chrome-extension の依存関係を使って Playwright をインストール
WORKDIR /opt/playwright-project

# package.jsonを作成
RUN echo '{\
"name": "playwright-container",\
"version": "1.0.0",\
"type": "module",\
"devDependencies": {\
"@vitest/browser": "^3.1.4",\
"playwright": "^1.52.0",\
"vitest": "^3.1.4",\
"vitest-browser-vue": "^0.2.0"\
}\
}' > package.json
COPY chrome-extension/package.json ./
COPY chrome-extension/pnpm-lock.yaml ./
COPY chrome-extension/pnpm-workspace.yaml ./

# 依存関係のインストール
RUN npm install
RUN pnpm install --frozen-lockfile

# Playwrightブラウザのインストール(chromiumを明示的に指定)
RUN npx playwright install chromium --with-deps
RUN pnpm exec playwright install chromium --with-deps

# プロジェクトディレクトリを削除(ブラウザはグローバルにインストール済み)
RUN rm -rf /opt/playwright-project
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/test-chromeex/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,15 +27,15 @@ runs:
working-directory: ./chrome-extension
shell: bash
run: |
npm install
pnpm install --frozen-lockfile

- name: Test
id: test
working-directory: ./chrome-extension
shell: bash
continue-on-error: true
run: |
npm run test:ci
pnpm run test:ci

- name: Set result
id: set-result
Expand Down
1 change: 1 addition & 0 deletions chrome-extension/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"private": true,
"version": "0.0.0",
"type": "module",
"packageManager": "pnpm@11.1.2",
"scripts": {
"dev": "vite",
"build": "vue-tsc && vite build",
Expand Down
4 changes: 4 additions & 0 deletions chrome-extension/pnpm-workspace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
allowBuilds:
esbuild: true

trustPolicy: no-downgrade
6 changes: 3 additions & 3 deletions flake.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
default = pkgs.mkShell {
packages = with pkgs; [
nodejs_24
nodePackages.pnpm
pnpm

@coderabbitai coderabbitai Bot May 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Nixのpnpmパッケージ情報を確認

# pnpmパッケージの存在確認
if command -v nix &> /dev/null; then
  echo "=== Checking pnpm package in nixpkgs-unstable ==="
  nix eval nixpkgs#pnpm.version --raw 2>/dev/null || echo "pkgs.pnpm not found"
  echo ""
  echo "=== Checking nodePackages.pnpm package ==="
  nix eval nixpkgs#nodePackages.pnpm.version --raw 2>/dev/null || echo "nodePackages.pnpm not found"
else
  echo "Nix is not available in this environment"
fi

Repository: ano333333/ongeki-score-fetch

Length of output: 113

🌐 Web query:

nixpkgs unstable pnpm package availability

💡 Result:

In nixpkgs unstable (2026-05-24), pnpm is available in multiple versioned packages, notably pnpm_8, pnpm_9, and pnpm_10 (with additional variant labels like pnpm_10_29_2) via pkgs.development.tools.pnpm.default.nix [1][2]. The top-level pnpm attribute is also set to pnpm_9 in the nixpkgs tree (i.e., pnpm aliases pnpm_9) [3]. Concrete availability in nixpkgs (unstable) based on the current pnpm packaging definitions: - pnpm_8 exists, pinned to a specific pnpm 8.x version in the nixpkgs pnpm default.nix variant table [1]. - pnpm_9 exists, pinned to a specific pnpm 9.x version in the nixpkgs pnpm default.nix variant table [1]. - pnpm_10 exists, pinned to a specific pnpm 10.x version in the nixpkgs pnpm default.nix variant table [1]. - Additional pnpm_10_* variants can exist to handle known breaking changes (example comment/variant for 10.29.2) [1]. Related build tooling availability (how pnpm is intended to be used in nixpkgs builds): - nixpkgs provides fetchPnpmDeps and pnpmConfigHook infrastructure for building pnpm-based JS projects reproducibly [4][5]. Notes on package name changes / aliases: - Older nixpkgs guidance used nodePackages.pnpm; however, nixpkgs has been deprecating/removing “nodePackages.*” usage in favor of other patterns (e.g., overlays/overrides), and there are documented issues about pnpm being wrapped with an unintended nodejs version when using the aliasing approach [6][7]. How to check quickly in your local nixpkgs-unstable checkout: - Look under pkgs.development.tools.pnpm (it defines pnpm_8, pnpm_9, pnpm_10, etc.) [1]. - In that same tree, check that pnpm = pnpm_9 is exported at the top-level all-packages layer [3].

Citations:

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# flake.nixの該当行(27)周辺を確認
if [ -f flake.nix ]; then
  nl -ba flake.nix | sed -n '15,45p'
else
  echo "flake.nix not found"
fi

Repository: ano333333/ongeki-score-fetch

Length of output: 115

🌐 Web query:

nixpkgs unstable pnpm_11 package

💡 Result:

As of May 24, 2026, the pnpm_11 package is actively being integrated into nixpkgs [1][2]. While development and testing are ongoing—including recent work to ensure deterministic builds for the pnpm v11 store index [3] and fixes for binary execution [4]—it is not yet part of the standard stable release or fully merged into the main nixpkgs-unstable branch as a finalized, widely available attribute [5]. Users tracking the progress of pnpm_11 can follow the primary development efforts in the nixpkgs repository, specifically through pull requests and commits related to its initialization and store reproducibility [1][3][2]. Because pnpm v11 introduced significant changes, such as using a SQLite database for the store index, the integration requires careful handling of build reproducibility and pnpmConfigHook compatibility [1][3]. If you need to use pnpm 11 before it is officially available in your channel, you may need to track the relevant pull requests or use a local overlay to pull in the work-in-progress definitions [1][6]. Once merged, it is expected to follow the established naming convention in nixpkgs, where pinned versions are exposed as pnpm_X (e.g., pnpm_10, pnpm_11) [7][8].

Citations:

🏁 Script executed:

#!/bin/bash
set -euo pipefail

if [ -f flake.nix ]; then
  echo "== flake.nix: lines 20-35 =="
  awk 'NR>=20 && NR<=35 {printf "%d:%s\n", NR, $0}' flake.nix
  echo
  echo "== flake.nix: all pnpm occurrences =="
  rg -n "pnpm" flake.nix
else
  echo "flake.nix not found"
fi

Repository: ano333333/ongeki-score-fetch

Length of output: 777

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n "pnpm@|packageManager|pnpm_11|11\.1\.2" . || true

Repository: ano333333/ongeki-score-fetch

Length of output: 312

flake.nix の pnpm バージョンが pnpm@11.1.2(packageManager/Dockerfile指定)と一致するよう調整してください(pnpm のままだと不一致の可能性)

  • flake.nixwith pkgs; [ ... pnpm ... ](pkgsのトップレベル pnpm 属性)を使っています。
  • 一方で chrome-extension/package.json / gcp/sheet-scraper/package.json / gcp/sheet-scraper/Dockerfile はすべて pnpm@11.1.2 を指定しています。
  • nixpkgs-unstable ではトップレベル pnpm は現状 pnpm_9 エイリアスで、pnpm_11 は統合途上になっているため、現在の flake.nix のままだとバージョン不一致リスクがあります。
  • pnpm_11 を明示的に使う/オーバーレイで pnpm@11.1.2 にピン止めするなど、開発環境の pnpm をプロジェクト指定に合わせてください。
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@flake.nix` at line 27, flake.nix currently pulls the top-level pkgs.pnpm
(which maps to pnpm_9) causing a version mismatch with packageManager/Dockerfile
and package.json files that require pnpm@11.1.2; update flake.nix to explicitly
use pnpm_11 from pkgs (pkgs.pnpm_11) or add an overlay that pins pnpm to 11.1.2
(matching the project’s package.json/Dockerfile), ensuring the symbol you change
is the pnpm entry in the top-level package list (the pnpm / pnpm_11 reference)
so the dev environment and chrome-extension/gcp/sheet-scraper
packageManager/Dockerfile versions are consistent.

@ano333333 ano333333 May 24, 2026

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nix flake updateのタイミングのみで上がるので、そのタイミングでバージョンを更新するだけなので、現段階で調節しておけばとりあえずOKと判断。

@coderabbitai coderabbitai Bot May 24, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ano333333、ご説明ありがとうございます。nix flake update のタイミングで flake.lock が更新されるため、その際に pnpm バージョンを合わせる運用であれば問題ない判断ですね。了解しました。

playwright-driver.browsers

terraform
Expand Down
2 changes: 1 addition & 1 deletion gcp/sheet-scraper/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,11 @@ RUN apt-get update
RUN apt-get install -y curl
RUN curl -fsSL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh
RUN bash nodesource_setup.sh
RUN corepack enable && corepack prepare pnpm@11.1.2 --activate
RUN mkdir /usr/src/app
WORKDIR /usr/src/app
COPY ./package.json ./
COPY ./pnpm-lock.yaml ./
RUN npm install -g pnpm
RUN pnpm i --frozen-lockfile

COPY ./codes ./codes
Expand Down
4 changes: 2 additions & 2 deletions gcp/sheet-scraper/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
"description": "",
"main": "codes/index.js",
"scripts": {
"build": "npx tsc",
"build": "tsc",
"dev": "node --env-file .env -r ts-node/register codes/index.ts",
"test": "jest"
},
Expand All @@ -13,7 +13,7 @@
"nodeVersion": "22.15.0"
}
},
"packageManager": "pnpm@10.10.0",
"packageManager": "pnpm@11.1.2",
"author": "",
"license": "ISC",
"devDependencies": {
Expand Down
Loading