🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🟡 GitHub Actions workflow uses unpinned third-party action tag (actions/download-artifact@​v8)

Description

The CI workflow introduces additional uses of actions/download-artifact@​v8 pinned only to a mutable tag, not an immutable commit SHA.

• GitHub Action tags (e.g., @​v8) can be moved/retagged.
• If the action’s repository or release tag is ever compromised, the attacker can execute arbitrary code in this repo’s CI context.
• These new steps run on push to main (where repository secrets and elevated permissions are commonly available), increasing supply-chain impact.

Vulnerable code (newly added):

- name: Download dist artifact
  if: github.event_name == 'push' && matrix.task == 'test'
  uses: actions/download-artifact@​v8
  with:
    name: dist-build
    path: dist/

Recommendation

Pin GitHub Actions to an immutable commit SHA (and optionally keep the tag in a comment for readability), e.g.:

- name: Download dist artifact
  if: github.event_name == 'push' && matrix.task == 'test'
  uses: actions/download-artifact@<FULL_COMMIT_SHA> # v8
  with:
    name: dist-build
    path: dist/

Also consider:

• Enabling Dependabot version updates for GitHub Actions to keep pinned SHAs current.
• Reviewing workflow/job permissions: to follow least privilege, limiting blast radius if an action is compromised.

Analyzed PR: #52267 at commit 6ae1582

_{Last updated on: 2026-03-22T13:48:56Z}

Greptile Summary

This PR fixes a recurring CI failure where plugin-sdk subpath tests fail because the dist/ directory isn't populated before the test runner resolves package exports. It builds dist once in a shared build-artifacts job on push (downloading it into downstream test jobs), and falls back to a local pnpm build on PR events where no shared artifact is produced. The pattern is applied consistently to both Linux/Bun (checks) and Windows (checks-windows) test lanes.

Issues found:

• The new "Build dist" step in checks (line 274) is conditioned only on github.event_name != 'push' && matrix.task == 'test', which evaluates to true on PR events for the bun+test matrix entry. Every other substantive step in that job carries an additional matrix.runtime != 'bun' guard for PR events (because the bun lane is intentionally push-only), but the new step does not. This means pnpm build would be attempted without a checkout or pnpm environment, likely failing the bun shard on every PR and blocking CI.
• The Windows job and the compat-node22 matrix entry are not affected by this issue.

Confidence Score: 3/5

• One concrete bug would break the checks job on every PR; a one-line condition fix is needed before merging.
• The overall approach is correct and well-structured. The single P1 issue — the missing bun runtime guard on the new "Build dist" step — would cause the bun matrix shard to fail for every PR (checkout and pnpm setup are skipped for that entry, so pnpm build runs against an empty workspace). This is a straightforward one-line fix, but it would regress CI on all PRs until resolved.
• .github/workflows/ci.yml — specifically the "Build dist" step condition at line 274 in the checks job.

This is a comment left during a code review.
Path: .github/workflows/ci.yml
Line: 273-275

Comment:
**"Build dist" runs for `bun+test` on PR without checkout or pnpm setup**

The condition `github.event_name != 'push' && matrix.task == 'test'` evaluates to `true` on PR events for the `bun+test` matrix entry. However, both the `Checkout` step (line 237) and the `Setup Node environment` step (line 243) are guarded by `if: github.event_name != 'pull_request' || (matrix.runtime != 'bun' ...)`, so they are **skipped** for `bun+PR`. This means `pnpm build` fires against an empty workspace with no `package.json` and no `pnpm` in PATH, causing the matrix shard to fail.

The `Run` step on line 278 already carries the correct bun guard:
```
if: github.event_name != 'pull_request' || (matrix.runtime != 'bun' && matrix.task != 'compat-node22')
```

The `Build dist` step needs the same guard for the `bun` runtime:

```suggestion
      - name: Build dist
        if: github.event_name != 'push' && matrix.task == 'test' && (github.event_name != 'pull_request' || matrix.runtime != 'bun')
        run: pnpm build
```

(`compat-node22` doesn't need explicit coverage here because its `matrix.task` is `'compat-node22'`, not `'test'`, so the `matrix.task == 'test'` guard already excludes it.)

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "ci: skip bun-only dist build on PRs" | Re-trigger Greptile}

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🟡 GitHub Actions dependency not pinned to a commit SHA (actions/download-artifact@​v8)

Description

The workflow references a third-party GitHub Action by a mutable version tag (@​v8) instead of pinning to an immutable commit SHA.

• If the referenced tag is ever moved (whether by compromise or unexpected upstream change), attacker-controlled code could execute in CI.
• This commit adds additional uses of actions/download-artifact@​v8 in test jobs, increasing exposure.

Vulnerable code (added):

- name: Download dist artifact
  if: github.event_name == 'push' && matrix.task == 'test'
  uses: actions/download-artifact@​v8

Recommendation

Pin GitHub Actions to a full commit SHA (optionally with an inline comment indicating the intended version tag), and rely on Dependabot to update the SHA.

Example:

- name: Download dist artifact
  uses: actions/download-artifact@<FULL_LENGTH_COMMIT_SHA> # v8
  with:
    name: dist-build
    path: dist/

Also consider applying the same SHA pinning policy to other uses: entries (e.g., actions/checkout, actions/cache, etc.) for consistency.

Analyzed PR: #52267 at commit 0d636f8

_{Last updated on: 2026-03-22T14:01:21Z}