🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🟡 Unpinned GitHub Action reference (supply-chain risk) in CI workflow

Description

The CI workflow executes a third-party GitHub Action using only a mutable major-version tag:

• The newly added steps use actions/download-artifact@​v8.
• Major-version tags (e.g., v8) can be moved to a different commit by the action publisher.
• If the upstream action release process or account is compromised, a malicious update could execute arbitrary code on CI runners (RCE), potentially exfiltrating secrets or altering build outputs.

Vulnerable code (newly added):

- name: Download dist artifact
  if: github.event_name == 'push' && matrix.task == 'test'
  uses: actions/download-artifact@​v8

This is especially relevant because these steps run on push to main, where workflows often have higher privileges than PR workflows.

Recommendation

Pin GitHub Actions to an immutable commit SHA (and optionally keep the human-readable tag as a comment), then use automation (e.g., Dependabot) to update.

Example:

- name: Download dist artifact
  uses: actions/download-artifact@<FULL_COMMIT_SHA> # v8
  with:
    name: dist-build
    path: dist/

Apply the same pinning strategy to other uses: actions/...@​v* references in workflows to reduce CI supply-chain risk.

Analyzed PR: #52279 at commit 1667865

_{Last updated on: 2026-03-22T14:15:54Z}

Greptile Summary

This PR fixes a missing dist/ directory error that caused macOS TS test failures (src/plugin-sdk/subpaths.test.ts) by inserting a pnpm build step immediately before the TS test step in the macos job. It also aligns the checks (Linux) and checks-windows jobs with the same artifact-sharing pattern already present in build-smoke: on push events these jobs download the pre-built dist-build artifact; on PR events they build locally.

Key changes:

• macos job: adds an unconditional Build dist (macOS) step before TS tests (macOS) — correct since the macOS job is already gated to pull_request events only, so there is never a pre-built artifact to download
• checks job: adds build-artifacts to needs, always() guard, and download-or-build-locally steps scoped to matrix.task == 'test'
• checks-windows job: same pattern as Linux checks, without the matrix.runtime == 'node' filter (safe, since the Windows matrix is node-only)
• All three jobs correctly handle the scenario where build-artifacts is skipped on PRs via always() + github.event_name != 'push' short-circuit

Confidence Score: 5/5

• Safe to merge — targeted, minimal CI fix with correct logic across all three platforms.
• The change is a narrow CI configuration fix: one new step in the macOS job and consistent guard/dependency alignment for Linux and Windows. The artifact download vs. local build branching logic (event_name == 'push' vs. not) is correct and follows the existing build-smoke pattern already live in the file. No application code is touched. The macOS job's always-build-locally approach is the right call given the job is unconditionally gated to pull_request events.
• No files require special attention.

_{Reviews (1): Last reviewed commit: "ci: build dist before macos tests" | Re-trigger Greptile}