[codex] Add Shai-Hulud hardening#1
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3ae41fb808
| - "**/package-lock.json" | ||
| - "**/yarn.lock" | ||
| - "**/pnpm-lock.yaml" | ||
| - "**/bun.lockb" |
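Review bot: the lockfile list in this path filter stops at `**/bun.lockb` and omits Bun's current text lockfile `bun.lock` as well as npm's `npm-shrinkwrap.json`, so dependency changes that only touch one of those files will not trigger the scan on pull_request or push; add `- "**/bun.lock"` and `- "**/npm-shrinkwrap.json"` to the list (in both the pull_request and push filters) so the check runs at review time rather than only on the scheduled or manual run.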
Include bun.lock in workflow path filters
The pull_request/push path filters only match **/bun.lockb, so dependency updates that touch Bun’s current default lockfile (bun.lock) will not trigger this security scan on PRs or branch merges. That creates a real detection gap where compromised transitive changes in bun.lock are only caught by the weekly schedule or manual runs instead of immediately during code review.
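The shape of the workflow trigger this comment asks for, as an added example rather than the PR's own file: the path filters are extended with `bun.lock` (and `npm-shrinkwrap.json`), the weekly schedule and manual dispatch stay as a backstop, and the token is scoped to read-only as the PR description states. The workflow name, the `main` branch, the cron time, the job layout and the scan step's script path are assumptions.

```yaml
# Added example, not the repository's own workflow. Names, branch, cron
# and the scan script path are assumptions.
name: shai-hulud-check

on:
  pull_request:
    paths:
      - "**/package-lock.json"
      - "**/npm-shrinkwrap.json"   # npm's alternative lockfile
      - "**/yarn.lock"
      - "**/pnpm-lock.yaml"
      - "**/bun.lockb"             # Bun's older binary lockfile
      - "**/bun.lock"              # Bun's current text lockfile (missing in the PR)
  push:
    branches: [main]               # assumed default branch
    paths:
      - "**/package-lock.json"
      - "**/npm-shrinkwrap.json"
      - "**/yarn.lock"
      - "**/pnpm-lock.yaml"
      - "**/bun.lockb"
      - "**/bun.lock"
  schedule:
    - cron: "0 6 * * 1"            # weekly backstop, not the only trigger
  workflow_dispatch:               # manual run

# Least-privilege token: the scan only needs to read the checkout.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Shai-Hulud check
        run: ./scripts/shai-hulud-check.sh   # hypothetical path to the repo's scanner
```

Because the `paths` filter is repeated under `pull_request` and `push`, keep the two lists identical; a lockfile added to one but not the other reopens the same gap on the other trigger.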
Adds a recurring Shai-Hulud security check workflow with least-privilege repository permissions.
Validation performed locally before publishing: