
chore: restrict npm release workflow#193

Open
Danil42Russia wants to merge 1 commit into main from danil42russia/update_deploy

Conversation

Danil42Russia (Collaborator) commented Jun 1, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced security for the release workflow with improved permissions scoping and repository gating.

coderabbitai (Bot) commented Jun 1, 2026

📝 Walkthrough

The release workflow adds a default empty permissions block, introduces repository gating conditions on both quality-gates and publish jobs, scopes job-level permissions to contents: read for quality checks and contents: read plus id-token: write for OIDC-authenticated publishing, and sets the publish job to target a deploy environment.

Changes

GitHub Actions Release Workflow Security Hardening

Layer: Quality-gates job with scoped permissions and repository gating
File(s): .github/workflows/release.yml
Summary: The quality-gates job receives an if repository gating condition and a job-level contents: read permission scope; all quality steps (checkout, format, typecheck, test) remain unchanged.

Layer: Publish job with deploy environment and OIDC permissions
File(s): .github/workflows/release.yml
Summary: The publish job receives an if repository gating condition, targets the deploy environment, and has scoped job permissions contents: read and id-token: write (OIDC); build prerequisites remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A workflow secured, with permissions so tight,
Two jobs now gated to run just right,
OIDC tokens for publish flow,
Repository checks will guard the show.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main change: restricting the npm release workflow by adding permissions, repository gating, and environment targeting.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

23-23: 💤 Low value

Consider adding persist-credentials: false to checkout.

Static analysis (zizmor) flags that credentials may persist through artifacts. Since this workflow has scoped permissions and repo gating, the risk is low, but setting persist-credentials: false is defense in depth.

Suggested fix
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
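Review bot: before applying this, check that no later step in quality-gates relies on the token that checkout normally leaves in .git/config (a git push, a tag, or a fetch of a private dependency over HTTPS); with persist-credentials: false those would fail with an authentication error. The format, typecheck and test steps listed in the walkthrough do not need it, so the change is safe for this job.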
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 23, The checkout step using
actions/checkout@v4 should explicitly disable credential persistence to avoid
leaking tokens to subsequent steps; update the checkout step (the action
reference "actions/checkout@v4") to include the input persist-credentials: false
(i.e., add a persist-credentials: false key under that step) so credentials are
not persisted to the workspace or artifacts.

58-58: 💤 Low value

Consider adding persist-credentials: false to checkout.

Same as the quality-gates job. In the publish job this is slightly more relevant since id-token: write is granted, though the tight permission scope already limits exposure.

Suggested fix
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
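Review bot: the rationale conflates two tokens. persist-credentials only governs whether the GITHUB_TOKEN used for the checkout is written into .git/config in the workspace; id-token: write lets a step request a short-lived OIDC token from the Actions issuer on demand, and that token is never stored in the checkout. The suggestion is still worth applying in the publish job, because the build and publish steps operate on a workspace that would otherwise carry the GITHUB_TOKEN, but id-token: write is not what makes it more relevant.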
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 58, Update the checkout step in the
release job to add persist-credentials: false to the actions/checkout@v4
invocation; locate the checkout step (uses: actions/checkout@v4) in the release
workflow and set persist-credentials: false under that step to prevent the
action from persisting GITHUB_TOKEN credentials to the workspace while keeping
id-token: write behavior as-is.

📥 Commits

Reviewing files that changed from the base of the PR and between af9a10c and 004905f.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Lines of .github/workflows/release.yml this comment is attached to (line 23):

        contents: read

      steps:
        - uses: actions/checkout@v4


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Get the latest commit SHA for the v4 tags of the actions used

echo "=== actions/checkout@v4 ==="
gh api repos/actions/checkout/git/refs/tags/v4 --jq '.object.sha' 2>/dev/null || echo "Could not fetch SHA"

echo ""
echo "=== actions/setup-node@v4 ==="
gh api repos/actions/setup-node/git/refs/tags/v4 --jq '.object.sha' 2>/dev/null || echo "Could not fetch SHA"

Repository: ton-org/ton

Length of output: 196


Pin actions/checkout@v4 and actions/setup-node@v4 to SHAs

In .github/workflows/release.yml, both actions/checkout@v4 and actions/setup-node@v4 are used and are currently tag-based. Pinning them to commit SHAs hardens the workflow against tag movement/hijacking (current v4 tag SHAs: actions/checkout@v4 = 34e114876b0b11c390a56381ad16ebd13914f8d5, actions/setup-node@v4 = 49933ea5288caeca8642d1e84afbd3f7d6820020).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 23, Update the workflow steps that
reference actions/checkout@v4 and actions/setup-node@v4 to use the specific
commit SHAs instead of tag names: replace actions/checkout@v4 with
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 and
actions/setup-node@v4 with
actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 so the release
workflow pins those actions to immutable SHAs.
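Putting the walkthrough's hardening (empty top-level permissions, repository gating, job-scoped contents: read and id-token: write, the deploy environment) together with the two review suggestions (persist-credentials: false on checkout, actions pinned to commit SHAs) gives a release.yml of the following shape. This is an added illustration, not the workflow from this PR: the trigger, the npm script names, the Node version, registry-url and the needs: dependency are assumptions; the repository name is the one shown in the analysis chain above; the two commit SHAs are the values quoted in the review comment and should be re-resolved with the gh api commands shown there before use.

```yaml
# Added example of a hardened npm release workflow; not the PR's own file.
# Trigger, script names, node-version and registry-url are assumptions.
name: release

on:
  push:
    tags: ['v*']          # assumption: releases are cut from version tags

# Workflow-level default: no GITHUB_TOKEN scopes at all. Every job must opt in
# to exactly the scopes it needs, so a job that forgets gets nothing.
permissions: {}

jobs:
  quality-gates:
    # Repository gating: forks inherit this file but must not run the release
    # jobs with their own secrets or their own OIDC identity.
    if: github.repository == 'ton-org/ton'
    runs-on: ubuntu-latest
    permissions:
      contents: read      # a read-only checkout is all the checks need
    steps:
      # Pinned to the commit the v4 tag pointed at when the review ran
      # (SHA quoted in the review comment; re-resolve before relying on it).
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20             # assumption
          cache: npm
      - run: npm ci
      - run: npm run format:check      # assumption: script names
      - run: npm run typecheck
      - run: npm test

  publish:
    needs: quality-gates               # assumption: publish waits for the gates
    if: github.repository == 'ton-org/ton'
    runs-on: ubuntu-latest
    # Environment protection rules (required reviewers, tag/branch restrictions)
    # configured for "deploy" apply to this job before it starts.
    environment: deploy
    permissions:
      contents: read
      id-token: write     # lets npm request a short-lived OIDC token for this run
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # publish target
      - run: npm ci
      - run: npm run build
      # With id-token: write and a trusted publisher configured on npmjs.com for
      # this repository and workflow file, a recent npm CLI exchanges the OIDC
      # token for a publish credential itself; no long-lived NPM_TOKEN secret is
      # needed. --provenance attaches a signed attestation tying the package to
      # this workflow run.
      - run: npm publish --provenance --access public
```

Two things to check after adopting this shape: first, that no env block with NODE_AUTH_TOKEN survives on the publish step, because if a long-lived npm token is still injected the id-token: write scope is not what authenticates the publish and that secret remains the asset to protect; second, that the two SHAs match the tags you intend, by re-running the gh api calls from the analysis chain above and comparing the output against the uses: lines.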

novusnota left a comment

We might also need to eventually pin all action versions as suggested by CodeRabbitAI in https://github.com/ton-org/ton/pull/193/changes#r3337493863
