7066c895f6
* chore: harden npm supply chain — pin overrides, enforce npm ci, add ignore-scripts Replace open-ended >= version overrides with exact pins matching lockfile versions across all 6 package.json files. Remove dead overrides for packages not present in lockfiles. Switch CI and devcontainer from npm install to npm ci for deterministic lockfile-based installs. Add .npmrc to all 7 JS project directories with ignore-scripts=true (blocks postinstall RAT vectors like the axios@1.14.1 supply chain attack) and min-release-age=3d (refuses packages published <3 days ago, requires npm >=11.10). Remove Yarn-only resolutions field from docs/my-website. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: bump sharp to 0.33.5 in docs, add docs .npmrc sharp 0.32.x uses postinstall to download native binaries, which breaks with ignore-scripts=true. sharp 0.33+ distributes via optionalDependencies instead, making it compatible with the new .npmrc hardening. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: remove docs .npmrc to fix Vercel deploy Vercel's build for docs/my-website uses npm install which needs sharp 0.32.6's postinstall script. Since we don't control Vercel's build process, remove the .npmrc from docs rather than fight it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: Dockerfile npm ci + nvm checksum verification - Replace npm install with npm ci in Dockerfile.non_root, Dockerfile.custom_ui, and spend-logs/Dockerfile for deterministic lockfile-based installs - Replace curl-pipe-bash nvm install with download-then-verify pattern in build_admin_ui.sh, build_ui.sh, and build_ui_custom_path.sh - Update nvm from v0.38.0 (2021) to v0.40.4 (Jan 2026) with SHA256 checksum verification before execution Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: macOS sha256sum compat + clarify min-release-age scope - Use shasum -a 256 fallback on macOS where sha256sum is unavailable - Clarify in .npmrc comments that min-release-age only protects local npm install, not npm ci (used in CI) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
35 lines
766 B
YAML
35 lines
766 B
YAML
name: UI Build Check
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
build-ui:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
defaults:
|
|
run:
|
|
working-directory: ui/litellm-dashboard
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0
|
|
with:
|
|
node-version: "20"
|
|
cache: "npm"
|
|
cache-dependency-path: ui/litellm-dashboard/package-lock.json
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Build
|
|
run: npm run build
|