@bleedingdev/modern-js-create 3.2.0-ultramodern.17 → 3.2.0-ultramodern.18

package/dist/index.js

@@ -1855,6 +1855,7 @@ function createTemplateManifest(modernVersion, packageSource) {
             targetRoot: 'generated-project-root',
             allowedPaths: [
                 '.agents/**',
+                '.github/**',
                 '.modernjs/**',
                 'AGENTS.md',
                 'README.md',
@@ -1871,7 +1872,6 @@ function createTemplateManifest(modernVersion, packageSource) {
             ],
             deniedPaths: [
                 '.git/**',
-                '.github/**',
                 '.npmrc',
                 '.yarnrc',
                 '.env',
@@ -1919,6 +1919,7 @@ function createTemplateManifest(modernVersion, packageSource) {
             ],
             postMaterializationValidation: [
                 'ultramodern-workspace-contract-check',
+                'github-workflow-security-enforced',
                 'pnpm-11-policy-enforced',
                 'template-manifest-retained'
             ],
@@ -2259,6 +2260,7 @@ function createBuiltinTemplateManifest(version) {
             postMaterializationValidation: [
                 'ultramodern-contract-check',
                 'dependency-install-with-lifecycle-deny',
+                'github-workflow-security-enforced',
                 'package-source-retained',
                 'pnpm-11-policy-enforced',
                 'rstest-smoke-tests',

package/package.json

@@ -21,7 +21,7 @@
   "engines": {
     "node": ">=20"
   },
-  "version": "3.2.0-ultramodern.17",
+  "version": "3.2.0-ultramodern.18",
   "types": "./dist/types/index.d.ts",
   "main": "./dist/index.js",
   "bin": {

package/template/.github/renovate.json

@@ -0,0 +1,53 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "helpers:pinGitHubActionDigests"
+  ],
+  "dependencyDashboard": true,
+  "minimumReleaseAge": "1 day",
+  "prConcurrentLimit": 5,
+  "prHourlyLimit": 2,
+  "rangeStrategy": "bump",
+  "schedule": [
+    "before 5am on monday"
+  ],
+  "timezone": "Etc/UTC",
+  "packageRules": [
+    {
+      "matchManagers": [
+        "github-actions"
+      ],
+      "groupName": "github-actions",
+      "labels": [
+        "dependencies",
+        "github-actions",
+        "security"
+      ]
+    },
+    {
+      "matchManagers": [
+        "npm"
+      ],
+      "matchUpdateTypes": [
+        "patch",
+        "minor"
+      ],
+      "groupName": "npm minor and patch updates",
+      "labels": [
+        "dependencies",
+        "npm"
+      ]
+    },
+    {
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "dependencyDashboardApproval": true,
+      "labels": [
+        "dependencies",
+        "major"
+      ]
+    }
+  ]
+}

package/template/.github/workflows/ultramodern-gates.yml.handlebars

@@ -4,27 +4,49 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ultramodern-gates-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   ultramodern-gates:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
           cache: pnpm
 
       - name: Install Dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Validate Ultramodern Contract
         run: pnpm run ultramodern:check
 
       - name: Build
+        env:
+          MODERN_PUBLIC_SITE_URL: http://localhost:8080
         run: pnpm run build

package/template/README.md

@@ -36,9 +36,13 @@ MODERN_BASELINE_ENABLE_BFF_REQUEST_ID=false
 MODERN_BASELINE_ENABLE_TELEMETRY_EXPORTERS=false
 ```
 
-The generated starter also includes `.github/workflows/ultramodern-gates.yml`.
-That workflow runs `pnpm run ultramodern:check` and `pnpm run build` on every
-push and pull request so the `presetUltramodern(...)` contract stays explicit.
+The generated starter also includes `.github/workflows/ultramodern-gates.yml`
+and `.github/renovate.json`. The workflow runs `pnpm run ultramodern:check` and
+`pnpm run build` on every push and pull request with read-only permissions,
+commit-pinned actions, frozen installs, and StepSecurity audit-mode runner
+hardening. Renovate is configured for dependency dashboard review, one-day
+release age, grouped updates, action digest pinning, and manual approval for
+major upgrades.
 
 ## Micro Vertical Workspaces
 

package/template/scripts/validate-ultramodern.mjs.handlebars

@@ -52,6 +52,7 @@ const requiredDeniedPaths = [
 const requiredPostMaterialization = [
   'ultramodern-contract-check',
   'dependency-install-with-lifecycle-deny',
+  'github-workflow-security-enforced',
   'package-source-retained',
   'pnpm-11-policy-enforced',
   'rstest-smoke-tests',
@@ -61,6 +62,7 @@ const requiredPaths = [
 {{#unless isSubproject}}
   'AGENTS.md',
   '.agents/skills-lock.json',
+  '.github/renovate.json',
   '.github/workflows/ultramodern-gates.yml',
   'oxlint.config.ts',
   'oxfmt.config.ts',
@@ -90,6 +92,53 @@ if (fs.existsSync(path.resolve(process.cwd(), 'src/routes/page.tsx'))) {
   process.exit(1);
 }
 
+{{#unless isSubproject}}
+const workflowContent = fs.readFileSync(
+  path.resolve(process.cwd(), '.github/workflows/ultramodern-gates.yml'),
+  'utf-8',
+);
+const renovateConfig = JSON.parse(
+  fs.readFileSync(path.resolve(process.cwd(), '.github/renovate.json'), 'utf-8'),
+);
+for (const requiredSnippet of [
+  'permissions:\n  contents: read',
+  'pull_request:',
+  'persist-credentials: false',
+  'pnpm install --frozen-lockfile',
+  'MODERN_PUBLIC_SITE_URL: http://localhost:8080',
+  'timeout-minutes:',
+  'egress-policy: audit',
+]) {
+  if (!workflowContent.includes(requiredSnippet)) {
+    console.error(`Generated workflow must retain ${requiredSnippet.split('\n')[0]}`);
+    process.exit(1);
+  }
+}
+if (workflowContent.includes('pull_request_target')) {
+  console.error('Generated workflow must not use pull_request_target');
+  process.exit(1);
+}
+for (const match of workflowContent.matchAll(/^\s*uses:\s*([^@\s]+)@([^\s#]+)/gmu)) {
+  const [, actionName, actionRef] = match;
+  if (!/^[a-f0-9]{40}$/u.test(actionRef)) {
+    console.error(`Generated workflow must pin ${actionName}@${actionRef} to a commit SHA`);
+    process.exit(1);
+  }
+}
+if (
+  renovateConfig.dependencyDashboard !== true ||
+  renovateConfig.minimumReleaseAge !== '1 day' ||
+  !renovateConfig.extends?.includes('helpers:pinGitHubActionDigests') ||
+  !renovateConfig.packageRules?.some(
+    (rule) =>
+      rule.dependencyDashboardApproval === true && rule.matchUpdateTypes?.includes('major'),
+  )
+) {
+  console.error('Generated Renovate config must retain dashboard, release-age, action pinning, and major-approval policy');
+  process.exit(1);
+}
+{{/unless}}
+
 const pageContent = fs.readFileSync(
   path.resolve(process.cwd(), 'src/routes/[lang]/page.tsx'),
   'utf-8',

package/template-workspace/.github/renovate.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
+  "dependencyDashboard": true,
+  "minimumReleaseAge": "1 day",
+  "prConcurrentLimit": 5,
+  "prHourlyLimit": 2,
+  "rangeStrategy": "bump",
+  "schedule": ["before 5am on monday"],
+  "timezone": "Etc/UTC",
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "groupName": "github-actions",
+      "labels": ["dependencies", "github-actions", "security"]
+    },
+    {
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["patch", "minor"],
+      "groupName": "npm minor and patch updates",
+      "labels": ["dependencies", "npm"]
+    },
+    {
+      "matchUpdateTypes": ["major"],
+      "dependencyDashboardApproval": true,
+      "labels": ["dependencies", "major"]
+    }
+  ]
+}

package/template-workspace/.github/workflows/ultramodern-workspace-gates.yml.handlebars

@@ -0,0 +1,52 @@
+name: Ultramodern Workspace Gates
+
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ultramodern-workspace-gates-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ultramodern-workspace-gates:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 1
+          persist-credentials: false
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Validate Ultramodern Workspace Contract
+        run: pnpm run ultramodern:check
+
+      - name: Build Workspace Apps
+        env:
+          MODERN_PUBLIC_SITE_URL: http://localhost:8080
+        run: pnpm -r --filter "./apps/**" run build

package/template-workspace/README.md.handlebars

@@ -19,7 +19,12 @@ Run the scaffold validator before adding business code:
 pnpm ultramodern:check
 ```
 
-The topology and ownership metadata are generated under `topology/`.
+The topology and ownership metadata are generated under `topology/`. The
+workspace also ships `.github/workflows/ultramodern-workspace-gates.yml` and
+`.github/renovate.json` with read-only workflow permissions, commit-pinned
+actions, frozen installs, StepSecurity audit-mode runner hardening, dependency
+dashboard review, one-day release age, grouped updates, and manual approval for
+major upgrades.
 
 Package source metadata is generated at
 `.modernjs/ultramodern-package-source.json`. The default strategy keeps

package/template-workspace/scripts/validate-ultramodern-workspace.mjs.handlebars

@@ -41,6 +41,8 @@ const requiredPaths = [
   'tsconfig.base.json',
   'oxlint.config.ts',
   'oxfmt.config.ts',
+  '.github/renovate.json',
+  '.github/workflows/ultramodern-workspace-gates.yml',
   '.agents/skills-lock.json',
   '.agents/rstackjs-agent-skills-LICENSE',
   '.agents/skills/rsbuild-best-practices/SKILL.md',
@@ -121,6 +123,8 @@ const rootPackage = readJson('package.json');
 const packageSource = readJson('.modernjs/ultramodern-package-source.json');
 const skillsLock = readJson('.agents/skills-lock.json');
 const pnpmWorkspace = readText('pnpm-workspace.yaml');
+const workflowContent = readText('.github/workflows/ultramodern-workspace-gates.yml');
+const renovateConfig = readJson('.github/renovate.json');
 const deprecatedTanstackRuntime = '@modern-js/runtime/' + 'tanstack-router';
 const expectedModernSpecifier =
   packageSource.strategy === 'install' ? packageSource.modernPackages?.specifier : 'workspace:*';
@@ -164,6 +168,42 @@ assert(
   !pnpmWorkspace.includes('onlyBuiltDependencies'),
   'pnpm-workspace.yaml must use pnpm 11 allowBuilds instead of onlyBuiltDependencies',
 );
+for (const requiredSnippet of [
+  'permissions:\n  contents: read',
+  'pull_request:',
+  'persist-credentials: false',
+  'pnpm install --frozen-lockfile',
+  'pnpm -r --filter "./apps/**" run build',
+  'MODERN_PUBLIC_SITE_URL: http://localhost:8080',
+  'timeout-minutes:',
+  'egress-policy: audit',
+]) {
+  assert(
+    workflowContent.includes(requiredSnippet),
+    `Generated workspace workflow must retain ${requiredSnippet.split('\n')[0]}`,
+  );
+}
+assert(
+  !workflowContent.includes('pull_request_target'),
+  'Generated workspace workflow must not use pull_request_target',
+);
+for (const match of workflowContent.matchAll(/^\s*uses:\s*([^@\s]+)@([^\s#]+)/gmu)) {
+  const [, actionName, actionRef] = match;
+  assert(
+    /^[a-f0-9]{40}$/u.test(actionRef),
+    `Generated workspace workflow must pin ${actionName}@${actionRef} to a commit SHA`,
+  );
+}
+assert(
+  renovateConfig.dependencyDashboard === true &&
+    renovateConfig.minimumReleaseAge === '1 day' &&
+    renovateConfig.extends?.includes('helpers:pinGitHubActionDigests') &&
+    renovateConfig.packageRules?.some(
+      (rule) =>
+        rule.dependencyDashboardApproval === true && rule.matchUpdateTypes?.includes('major'),
+    ),
+  'Generated workspace Renovate config must retain dashboard, release-age, action pinning, and major-approval policy',
+);
 assert(
   rootPackage.modernjs?.packageSource?.config === './.modernjs/ultramodern-package-source.json',
   'Root must point to the UltraModern package source metadata',
@@ -506,5 +546,9 @@ assert(
   manifest.validation?.postMaterializationValidation?.includes('pnpm-11-policy-enforced'),
   'Template manifest must document pnpm 11 policy validation',
 );
+assert(
+  manifest.validation?.postMaterializationValidation?.includes('github-workflow-security-enforced'),
+  'Template manifest must document generated workflow security validation',
+);
 
 console.log('UltraModern workspace scaffold validated');