feat: integrate security scan CI workflow#668

Merged
ThomasRalee merged 1 commit into
chore/add-alchemy-rpcs-to-ledger-trezorfrom
feat/I-1423-integrate-security-scan-CI-workflow
May 15, 2026

Conversation

@ThomasRalee
Collaborator

@ThomasRalee ThomasRalee commented May 15, 2026

Summary by CodeRabbit

  • Chores
    • Refactored the publishing workflow to split dependency installation and build into separate steps and added an automated security scan during the build phase; release, publishing, and notification steps remain unchanged.

Review Change Stack

@linear

linear Bot commented May 15, 2026

I-1423

@coderabbitai

coderabbitai Bot commented May 15, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 86d616c1-0262-46a1-aac4-57890c17349f

📥 Commits

Reviewing files that changed from the base of the PR and between c3fdf1c and f25d81f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml
📒 Files selected for processing (1)
  • .github/workflows/publish.yaml

📝 Walkthrough

Walkthrough

The publish workflow's build phase was refactored to separate concerns. The prior single "Build dependencies" step combining environment setup, dependency installation, and compilation was split into three discrete steps: "Install dependencies" runs environment bootstrap and package installation, a new "Security scan" step runs the InjectiveLabs security-scan action with a 5-minute timeout, and "Build" runs the pnpm build command. The remainder of the publish job logic remains unchanged.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'feat: integrate security scan CI workflow' directly and accurately describes the main change: adding a security scan step to the CI/CD pipeline.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yaml:
- Around line 197-199: The workflow step named "Security scan" currently pins
the external action to a mutable ref (`uses:
InjectiveLabs/github-fe/actions/security-scan@master`); replace that mutable ref
with an immutable commit SHA of the security-scan action (e.g., `uses:
InjectiveLabs/github-fe/actions/security-scan@<commit-sha>`) to prevent
supply-chain and reproducibility issues, by updating the `uses` value in the
publish YAML step for the "Security scan" action and committing the specific SHA
from the upstream repository; optionally add a comment or dependabot rule to
periodically refresh the pinned SHA.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cde8407a-ec6b-4f3e-9678-9cb97e834633

📥 Commits

Reviewing files that changed from the base of the PR and between 2aadc2a and c3fdf1c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml
📒 Files selected for processing (1)
  • .github/workflows/publish.yaml

Comment on lines +197 to +199
- name: Security scan
uses: InjectiveLabs/github-fe/actions/security-scan@master
timeout-minutes: 5

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cd /tmp && git clone https://github.com/InjectiveLabs/injective-ts 2>/dev/null || true
cd /tmp/injective-ts 2>/dev/null || cd . && cat -n .github/workflows/publish.yaml | head -210

Repository: InjectiveLabs/injective-ts

Length of output: 9348


🏁 Script executed:

cat -n .github/workflows/publish.yaml | grep -A 15 -B 15 "security-scan"

Repository: InjectiveLabs/injective-ts

Length of output: 1196


🏁 Script executed:

head -50 .github/workflows/publish.yaml

Repository: InjectiveLabs/injective-ts

Length of output: 1630


Pin the security-scan action to an immutable commit SHA.

Line 198 uses a mutable ref (@master) on an external action within a publish workflow that has contents: write and id-token: write permissions. This creates a supply-chain risk—the action code could change without notice, or the external repository could be compromised, allowing arbitrary code execution during package publishing and git operations. Additionally, this breaks reproducibility.

Suggested fix
      - name: Security scan
-       uses: InjectiveLabs/github-fe/actions/security-scan@master
+       uses: InjectiveLabs/github-fe/actions/security-scan@<commit_sha>
        timeout-minutes: 5
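Review bot: `<commit_sha>` in the `+` line is a placeholder, so this suggestion cannot be committed as written; the `uses:` value needs the full 40-character commit SHA of the security-scan action taken from the InjectiveLabs/github-fe repository (an abbreviated SHA is not an immutable pin), and a trailing `# <tag or version>` comment on that line keeps the ref readable and gives Dependabot something to update when the pinned SHA is refreshed, as the prompt text above recommends. The unchanged `timeout-minutes: 5` context is fine to keep as-is.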
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yaml around lines 197 - 199, The workflow step
named "Security scan" currently pins the external action to a mutable ref
(`uses: InjectiveLabs/github-fe/actions/security-scan@master`); replace that
mutable ref with an immutable commit SHA of the security-scan action (e.g.,
`uses: InjectiveLabs/github-fe/actions/security-scan@<commit-sha>`) to prevent
supply-chain and reproducibility issues, by updating the `uses` value in the
publish YAML step for the "Security scan" action and committing the specific SHA
from the upstream repository; optionally add a comment or dependabot rule to
periodically refresh the pinned SHA.
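The mutable-ref finding above applies to every `uses:` line in a workflow, not just the security-scan step. As an added example, not part of this PR or of CodeRabbit's output, here is a small Python checker that flags `uses:` references that are not pinned to a full 40-character commit SHA; the sample workflow text is constructed, and the checkout SHA in it is a placeholder, not a real commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re

# A `uses:` line: optional list dash, owner/repo[/path]@ref, optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def check_uses_refs(workflow_text):
    """Return (line_no, ref, reason) for every action ref that is not an immutable pin."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and Docker images are not pinned by git SHA; skip them here.
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        if '@' not in ref:
            findings.append((line_no, ref, 'no ref at all (resolves to the default branch)'))
            continue
        _action, _, version = ref.rpartition('@')
        if FULL_SHA_RE.match(version):
            continue  # full SHA: immutable, nothing to report
        if re.fullmatch(r'[0-9a-f]{7,39}', version):
            reason = 'abbreviated SHA; pin the full 40-character SHA'
        elif re.fullmatch(r'v?\d+(\.\d+)*', version):
            reason = 'version tag; tags are mutable'
        else:
            reason = 'branch name or other mutable ref'
        findings.append((line_no, ref, reason))
    return findings


# Constructed sample: the security-scan line is the one from this PR; the checkout SHA
# below is a placeholder and does not correspond to any real commit.
SAMPLE_WORKFLOW = """\
steps:
  - name: Install dependencies
    run: pnpm install
  - name: Security scan
    uses: InjectiveLabs/github-fe/actions/security-scan@master
    timeout-minutes: 5
  - name: Checkout
    uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder-tag
  - name: Build
    run: pnpm build
"""

if __name__ == '__main__':
    for line_no, ref, reason in check_uses_refs(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref}: {reason}')
```

Run it over `.github/workflows/*.yaml` in CI to fail the build on any finding; the only reference that passes is a full lowercase hex SHA.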

@ThomasRalee ThomasRalee force-pushed the feat/I-1423-integrate-security-scan-CI-workflow branch from c3fdf1c to f25d81f Compare May 15, 2026 15:38
@ThomasRalee ThomasRalee merged commit 995f3ec into chore/add-alchemy-rpcs-to-ledger-trezor May 15, 2026
3 of 4 checks passed
@ThomasRalee ThomasRalee deleted the feat/I-1423-integrate-security-scan-CI-workflow branch May 15, 2026 15:38