voidzero-dev · fengmk2 · May 21, 2026 · May 20, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.github/actions/build-upstream/action.yml b/.github/actions/build-upstream/action.yml
@@ -62,7 +62,6 @@ runs:
     - name: Build upstream TypeScript packages
       shell: bash
       run: |
-        pnpm --filter @rolldown/pluginutils build
         pnpm --filter rolldown build-node
         pnpm --filter vite build-types
         pnpm --filter "@voidzero-dev/*" build

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -20,5 +20,29 @@ jobs:
   security:
     name: Security Analysis
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
+      # Checkout self and clone upstream rolldown so the bundled cargo-deny check
+      # inside security-action can resolve workspace members that reference
+      # `rolldown/crates/*`. Then clear origin so security-action's nested
+      # taiki-e/checkout-action can re-add it without conflict.
+      - uses: taiki-e/checkout-action@7d1e50e93dc4fb3bba58f85018fadf77898aee8b # v1.4.2
+
+      - name: Output rolldown hash
+        id: upstream-versions
+        shell: bash
+        run: node -e "console.log('ROLLDOWN_HASH=' + require('./packages/tools/.upstream-versions.json').rolldown.hash)" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: rolldown/rolldown
+          path: rolldown
+          ref: ${{ steps.upstream-versions.outputs.ROLLDOWN_HASH }}
+          persist-credentials: false
+
+      - name: Clear git origin for nested checkout
+        shell: bash
+        run: git remote remove origin
+
       - uses: oxc-project/security-action@77e230508eccbb400b23746dab6c573a8ea7483e # v1.0.5