ci: harden workflow install boundaries

- run non-test workflow installs with npm ci --ignore-scripts where lifecycle scripts are not needed
- reject plain npm ci in workflows with write permissions
- reject actions/cache in id-token: write workflows to reduce OIDC publish cache-poisoning risk
This commit is contained in:
Affaan Mustafa
2026-05-12 21:55:36 -04:00
committed by GitHub
parent 33db548be3
commit daf0355531
4 changed files with 52 additions and 2 deletions


@@ -261,7 +261,7 @@ jobs:
node-version: '20.x'
- name: Install dependencies
run: npm ci
run: npm ci --ignore-scripts
- name: Run ESLint
run: npx eslint scripts/**/*.js tests/**/*.js
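Review bot: The new `run: npm ci --ignore-scripts` line carries no explanation of why lifecycle scripts are being skipped, and the same applies to the `npm ci --ignore-scripts` line in the audit-workflow hunk below; a one-line comment above each protects the change from being reverted the first time a dependency's postinstall hook appears to be missing. Suggested comment: `# --ignore-scripts: this job only lints/audits, so dependency lifecycle scripts are not needed; skipping them keeps install-time code execution off the runner`. It is worth stating in that comment that packages which depend on an install-time build step (native addons, for example) will not be usable after this install, which is presumably fine for ESLint and `npm audit` but should be a deliberate choice. The hunk header reports seven lines per side while only the changed pair and five context lines are visible here, so part of this step's surroundings is outside what I can see.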


@@ -33,7 +33,7 @@ jobs:
- name: Run security audit
run: |
if [ -f package-lock.json ]; then
npm ci
npm ci --ignore-scripts
npm audit --audit-level=high
else
echo "No package-lock.json found; skipping npm audit"