ci: harden CI workflow and disable npm install scripts#290
Merged
Conversation
Security hardening for the public repo's CI, where any fork PR runs the build/test steps:

- Add an explicit `permissions: contents: read` block. The workflow only reads the repo to lint, build, and test; it never writes. Previously it inherited the repo/org default token scopes, which can be read-write. Brings ci.yml in line with the other workflows, which all set permissions.
- Set `persist-credentials: false` on all three checkouts. The default leaves GITHUB_TOKEN in .git/config, and later steps execute PR-authored code (npm scripts, build). The job never needs git auth after checkout.
- Add .npmrc with `ignore-scripts=true` to block dependency lifecycle scripts (pre/install/post) on npm ci, neutralizing the compromised-transitive-dependency supply-chain vector. No dependency in the lockfile declares an install script and esbuild ships its binary via @esbuild/* optional packages, so this changes nothing functionally; explicitly invoked `npm run` scripts are unaffected.
Why

Security hardening for the public repo's CI workflow. Because the repo is public and `ci.yml` triggers on `pull_request`, any fork PR runs the build/test steps on a runner. The workflow was also the only one in the repo without an explicit `permissions:` block.

These are hardening gaps, not active vulnerabilities. The workflow already uses the safe `pull_request` trigger (not `pull_request_target`), `npm ci` (lockfile-pinned), and interpolates no PR-controlled data into `run:` blocks (no script-injection vector).

What

- Add `permissions: contents: read` at the top level. The workflow only reads the repo to lint, build, and test; it never writes commits, comments, or releases. Previously it inherited the repo/org default token scopes, which can be read-write. This also brings `ci.yml` in line with the other workflows, which all set explicit permissions.
- Set `persist-credentials: false` on all three `actions/checkout` steps. The default leaves `GITHUB_TOKEN` in `.git/config`, and later steps execute PR-authored code (npm scripts, build). The job never needs git auth after checkout.
- Add `.npmrc` with `ignore-scripts=true` to block dependency lifecycle scripts (pre/install/post) on `npm ci`, neutralizing the compromised-transitive-dependency supply-chain vector.

Why ignore-scripts is safe here

- No dependency in `package-lock.json` declares an install script (`hasInstallScript` appears nowhere).
- esbuild ships its binary via `@esbuild/<platform>` optional packages, not a postinstall download.
- Explicitly invoked `npm run` scripts are unaffected; only pre/post/install lifecycle hooks are blocked.
- `build`, `test:js`, `vendor:pixi`, and `test:php:install` are unaffected.

The `.npmrc` is repo-wide, so it also applies to contributors' local `npm ci`/`npm install` as defense-in-depth (a no-op functionally given the above).

Out of scope

SHA-pinning the actions (currently `@v6`/`@v1`) plus a Dependabot config for `github-actions` was identified as a lower-priority follow-up and intentionally left out to keep this diff focused.
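The properties the description relies on, as an added check that is not part of the PR or the project: a line-based lint for the top-level `permissions:` block and for `persist-credentials: false` on checkout steps, plus a scan of `package-lock.json` for `hasInstallScript`, run over constructed sample inputs. The lint assumes the conventional one-key-per-line layout rather than parsing YAML.

```python
import json
import re

# Constructed sample inputs (not the project's real files): the weak workflow
# shape the PR describes, its hardened counterpart, and a small lockfile.
WEAK_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
      - run: npm ci && npm test
"""
HARDENED_WORKFLOW = """\
permissions:
  contents: read
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""
SAMPLE_LOCK = '{"lockfileVersion": 3, "packages": {"": {}, "node_modules/esbuild": {}, ' \
              '"node_modules/native-addon": {"hasInstallScript": true}}}'

def workflow_findings(text):
    """Line-oriented lint, no YAML parser: assumes one key per line and that a
    checkout step's `with:` block follows its `uses:` line."""
    lines = text.splitlines()
    found = []
    if not any(re.match(r"permissions:", ln) for ln in lines):
        found.append("no top-level permissions: block (inherits default token scopes)")
    for i, line in enumerate(lines):
        if not re.match(r"\s*(-\s+)?uses:\s+actions/checkout@", line):
            continue
        key_col = line.index("uses:")
        body = []  # remaining lines of this step: indented at least to the key
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break
            body.append(nxt.strip())
        if not any(re.match(r"persist-credentials:\s*['\"]?false", b) for b in body):
            found.append(f"line {i + 1}: checkout leaves GITHUB_TOKEN in .git/config")
    return found

def lockfile_install_scripts(lock_text):
    """Lockfile entries npm marks hasInstallScript (lockfileVersion 2/3 format)."""
    packages = json.loads(lock_text).get("packages", {})
    return sorted(name for name, meta in packages.items() if meta.get("hasInstallScript"))
```

Running `workflow_findings` on the real `ci.yml` before and after the change should go from two findings to none, and an empty `lockfile_install_scripts` result is the condition under which `ignore-scripts=true` is a functional no-op.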