chore: use --ignore-scripts when publishing

…to avoid malicious npm scripts running where NODE_AUTH_TOKEN is exposed.
radashi-org · Jun 25, 2024 · 57c354c · 57c354c
1 parent 49a0dc4
commit 57c354c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/.github/workflows/publish-beta.yml b/.github/workflows/publish-beta.yml
@@ -99,9 +99,11 @@ jobs:
           node-version: '22.x'
           cache: pnpm
       - run: pnpm install
+      - run: pnpm build
+
       - run: |
           npm version ${{ needs.prepare-version.outputs.version }} --no-git-tag-version
-          npm publish --tag beta
+          npm publish --tag beta --ignore-scripts
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 

diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
@@ -33,6 +33,7 @@ jobs:
           node-version: '22.x'
           cache: pnpm
       - run: pnpm install
+      - run: pnpm build
 
       - name: Calculate version
         id: get-version
@@ -41,7 +42,7 @@ jobs:
       - name: Update package version
         run: npm version ${{ steps.get-version.outputs.version }} --no-git-tag-version
       - name: Publish to NPM
-        run: npm publish --tag pr${{ github.event.issue.number }}
+        run: npm publish --tag pr${{ github.event.issue.number }} --ignore-scripts
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}