From 57c354cd9d43e1428496a7289af7b098dc121527 Mon Sep 17 00:00:00 2001
From: Alec Larson <1925840+aleclarson@users.noreply.github.com>
Date: Tue, 25 Jun 2024 18:24:32 -0400
Subject: [PATCH] chore: use --ignore-scripts when publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

…to avoid malicious npm scripts running where NODE_AUTH_TOKEN is exposed.
---
.github/workflows/publish-beta.yml | 4 +++-
.github/workflows/publish-pr.yml | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish-beta.yml b/.github/workflows/publish-beta.yml
index 95ad8423..cbb7d5c8 100644
--- a/.github/workflows/publish-beta.yml
+++ b/.github/workflows/publish-beta.yml
@@ -99,9 +99,11 @@ jobs:
 node-version: '22.x'
 cache: pnpm
 - run: pnpm install
+ - run: pnpm build
+
 - run: |
 npm version ${{ needs.prepare-version.outputs.version }} --no-git-tag-version
- npm publish --tag beta
+ npm publish --tag beta --ignore-scripts
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
index fdb3afb0..a5e2c2b0 100644
--- a/.github/workflows/publish-pr.yml
+++ b/.github/workflows/publish-pr.yml
@@ -33,6 +33,7 @@ jobs:
 node-version: '22.x'
 cache: pnpm
 - run: pnpm install
+ - run: pnpm build
 - name: Calculate version
 id: get-version
@@ -41,7 +42,7 @@ jobs:
 - name: Update package version
 run: npm version ${{ steps.get-version.outputs.version }} --no-git-tag-version
 - name: Publish to NPM
- run: npm publish --tag pr${{ github.event.issue.number }}
+ run: npm publish --tag pr${{ github.event.issue.number }} --ignore-scripts
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
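Review bot: In the publish-beta.yml hunk, `npm version ${{ needs.prepare-version.outputs.version }} --no-git-tag-version` stays in the same `run: |` step as the hardened `npm publish`, so it runs under that step's `env:` with NODE_AUTH_TOKEN present and still executes the package's preversion/version/postversion scripts, which leaves part of the stated goal uncovered. Either pass the same flag there, `npm version ${{ needs.prepare-version.outputs.version }} --no-git-tag-version --ignore-scripts`, or move the version bump into its own step without the token, which is the layout publish-pr.yml already uses. The new `pnpm build` step runs before the token-bearing step, which looks like the right ordering. The rest of the job, including its checkout step, lies outside the hunk.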
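Review bot: The `- run: pnpm build` step added in the first publish-pr.yml hunk carries no comment saying why it is needed now: with `--ignore-scripts` on `npm publish` in the next hunk, the package's own prepare/prepack/prepublishOnly hooks no longer run, so this explicit build is what keeps the published tarball complete, and a later cleanup could drop it without noticing. Suggest `# --ignore-scripts on publish skips prepack/prepublishOnly, so build explicitly here` above the step; the same comment fits the matching step in publish-beta.yml. Since this workflow publishes per pull request (`github.event.issue.number`), the build script it runs presumably comes from whatever ref the job checks out, which is tolerable only while NODE_AUTH_TOKEN stays scoped to the publish step's `env:` as the next hunk shows, so it should not move to job-level `env:`. The checkout step is outside the hunk.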