chore: use npm ci --ignore-scripts in CI and scripts (#276)

Replaces various uses of `npm install` with `npm ci --ignore-scripts`. This should both be more hermetic (it'll always use the locked versions rather than re-resolving) and will partially mitigate some build-time code execution risk. There should be no breakage risk, as the current dependency footprint is small and shouldn't include anything that uses build scripts 🙂 Signed-off-by: William Woodruff <william@astral.sh>
2026-05-20 07:50:13 +02:00 · 2025-12-02 02:09:27 -05:00
parent 1e133b7ccc
commit 5960f93ec0
3 changed files with 3 additions and 3 deletions
@@ -10,7 +10,7 @@
    "package": "ncc build -o dist/ruff-action src/ruff-action.ts && ncc build -o dist/update-known-checksums src/update-known-checksums.ts",
    "act": "act pull_request -W .github/workflows/test.yml --container-architecture linux/amd64 -s GITHUB_TOKEN=\"$(gh auth token)\"",
    "update-known-checksums": "RUNNER_TEMP=known_checksums node dist/update-known-checksums/index.js src/download/checksum/known-checksums.ts \"$(gh auth token)\"",
-    "all": "npm install && npm run build && npm run check && npm run package"
+    "all": "npm ci --ignore-scripts && npm run build && npm run check && npm run package"
  },
  "repository": {
    "type": "git",