CI: ignore install scripts, run only the allowlisted ones (#46) #63
Closes #46.
## Summary

`npm ci` in `.forgejo/workflows/pr.yml` now runs with `--ignore-scripts`; an explicit `npx allow-scripts` step then executes only the lifecycle scripts listed in `package.json` under `lavamoat.allowScripts`.

- `@lavamoat/allow-scripts` added as a devDependency. Chose Lavamoat over a manual `npm rebuild` wrapper because the ticket asks for adding a new native-build dep to be a deliberate review step — Lavamoat fails CI on any un-configured install script, manual rebuild silently skips them.
- Allowlist entries:
  - `vitest>vite>esbuild` → `true` (esbuild's binary-link postinstall)
  - `next>sharp` → `true` (libvips bindings install/build check; needed for Next.js prod image optimization)
  - `eslint-config-next>eslint-import-resolver-typescript>unrs-resolver` → `true` (native Rust resolver, needed for the `import/no-unresolved` lint rule)
- `CLAUDE.md`: new guidance under *Working in this repo*, sibling to the SHA-pin convention from #45. Includes the workflow for extending the allowlist (`npx allow-scripts auto`, inspect, commit) and the gotcha that Lavamoat v2 requires fully-qualified `parent>child` paths, not leaf names.

## Acceptance criteria
- `grep -n 'npm ci' .forgejo/workflows/pr.yml` shows every invocation paired with `--ignore-scripts`.
- Allowlist lives in `package.json` (`lavamoat.allowScripts`).
- `npm test` passes locally with the new install flow — 61 tests pass, native bindings (`unrs-resolver`, `sharp`, `esbuild`) all functional after `allow-scripts`.

## Test plan
- …`unrs-resolver`), build (needs `sharp` + `esbuild`).
- `grep "npm ci" .forgejo/workflows/pr.yml` — every line ends in `--ignore-scripts`.
- With an entry missing from `lavamoat.allowScripts`, re-run `npx allow-scripts` — should fail with "missing configuration".

## Notes for reviewers
- `@lavamoat/allow-scripts` pulls in `npmlog`/`gauge`/etc. — npm warns several of them are deprecated. They're dev-only and don't ship in the runtime image, so the `npm_audit --omit=dev` gate won't surface them. If you'd rather avoid those transitives, the alternative is the manual `npm rebuild <pkgs>` approach (zero new deps, weaker enforcement) — happy to switch.
- `bbb`, `evil_dep`, `good_dep` (with install scripts) live inside other packages' `test/` directories, not as real edges. Lavamoat correctly skips them; no allowlist entries needed.

ae96c5646f9b8cbdc975
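The policy this PR adopts, as an added example that is neither Lavamoat's implementation nor code from this repo: packages are walked along dependency edges from the root `package.json`, every package with a `preinstall`/`install`/`postinstall` script is named by its fully-qualified `parent>child` path, and `lavamoat.allowScripts` decides whether it runs (`true`), is skipped (`false`) or fails the build (no entry). The same walk shows why fixture packages sitting under another package's `test/` directory never need an entry: nothing points at them, so the walk never reaches them. It also includes the acceptance-criterion check that every `npm ci` line in a workflow carries `--ignore-scripts`. The registry, root manifest and workflow text are constructed for the demo; the package names `native-thing` and `legacy-addon` and the function names are hypothetical.

```javascript
// Added example: toy model of the install-script allowlist described in the PR.
// Not Lavamoat's code and not this repo's code. All package data and the
// workflow text below are constructed so the script runs offline.

const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Constructed stand-in for node_modules/<name>/package.json records.
const REGISTRY = {
  vitest: { dependencies: { vite: "*" } },
  vite: { dependencies: { esbuild: "*" } },
  esbuild: { scripts: { postinstall: "node install.js" } },
  next: { dependencies: { sharp: "*" } },
  sharp: { scripts: { install: "node install/check.js" } },
  "eslint-config-next": { dependencies: { "eslint-import-resolver-typescript": "*" } },
  "eslint-import-resolver-typescript": { dependencies: { "unrs-resolver": "*" } },
  "unrs-resolver": { scripts: { postinstall: "napi-postinstall unrs-resolver" } },
  "left-pad": {},
  // Hypothetical direct deps: one deliberately disabled, one with no entry at all.
  "legacy-addon": { scripts: { install: "node-gyp rebuild" } },
  "native-thing": { scripts: { preinstall: "node-gyp rebuild" } },
  // On disk as a fixture under some package's test/ directory, but no
  // dependency edge points at it, so the walk below never sees it.
  evil_dep: { scripts: { postinstall: "node run-me.js" } },
};

// Constructed root package.json with the PR's three allowlist entries plus
// one hypothetical `false` entry.
const ROOT = {
  dependencies: { next: "*", "left-pad": "*", "legacy-addon": "*", "native-thing": "*" },
  devDependencies: { vitest: "*", "eslint-config-next": "*" },
  lavamoat: {
    allowScripts: {
      "vitest>vite>esbuild": true,
      "next>sharp": true,
      "eslint-config-next>eslint-import-resolver-typescript>unrs-resolver": true,
      "legacy-addon": false,
    },
  },
};

function hasLifecycleScript(pkg) {
  return LIFECYCLE.some((k) => pkg.scripts && typeof pkg.scripts[k] === "string");
}

// Walk dependency edges from the root and return a Map of canonical name
// ("parent>child", root omitted) -> package record for every package that
// carries a lifecycle script. Only reachable packages are considered.
function collectScriptPackages(root, registry) {
  const found = new Map();
  const visit = (deps, prefix, seen) => {
    for (const name of Object.keys(deps || {})) {
      if (seen.has(name)) continue; // cycle guard
      const pkg = registry[name];
      if (!pkg) throw new Error(`package not installed: ${name}`);
      const canonical = prefix ? `${prefix}>${name}` : name;
      if (hasLifecycleScript(pkg)) found.set(canonical, pkg);
      visit(pkg.dependencies, canonical, new Set([...seen, name]));
    }
  };
  visit({ ...root.dependencies, ...root.devDependencies }, "", new Set());
  return found;
}

// Apply the allowlist: true -> run, false -> skip, absent -> missing config.
function applyAllowScripts(root, registry) {
  const policy = (root.lavamoat && root.lavamoat.allowScripts) || {};
  const result = { run: [], skipped: [], missing: [] };
  for (const canonical of collectScriptPackages(root, registry).keys()) {
    if (policy[canonical] === true) result.run.push(canonical);
    else if (policy[canonical] === false) result.skipped.push(canonical);
    else result.missing.push(canonical);
  }
  return result;
}

// CI gate: any un-configured script package fails the build instead of being
// silently skipped, which is the property the PR chose Lavamoat for.
function assertConfigured(result) {
  if (result.missing.length > 0) {
    throw new Error(`missing configuration for: ${result.missing.join(", ")}`);
  }
  return result;
}

// Acceptance-criterion check: every `npm ci` line must carry --ignore-scripts.
// Returns the offending lines as "lineno: text".
function npmCiWithoutIgnoreScripts(workflowText) {
  return workflowText
    .split("\n")
    .map((line, i) => ({ n: i + 1, line }))
    .filter(({ line }) => /\bnpm ci\b/.test(line) && !/--ignore-scripts\b/.test(line))
    .map(({ n, line }) => `${n}: ${line.trim()}`);
}

// Constructed workflow excerpt; the build job forgot the flag.
const SAMPLE_WORKFLOW = `jobs:
  test:
    steps:
      - run: npm ci --ignore-scripts
      - run: npx allow-scripts
      - run: npm test
  build:
    steps:
      - run: npm ci
      - run: npm run build
`;

console.log(applyAllowScripts(ROOT, REGISTRY));
console.log(npmCiWithoutIgnoreScripts(SAMPLE_WORKFLOW));
```

Two things the walk makes concrete: swapping the PR's entries for leaf names (`esbuild: true`, `sharp: true`, `unrs-resolver: true`) leaves all three nested packages unconfigured, which is the Lavamoat v2 gotcha called out in `CLAUDE.md`; and `evil_dep` never appears in any bucket because it has no incoming dependency edge, matching the note that fixture packages need no allowlist entries.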