build(security): apply install-script allowlist to Dockerfile npm ci (#69) #90
No reviewers
Labels
No labels
area:auth
area:ci
area:db
area:infra
area:native
area:pwa
area:service
epic
feature
foundation
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
james/carol!90
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "69-dockerfile-allow-scripts"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Closes #69. Resolves the Dockerfile is exempt caveat carried by ADR-0014 since #16.
What lands
Dockerfile—depsstage now runsnpm ci --ignore-scripts && CI=true npx allow-scripts, mirroring the PR-workflow pattern from #46 / ADR-0010 verbatim. Both paths share one allowlist (package.jsonlavamoat.allowScripts).docs/ci.md— Install scripts (allowlisted) section extended to cover both PR-time and release-build gates, including theCI=truedetail for lefthook's short-circuit.Why
CI=trueis scoped to theallow-scriptsinvocation onlylefthook's postinstall callslefthook install -f, which short-circuits whenCI=true. Inside the Docker build there is no.gitand noCI=truefrom the runner, so without that env scoping the lefthook script would try (and fail) to wire up git hooks. SettingCI=trueonly on the single command line keeps the variable out of thebuilderandruntimestages, which set their own env.Verification (podman)
Positive path — full multi-stage build succeeds end-to-end. The
depsstage log shows:All four allowlisted scripts ran; no errors or warnings. Lefthook's postinstall short-circuited silently.
Destructive proof the gate fires inside the container — temporarily dropped
vitest>vite>esbuildfromlavamoat.allowScripts, rebuilt thedepsstage, observed:Build aborted at the exact step we hardened. Allowlist restored.
Acceptance criteria
docker build .(run aspodman build) produces an image whose runtime stage is unchanged in shape — only thedepsinstall layer's contents differ.docs/ci.mdInstall scripts (allowlisted).Composes with
Test plan
pr.ymljobs (the workflow paths are unchanged; only the Dockerfile path moved).image_scanrun rebuilds the image with the newdepsstage and reports clean.