Protect CI against supply chain attack on nodejs

2025-12-03 00:21:19 +01:00 · 2025-12-01 14:58:05 +01:00 · 2025-12-01 14:58:05 +01:00 · e15c11961f
commit e15c11961f
parent 042feacf3e
2 changed files with 15 additions and 2 deletions
--- a/.github/workflows/template-webui.yaml
+++ b/.github/workflows/template-webui.yaml
@ -1,6 +1,8 @@
 name: Build Web UI
 on:
  workflow_call: {}
+env:
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
 jobs:

  build-webui:
@ -19,10 +21,16 @@ jobs:
          cache: yarn
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        working-directory: ./webui
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: Build webui
        working-directory: ./webui
        run: |
-          yarn install
+          yarn install --ignore-scripts
          yarn build

      - name: Package webui
--- a/.github/workflows/test-unit.yaml
+++ b/.github/workflows/test-unit.yaml
@ -80,7 +80,12 @@ jobs:
          cache: 'yarn'
          cache-dependency-path: webui/yarn.lock

+      - name: Setup safe-chain
+        run: |
+          npm i -g @aikidosec/safe-chain
+          safe-chain setup-ci
+
      - name: UI unit tests
        run: |
-          yarn --cwd webui install
+          yarn --cwd webui install --ignore-scripts
          yarn --cwd webui test:unit:ci