Commit 35cb5a8b authored by Will Cory

🔒 feat: Improve security of CI by not running scripts

parent 631b6f48
...@@ -155,7 +155,7 @@ jobs: ...@@ -155,7 +155,7 @@ jobs:
- "node_modules" - "node_modules"
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --offline command: pnpm install:ci:offline
- run: - run:
name: print forge version name: print forge version
command: forge --version command: forge --version
...@@ -367,7 +367,7 @@ jobs: ...@@ -367,7 +367,7 @@ jobs:
# populate node modules from the cache # populate node modules from the cache
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- run: - run:
name: print forge version name: print forge version
command: forge --version command: forge --version
...@@ -399,7 +399,7 @@ jobs: ...@@ -399,7 +399,7 @@ jobs:
# populate node modules from the cache # populate node modules from the cache
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
# Note: this step needs to come first because one of the later steps modifies the cache & forces a contracts rebuild # Note: this step needs to come first because one of the later steps modifies the cache & forces a contracts rebuild
- run: - run:
name: semver lock name: semver lock
...@@ -493,7 +493,7 @@ jobs: ...@@ -493,7 +493,7 @@ jobs:
- attach_workspace: { at: "." } - attach_workspace: { at: "." }
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- check-changed: - check-changed:
patterns: contracts-bedrock patterns: contracts-bedrock
- run: - run:
...@@ -539,7 +539,7 @@ jobs: ...@@ -539,7 +539,7 @@ jobs:
# populate node modules from the cache # populate node modules from the cache
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- run: - run:
name: Lint name: Lint
command: pnpm lint && git diff --exit-code command: pnpm lint && git diff --exit-code
...@@ -568,7 +568,7 @@ jobs: ...@@ -568,7 +568,7 @@ jobs:
# populate node modules from the cache # populate node modules from the cache
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- run: - run:
name: Check generated and build name: Check generated and build
command: pnpm generate:check command: pnpm generate:check
...@@ -590,7 +590,7 @@ jobs: ...@@ -590,7 +590,7 @@ jobs:
# populate node modules from the cache # populate node modules from the cache
- run: - run:
name: Install dependencies name: Install dependencies
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- run: - run:
name: anvil-l1 name: anvil-l1
background: true background: true
...@@ -654,7 +654,7 @@ jobs: ...@@ -654,7 +654,7 @@ jobs:
npm i pnpm --global npm i pnpm --global
- run: - run:
name: pnpm dev deps name: pnpm dev deps
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
- run: - run:
name: specs toc name: specs toc
command: pnpm lint:specs:toc && git diff --exit-code ./specs command: pnpm lint:specs:toc && git diff --exit-code ./specs
...@@ -674,7 +674,7 @@ jobs: ...@@ -674,7 +674,7 @@ jobs:
- run: - run:
name: Install node_modules name: Install node_modules
command: | command: |
pnpm install --frozen-lockfile --prefer-offline pnpm install:ci
- run: - run:
name: Lint check name: Lint check
command: | command: |
...@@ -951,7 +951,7 @@ jobs: ...@@ -951,7 +951,7 @@ jobs:
working_directory: indexer working_directory: indexer
- run: - run:
name: Install node_modules name: Install node_modules
command: pnpm install --frozen-lockfile --prefer-offline command: pnpm install:ci
working_directory: indexer/api-ts working_directory: indexer/api-ts
- run: - run:
name: Install tygo name: Install tygo
...@@ -1068,7 +1068,7 @@ jobs: ...@@ -1068,7 +1068,7 @@ jobs:
- run: - run:
name: Install and build name: Install and build
command: | command: |
pnpm install --frozen-lockfile --prefer-offline && pnpm build pnpm install:ci && pnpm build
- attach_workspace: - attach_workspace:
at: /tmp/workspace at: /tmp/workspace
- run: - run:
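Review bot: In the hunk at line 951, `pnpm install:ci` runs with `working_directory: indexer/api-ts`, and pnpm resolves a script name against the package.json in the current directory, so this step only works if that package also defines `install:ci` — nothing in this commit appears to add it. If indexer/api-ts is a standalone package with its own lockfile (the original inline install there suggests it is), the safer change is to keep the flags inline for that step: `command: pnpm install --frozen-lockfile --prefer-offline --ignore-scripts`. The remaining hunks in this file run from the repository root and will find the root script. A one-line comment above the first install step, e.g. `# install:ci installs with --ignore-scripts so dependency lifecycle hooks cannot run; nx is rebuilt explicitly`, would tell a later reader why the flags moved out of this config.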
...@@ -19,7 +19,7 @@ runs: ...@@ -19,7 +19,7 @@ runs:
- name: Install node dependencies - name: Install node dependencies
shell: bash shell: bash
run: pnpm install --frozen-lockfile run: pnpm install:ci
- name: Derive appropriate SHAs for base and head for `nx affected` commands - name: Derive appropriate SHAs for base and head for `nx affected` commands
uses: nrwl/nx-set-shas@v3 uses: nrwl/nx-set-shas@v3
with: with:
...@@ -20,7 +20,7 @@ build-ts: submodules ...@@ -20,7 +20,7 @@ build-ts: submodules
if [ -n "$$NVM_DIR" ]; then \ if [ -n "$$NVM_DIR" ]; then \
. $$NVM_DIR/nvm.sh && nvm use; \ . $$NVM_DIR/nvm.sh && nvm use; \
fi fi
pnpm install pnpm install:ci
pnpm build pnpm build
.PHONY: build-ts .PHONY: build-ts
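Review bot: `build-ts` is a developer-facing target, and `install:ci` carries `--frozen-lockfile`, so `make build-ts` now fails whenever pnpm-lock.yaml is out of date with package.json instead of updating it as the previous bare `pnpm install` did. That may be intended, but it is a behaviour change worth recording next to the call, e.g. `# install:ci: frozen lockfile and no dependency lifecycle scripts; run 'pnpm install' first if the lockfile needs updating`. If local installs are meant to be less strict than CI, a separate non-frozen script that still passes `--ignore-scripts` would keep the hardening for developers without the lockfile failure. The `build-ts` recipe begins before this hunk, so the nvm lines above may not be its first steps.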
...@@ -73,7 +73,7 @@ WORKDIR /opt/optimism ...@@ -73,7 +73,7 @@ WORKDIR /opt/optimism
COPY --from=manifests /tmp/manifests ./ COPY --from=manifests /tmp/manifests ./
COPY *.json ./ COPY *.json ./
RUN pnpm install --frozen-lockfile RUN pnpm install:ci
COPY ./packages ./packages COPY ./packages ./packages
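Review bot: `RUN pnpm install:ci` now also executes the root `postinstall` script and `pnpm rebuild nx` in a layer that contains only the copied manifests and the root `*.json` files; `COPY ./packages ./packages` follows on the next line, so anything the root postinstall touches under packages/ does not exist yet at that point. Whether that matters depends on what the root postinstall does, which is outside this diff, so please confirm it needs only the root manifests. A comment above the RUN line such as `# install:ci uses --ignore-scripts; only the root postinstall and nx's own build hooks run in this layer` would make the layer-ordering intent explicit.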
...@@ -14,6 +14,8 @@ ...@@ -14,6 +14,8 @@
"build": "npx nx run-many --target=build", "build": "npx nx run-many --target=build",
"test": "npx nx run-many --target=test", "test": "npx nx run-many --target=test",
"issues": "./ops/scripts/todo-checker.sh", "issues": "./ops/scripts/todo-checker.sh",
"install:ci": "pnpm install --ignore-scripts --frozen-lockfile && pnpm postinstall && pnpm rebuild nx",
"install:ci:offline": "pnpm install --ignore-scripts --offline --frozen-lockfile && pnpm postinstall && pnpm rebuild nx",
"lint": "npx nx run-many --target=lint", "lint": "npx nx run-many --target=lint",
"test:coverage": "npx nx run-many --target=test:coverage", "test:coverage": "npx nx run-many --target=test:coverage",
"lint:ts:check": "npx nx run-many --target=lint:ts:check", "lint:ts:check": "npx nx run-many --target=lint:ts:check",
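Review bot: Both `install:ci` and `install:ci:offline` chain `pnpm postinstall`, and pnpm normally exits non-zero when the named script is not defined in the current package.json; the visible scripts block (lines 14-21) does not show a root `postinstall`, so please confirm one exists or the new scripts fail on the second command. `pnpm rebuild nx` deliberately re-runs lifecycle hooks for that single package, which makes nx the one dependency whose install-time scripts are still trusted; since package.json cannot hold comments, that exception and the reason for `--ignore-scripts` should be written down in the CI docs or the commit description. Note that arguments passed to `pnpm run` are appended to the last command in the chain, which is why `install:ci:offline` must duplicate the full string rather than forwarding `--offline` to `install:ci`.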
...@@ -17,7 +17,7 @@ RUN if [ "$METAMASK_PLAYWRIGHT_RUN_HEADLESS" != "false" ]; then \ ...@@ -17,7 +17,7 @@ RUN if [ "$METAMASK_PLAYWRIGHT_RUN_HEADLESS" != "false" ]; then \
# Copy necessary files and directories # Copy necessary files and directories
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/ COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/
RUN pnpm install --frozen-lockfile RUN pnpm install --frozen-lockfile --ignore-scripts
COPY tests /app/tests/ COPY tests /app/tests/
COPY playwright.config.ts /app/ COPY playwright.config.ts /app/
COPY start.sh /app/ COPY start.sh /app/
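Review bot: `--ignore-scripts` on this RUN line suppresses every dependency lifecycle hook in the /app image, and unlike the root `install:ci` script nothing is rebuilt or re-run afterwards; if any package in this image relied on a postinstall step (browser or driver downloads are the usual case for a Playwright setup), that work now has to happen explicitly in `start.sh` or a later `RUN`. The package.json for /app is not in this diff, so this may already be handled. A comment above the line, `# --ignore-scripts: dependency hooks are not run here; any required setup must be an explicit RUN step`, would document the intent for the next person who sees a missing-binary failure.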