Protect against npm supply chain attacks in GitHub Actions

.github/workflows/manual-test-matrix-workflow.yaml

@@ -75,9 +75,13 @@ jobs:
       - name: "Check docker status"
         run: systemctl status docker
       - name: "Run npm install"
-        run: "npm install"
+        run: "npm install --ignore-scripts --before=\"$(date -d '7 days ago' --iso-8601=seconds)\""
+      - name: "Install Cypress binary"
+        run: "npx cypress install"
       - name: "Run compile"
         run: "npm run compile"
+      - name: "Download resources"
+        run: "npm run resources"
       - name: "Run test(s)"
         env:
           BERG_VERBOSE: ${{ inputs.verbose }}

.github/workflows/on-pull-request-workflow.yaml

@@ -21,9 +21,13 @@ jobs:
           distribution: "adopt"
           java-version: "17"
       - name: Install Dependencies
-        run: npm install
+        run: npm install --ignore-scripts --before="$(date -d '7 days ago' --iso-8601=seconds)"
+      - name: Install Cypress binary
+        run: npx cypress install
       - name: Compile TypeScript
         run: npm run compile
+      - name: Download resources
+        run: npm run resources
       - name: Lint
         run: npm run lint
       - name: Get changed files

.github/workflows/reusable-build-project-workflow.yaml

@@ -36,9 +36,13 @@ jobs:
         with:
           firefox-version: "latest-esr"
       - name: "Run npm install"
-        run: "npm install"
+        run: "npm install --ignore-scripts --before=\"$(date -d '7 days ago' --iso-8601=seconds)\""
+      - name: "Install Cypress binary"
+        run: "npx cypress install"
       - name: "Run compile"
         run: "npm run compile"
+      - name: "Download resources"
+        run: "npm run resources"
       - name: "Run all tests"
         if: "${{ github.event.inputs.spec == '' }}"
         env:

.github/workflows/scheduled-run-all-tests-workflow.yaml

@@ -1,7 +1,7 @@
 on:
   schedule:
-    - cron: "0 0 * * *"
-name: "Nightly matrix workflow"
+    - cron: "0 0 * * 1"
+name: "Weekly matrix workflow"
 concurrency:
   group: ${{ github.ref }}
   cancel-in-progress: true
@@ -70,9 +70,13 @@ jobs:
       - name: "Check docker status"
         run: "systemctl status docker"
       - name: "Run npm install"
-        run: "npm install"
+        run: "npm install --ignore-scripts --before=\"$(date -d '7 days ago' --iso-8601=seconds)\""
+      - name: "Install Cypress binary"
+        run: "npx cypress install"
       - name: "Run compile"
         run: "npm run compile"
+      - name: "Download resources"
+        run: "npm run resources"
       - name: "Run test(s)"
         run: "npm run test:compiled -- --browser=chrome --specs=packages/testsuite/cypress/e2e/${{ matrix.specs }}/*.cy.ts"
       - name: "Archive test report(s) and video(s)"

README.md

@@ -45,6 +45,21 @@ npm install
 
 in the root directory to download all of the NPM dependencies specified in `package.json`
 
+> **Security note:** To protect against npm supply chain attacks, it is recommended to use the following flags:
+> - `--ignore-scripts` — prevents pre/post install scripts of dependencies from executing (main attack vector)
+> - `--before` — limits package resolution to versions published more than 7 days ago, relying on security teams removing compromised packages within that window
+>
+> ```
+> npm install --ignore-scripts --before="$(date -d '7 days ago' --iso-8601=seconds 2>/dev/null || date -v -7d +%Y-%m-%dT%H:%M:%S)"
+> ```
+>
+> Note: `--ignore-scripts` also skips the project's own `postinstall` hook and the Cypress binary download. Run the following steps manually afterwards:
+> ```
+> npx cypress install
+> npm run compile
+> npm run resources
+> ```
+
 - If you want to run Cypress developer console with the loaded spec files, run
 
 ```