ci(security): add pnpm audit signatures step to validate job
Catches tampered package signatures (compromised maintainer supply-chain attack) before they reach CI artifacts.
This commit is contained in:
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
@@ -51,6 +51,8 @@ jobs:
|
||||
node-version: 22
|
||||
cache: pnpm
|
||||
- run: pnpm install --frozen-lockfile
|
||||
- name: Audit package signatures
|
||||
run: pnpm audit signatures --audit-level=high
|
||||
- name: Socket supply-chain scan
|
||||
if: github.event_name == 'pull_request'
|
||||
run: |
|
||||
|
||||
Reference in New Issue
Block a user