diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 335ebc4..6e4eb3f 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -5,9 +5,6 @@ on:
     branches: ["main"]
   pull_request:
 
-permissions:
-  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
-
 jobs:
   build:
     strategy:
@@ -31,7 +28,7 @@ jobs:
             node_modules-${{ matrix.os }}-node-${{ matrix.node-version }}
 
       - name: Run clean install
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Run tests
         run: npm test
@@ -40,6 +37,8 @@ jobs:
     name: Run eslint and sonar scanning
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      pull-requests: read # allows SonarCloud to decorate PRs with analysis results
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -61,9 +60,9 @@ jobs:
         run: npm run lint -- --format json --output-file eslint-results.json || true
 
       - name: Install Coverage Reporters
-        run: npm install -g nyc
+        run: npm install --ignore-scripts -g nyc
       - name: Install Mocha reporters
-        run: npm install -d mocha-multi-reporters mocha-junit-reporter mocha-sonarqube-reporter
+        run: npm install --ignore-scripts -d mocha-multi-reporters mocha-junit-reporter mocha-sonarqube-reporter
       - name: create mocha config
         run: |
           echo '{
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 023c537..e7556b4 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -23,7 +23,7 @@ jobs:
       - name: Update npm
         run: npm install -g npm@latest
       - run: npm -v
-      - run: npm ci
+      - run: npm ci --ignore-scripts
       - run: npm run compile
       - run: npm test
       - run: npm publish