From add5d4ee5db8bfab34be30d5d6b0895d50d63385 Mon Sep 17 00:00:00 2001
From: Ramona Hartinger
Date: Fri, 2 Jan 2026 08:01:34 +0100
Subject: [PATCH 1/2] ci: only allowed sonar job to read PRs
---
 .github/workflows/nodejs.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 335ebc4..629b429 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -5,9 +5,6 @@ on: branches: ["main"] pull_request: -permissions: - pull-requests: read # allows SonarCloud to decorate PRs with analysis results - jobs: build: strategy:
@@ -40,6 +37,8 @@ jobs: name: Run eslint and sonar scanning runs-on: ubuntu-latest needs: build + permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results steps: - name: Checkout code uses: actions/checkout@v6
From 4c69027c7c89a1c623d87cc5f62fcfccda4ef251 Mon Sep 17 00:00:00 2001
From: Ramona Hartinger
Date: Fri, 2 Jan 2026 11:12:57 +0100
Subject: [PATCH 2/2] ci: adding --ignore-scripts to prevent script injections
---
 .github/workflows/nodejs.yml | 6 +++---
 .github/workflows/npm-publish.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index 629b429..6e4eb3f 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -28,7 +28,7 @@ jobs: node_modules-${{ matrix.os }}-node-${{ matrix.node-version }} - name: Run clean install - run: npm ci + run: npm ci --ignore-scripts - name: Run tests run: npm test
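Review bot: Removing the workflow-level `permissions` block widens the GITHUB_TOKEN of the `build` job, because a workflow without a `permissions` key falls back to the repository's default token permissions (which, depending on the repository setting, can be read/write on several scopes), whereas the old block limited every job to `pull-requests: read` and set all other scopes to none. Keep a minimal top-level block, `permissions:` / `  contents: read`, and let the job-level block added in the second hunk (`@@ -40,6 +37,8 @@`) widen only the sonar job. A job-level block likewise sets unlisted scopes to none, so if this repository is private the sonar job's `actions/checkout@v6` step will also need `contents: read` in that block — worth confirming on a pull-request run. Both hunks of this commit are covered by this note.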
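Review bot: `--ignore-scripts` on `npm ci` also skips this package's own lifecycle scripts (`prepare`, `postinstall` and the like), not only those of its dependencies, and in this hunk `npm test` follows immediately with no explicit build step; if the project relied on a `prepare` script to compile before testing, that step now has to be invoked explicitly, as the `npm-publish.yml` hunk already does with `npm run compile`. A comment on the step records the intent so the flag is not dropped as noise later, e.g. `# --ignore-scripts: install hooks of dependencies never run in CI; build steps must be invoked explicitly`. The enclosing `build` job starts outside the hunk.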
@@ -60,9 +60,9 @@ jobs: run: npm run lint -- --format json --output-file eslint-results.json || true - name: Install Coverage Reporters - run: npm install -g nyc + run: npm install --ignore-scripts -g nyc - name: Install Mocha reporters - run: npm install -d mocha-multi-reporters mocha-junit-reporter mocha-sonarqube-reporter + run: npm install --ignore-scripts -d mocha-multi-reporters mocha-junit-reporter mocha-sonarqube-reporter - name: create mocha config run: | echo '{
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 023c537..e7556b4 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -23,7 +23,7 @@ jobs: - name: Update npm run: npm install -g npm@latest - run: npm -v - - run: npm ci + - run: npm ci --ignore-scripts - run: npm run compile - run: npm test - run: npm publish
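Review bot: `--ignore-scripts` on the `npm install -g nyc` and `npm install -d mocha-multi-reporters mocha-junit-reporter mocha-sonarqube-reporter` lines blocks install hooks but leaves these four packages unpinned and outside `package-lock.json`, so each run resolves whatever version is current and that code still executes when the job runs the reporters. Declaring them as devDependencies, so the earlier `npm ci --ignore-scripts` installs the locked versions, closes that gap; failing that, pin exact versions on these lines (`npm install --ignore-scripts -g nyc@<pinned-version>`). Note that npm's shorthand table maps `-d` to `--loglevel info`, not to `--save-dev` (`-D`), so the second line was never recording these packages in package.json. The enclosing sonar job starts outside the hunk.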
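Review bot: The `npm install -g npm@latest` context line two steps above the change still runs without `--ignore-scripts` and floats to whatever `latest` resolves to at publish time, which leaves an unpinned tool in the job that ends with `npm publish`, i.e. the one holding the publish credential. Pinning it (`run: npm install -g --ignore-scripts npm@<pinned-version>`) or dropping the step in favour of the npm that ships with the selected Node.js version keeps the release job on a known client. The `--ignore-scripts` flag on `npm ci` does not affect `npm publish` itself, which still runs the project's own `prepublishOnly`/`prepack` hooks — expected here, since `npm run compile` is invoked explicitly beforehand. The enclosing job starts outside the hunk.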