From 632827bdda5222d558ca5039eef7ae478c4c805c Mon Sep 17 00:00:00 2001 From: James Garbutt <43081j@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:26:44 +0000 Subject: [PATCH 1/2] chore: use specific commits for github actions Also turns off install scripts entirely. Minor nice to have for security. --- .github/workflows/autofix.yml | 4 ++-- .github/workflows/ci.yml | 30 +++++++++++++++--------------- .github/workflows/lunaria.yml | 4 ++-- .github/workflows/provenance.yml | 2 +- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml index d277a1f884..cd871c811b 100644 --- a/.github/workflows/autofix.yml +++ b/.github/workflows/autofix.yml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: 'pnpm' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eaa577aacf..6ab17581c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,15 +19,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm - name: 📦 Install dependencies - run: pnpm install + run: pnpm install --ignore-scripts - name: 🔠 Lint project run: pnpm lint 
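Review bot: The new pins in the autofix.yml hunk, `actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1` and `actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0`, carry their version only in a trailing comment, and nothing visible in the patch checks that comment against the SHA or keeps the pin current. Each SHA should be confirmed against the upstream tag before merge. An update bot for the `github-actions` ecosystem (Dependabot or Renovate) would keep the pinned commits from falling behind upstream security fixes; no such configuration appears in this patch, though it may exist elsewhere in the repository. The same applies to the identical pins in the ci.yml, lunaria.yml and provenance.yml hunks.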
@@ -36,15 +36,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm - name: 📦 Install dependencies - run: pnpm install + run: pnpm install --ignore-scripts - name: 🌐 Install browser run: pnpm playwright install @@ -64,15 +64,15 @@ jobs: image: mcr.microsoft.com/playwright:v1.57.0-noble steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm - name: 📦 Install dependencies - run: pnpm install + run: pnpm install --ignore-scripts - name: 🖥️ Test project (browser) run: pnpm test:browser @@ -81,15 +81,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm - name: 📦 Install dependencies - run: pnpm install + run: pnpm install --ignore-scripts - name: 🏗️ Build project run: pnpm build @@ -103,15 +103,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm - name: 📦 Install dependencies - run: pnpm install + run: pnpm install --ignore-scripts - name: 🔍 Check for unused code run: pnpm knip:production 
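Review bot: The context line `image: mcr.microsoft.com/playwright:v1.57.0-noble` in the `@@ -64,15 +64,15 @@` hunk is still a mutable tag, while every `uses:` step in the same job is now pinned to a commit. The whole job runs inside that container, so it sits in the same trust position as the actions. A digest pin would match the rest of the change, for example `image: mcr.microsoft.com/playwright:v1.57.0-noble@sha256:<digest-of-reviewed-image>` (placeholder, fill in from the registry). The job definition starts above the hunk, so other unpinned references there cannot be ruled out from here.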
diff --git a/.github/workflows/lunaria.yml b/.github/workflows/lunaria.yml index d3b0123fbd..eb4c336319 100644 --- a/.github/workflows/lunaria.yml +++ b/.github/workflows/lunaria.yml @@ -22,14 +22,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: # Necessary for Lunaria to work properly # Makes the action clone the entire git history fetch-depth: 0 - run: corepack enable - - uses: actions/setup-node@v6 + - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 with: node-version: lts/* cache: pnpm diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml index 1f5f618054..a6475c5031 100644 --- a/.github/workflows/provenance.yml +++ b/.github/workflows/provenance.yml @@ -16,7 +16,7 @@ jobs: check-provenance: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 - name: Check provenance downgrades From cab4665f00562c6e581b720f6c5f759bc2aca203 Mon Sep 17 00:00:00 2001 From: James Garbutt <43081j@users.noreply.github.com> Date: Thu, 29 Jan 2026 15:32:15 +0000 Subject: [PATCH 2/2] chore: use workspace instead --- .github/workflows/ci.yml | 10 +++++----- pnpm-workspace.yaml | 2 ++ 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6ab17581c8..69feaefca7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: cache: pnpm - name: 📦 Install dependencies - run: pnpm install --ignore-scripts + run: pnpm install - name: 🔠 Lint project run: pnpm lint @@ -44,7 +44,7 @@ jobs: cache: pnpm - name: 📦 Install dependencies - run: pnpm install --ignore-scripts + run: pnpm install - name: 🌐 Install browser run: pnpm playwright install 
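Review bot: Going by the version comments, the `Checkout` step in the lunaria.yml hunk is downgraded: it was already pinned to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and now points at the `# v6.0.1` commit. If the goal is a single checkout version across all workflows, it would be better to keep this line and move the others up to `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`. If the step back is deliberate, the commit message should say why, since a later reader will see a pinned action moving to an older release in a security-motivated commit.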
@@ -72,7 +72,7 @@ jobs: cache: pnpm - name: 📦 Install dependencies - run: pnpm install --ignore-scripts + run: pnpm install - name: 🖥️ Test project (browser) run: pnpm test:browser @@ -89,7 +89,7 @@ jobs: cache: pnpm - name: 📦 Install dependencies - run: pnpm install --ignore-scripts + run: pnpm install - name: 🏗️ Build project run: pnpm build @@ -111,7 +111,7 @@ jobs: cache: pnpm - name: 📦 Install dependencies - run: pnpm install --ignore-scripts + run: pnpm install - name: 🔍 Check for unused code run: pnpm knip:production diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 34124d38fb..f09619ad2d 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -28,3 +28,5 @@ onlyBuiltDependencies: - simple-git-hooks@2.13.1 ignoreWorkspaceRootCheck: true + +ignoreDepScripts: true
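Review bot: `ignoreDepScripts: true` is added directly below an `onlyBuiltDependencies` allowlist, and the two settings appear to conflict. As far as I know pnpm then skips lifecycle scripts of every dependency, so allowlisted entries such as `simple-git-hooks@2.13.1` would no longer be built; please confirm against the pnpm version in use. The key is also narrower than the `--ignore-scripts` flag this patch removes from the five ci.yml hunks, because the project's own install scripts still run, so "turns off install scripts entirely" no longer describes the end state. I would add a comment above the key, `# Skip lifecycle scripts of all dependencies (CI and local installs); root project scripts still run`, and drop whichever of the allowlist or the new key is not intended. The `onlyBuiltDependencies` list begins outside the hunk.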