ci: blocklist package installation in GitHub workflows

rhyslbw · rhyslbw · commit e9fa14e51ae1 · 2025-09-09T09:52:21.000+01:00
Create install action and update all workflows:

✅ Added Yarn constraints infrastructure
- Installed @yarnpkg/plugin-constraints
- Configured in .yarnrc.yml
- Created empty .yarn/constraints.pro for rules
- Updated .gitignore to track constraints.pro

✅ Created .github/actions/install/action.yml
- Centralized yarn install with security flags
- Configurable install args and memory settings
- Clean max-old-space-size input (MB only)
- Mandatory yarn constraints verification

✅ Updated 9 workflows to use action:
- continuous-integration-unit-tests.yaml
- continuous-integration-e2e.yaml
- continuous-integration-side-tests.yaml
- continuous-integration-blockfrost-e2e.yaml
- test-deploy-e2e.yaml
- k6-web-socket.yaml
- k6-wallets.yaml
- release.yaml
- post_integration.yml

🎯 Benefits:
- Single source of truth for install logic
- Easy to add constraint checks later
- Consistent security posture across all workflows
- Reduced duplication and maintenance burden
- Foundation ready for security policy enforcement
diff --git a/.github/actions/install/action.yml b/.github/actions/install/action.yml
@@ -0,0 +1,24 @@
+name: 'Install Dependencies'
+description: 'Install dependencies with yarn and run security constraint checks'
+inputs:
+  install-args:
+    description: 'Additional arguments for yarn install'
+    required: false
+    default: '--inline-builds --mode=skip-build'
+  max-old-space-size:
+    description: 'Maximum old space size in MB for Node.js'
+    required: false
+    default: '8192'
+runs:
+  using: 'composite'
+  steps:
+    - name: 🔨 Install
+      shell: bash
+      run: yarn install --immutable --immutable-cache ${{ inputs.install-args }}
+      env:
+        NODE_OPTIONS: '--max_old_space_size=${{ inputs.max-old-space-size }}'
+        npm_config_ignore_scripts: ${{ vars.DISABLE_NPM_SCRIPTS || 'false' }}
+    
+    - name: 🛡️ Security Constraints Check
+      shell: bash
+      run: yarn constraints
diff --git a/.github/workflows/continuous-integration-blockfrost-e2e.yaml b/.github/workflows/continuous-integration-blockfrost-e2e.yaml
@@ -53,16 +53,16 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn workspace @cardano-sdk/cardano-services-client build:cjs
           yarn workspace @cardano-sdk/cardano-services build:cjs
           yarn workspace @cardano-sdk/e2e build:cjs
           yarn workspace @cardano-sdk/util-dev build:cjs
           docker build --no-cache .
-        env:
-          NODE_OPTIONS: '--max_old_space_size=8192'
 
       - name: 🌐 Setup local test network
         working-directory: packages/e2e
diff --git a/.github/workflows/continuous-integration-e2e.yaml b/.github/workflows/continuous-integration-e2e.yaml
@@ -53,9 +53,11 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn workspace @cardano-sdk/cardano-services-client build:cjs
           yarn workspace @cardano-sdk/cardano-services build:cjs
           yarn workspace @cardano-sdk/e2e build:cjs
diff --git a/.github/workflows/continuous-integration-side-tests.yaml b/.github/workflows/continuous-integration-side-tests.yaml
@@ -25,10 +25,11 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn build
+        run: yarn build
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
 
diff --git a/.github/workflows/continuous-integration-unit-tests.yaml b/.github/workflows/continuous-integration-unit-tests.yaml
@@ -25,10 +25,11 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn build
+        run: yarn build
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
 
diff --git a/.github/workflows/k6-wallets.yaml b/.github/workflows/k6-wallets.yaml
@@ -67,10 +67,11 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18.12.0
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn workspace @cardano-sdk/util-dev build:cjs
+        run: yarn workspace @cardano-sdk/util-dev build:cjs
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
       - name: Run k6 cloud test
diff --git a/.github/workflows/k6-web-socket.yaml b/.github/workflows/k6-web-socket.yaml
@@ -59,10 +59,11 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 18.12.0
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
-          yarn workspace @cardano-sdk/util-dev build:cjs
+        run: yarn workspace @cardano-sdk/util-dev build:cjs
         env:
           NODE_OPTIONS: '--max_old_space_size=8192'
       - name: Run k6 cloud test
diff --git a/.github/workflows/post_integration.yml b/.github/workflows/post_integration.yml
@@ -17,11 +17,13 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+        with:
+          max-old-space-size: '10240'
+
       - name: 🔨 Build Docs
-        env:
-          NODE_OPTIONS: '--max-old-space-size=10240'
         run: |
-          yarn install --immutable --inline-builds
           yarn build
           yarn docs
 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -34,8 +34,7 @@ jobs:
           git_commit_gpgsign: true
 
       - name: 💽 Install dependencies
-        run: |
-          yarn install --immutable --inline-builds --mode=skip-build
+        uses: ./.github/actions/install
         env:
           YARN_ENABLE_IMMUTABLE_INSTALLS: false
 
diff --git a/.github/workflows/test-deploy-e2e.yaml b/.github/workflows/test-deploy-e2e.yaml
@@ -65,13 +65,13 @@ jobs:
         with:
           node-version: 18.12.0
 
+      - name: 🔨 Install
+        uses: ./.github/actions/install
+
       - name: 🔨 Build
         run: |
-          yarn install --immutable --inline-builds --mode=skip-build
           yarn build:cjs
           docker build --no-cache .
-        env:
-          NODE_OPTIONS: '--max_old_space_size=8192'
 
       - name: 🔬 Test - e2e - wallet
         env:
diff --git a/.gitignore b/.gitignore
@@ -13,6 +13,7 @@ lerna-debug.log
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
+!.yarn/constraints.pro
 
 # created by nix
 result
diff --git a/.yarn/constraints.pro b/.yarn/constraints.pro
@@ -0,0 +1,2 @@
+# Yarn constraints for security policy enforcement
+# Add constraint rules here to prevent malicious package versions
diff --git a/.yarn/plugins/@yarnpkg/plugin-constraints.cjs b/.yarn/plugins/@yarnpkg/plugin-constraints.cjs
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -11,5 +11,7 @@ plugins:
     spec: "@yarnpkg/plugin-workspace-tools"
   - path: .yarn/plugins/yarn-plugin-nixify.cjs
     spec: "https://raw.githubusercontent.com/stephank/yarn-plugin-nixify/main/dist/yarn-plugin-nixify.js"
+  - path: .yarn/plugins/@yarnpkg/plugin-constraints.cjs
+    spec: "@yarnpkg/plugin-constraints"
 
 yarnPath: .yarn/releases/yarn-3.2.1.cjs
