From e61fb6fdc63b251ebc57d362b400ed7be909a4ac Mon Sep 17 00:00:00 2001
From: ylemkimon <y@ylem.kim>
Date: Sun, 6 Sep 2020 15:13:12 +0900
Subject: [PATCH] ci: don't persist credentials and run scripts (#2450)

---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0f6a5c28..267a4ff1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,6 +21,7 @@ jobs:
     - uses: actions/checkout@v2
       with:
         submodules: recursive
+        persist-credentials: false # minimize exposure and prevent accidental pushes
 
     - name: Use Node.js 12.x
       uses: actions/setup-node@v1
@@ -39,6 +40,8 @@ jobs:
 
     - name: Install dependencies
       run: yarn --immutable
+      env:
+        YARN_ENABLE_SCRIPTS: 0 # disable postinstall scripts
 
     - name: Lint code
       run: yarn test:lint
@@ -126,6 +129,7 @@ jobs:
       if: github.event_name != 'pull_request_target'
       with:
         submodules: recursive
+        persist-credentials: false # minimize exposure and prevent accidental pushes
     - uses: actions/checkout@v2
       if: github.event_name == 'pull_request_target'
       with:
@@ -152,6 +156,8 @@ jobs:
 
     - name: Install dependencies
       run: yarn --immutable
+      env:
+        YARN_ENABLE_SCRIPTS: 0 # disable postinstall scripts
 
     - name: Verify screenshots and generate diffs and new screenshots
       run: yarn node dockers/screenshotter/screenshotter.js -b ${{ matrix.browser }} --verify --diff --new -c ${{ job.services.selenium.id }}