What Changed

Applied `--ignore-scripts` to `npm install` across 13 validation workflows and tightened security controls for the package-command slash dispatcher.

Security Hardening Details

The npm `--ignore-scripts` flag prevents potentially malicious lifecycle scripts in dependencies from executing during CI builds. The slash-command dispatcher now requires:

  • Comment authors to have OWNER, MEMBER, or COLLABORATOR repository permissions
  • Explicit fork checks to prevent unauthorized package operations
  • Improved input validation for branch names and pull request numbers
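
A condensed, single-workflow illustration of the pattern this PR applies, added here as an example and not taken from the repository's own workflows (the real change is split between slash-command-dispatch.yaml and package-command.yaml; the job, step and output names below are assumptions):

```yaml
name: package-command (added example)

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: read

jobs:
  package:
    # Gate 1: only a PR comment from an OWNER, MEMBER or COLLABORATOR that starts with /package
    if: >
      github.event.issue.pull_request &&
      startsWith(github.event.comment.body, '/package') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      # Gate 2: explicit fork check; refuse a head branch that lives in another repository
      - name: Resolve PR head and refuse forks
        id: pr
        uses: actions/github-script@v7
        with:
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner, repo: context.repo.repo,
              pull_number: context.issue.number,
            });
            if (pr.head.repo === null || pr.head.repo.full_name !== context.payload.repository.full_name) {
              core.setFailed(`refusing to package a fork branch: ${pr.head.label}`);
              return;
            }
            core.setOutput('branch', pr.head.ref);
            core.setOutput('number', String(pr.number));
      # Gate 3: validate both values before they reach any shell command or git ref
      - name: Validate branch name and PR number
        env:
          BRANCH: ${{ steps.pr.outputs.branch }}
          NUMBER: ${{ steps.pr.outputs.number }}
        run: |
          [[ "$NUMBER" =~ ^[0-9]+$ ]] || { echo "invalid PR number: $NUMBER" >&2; exit 1; }
          [[ "$BRANCH" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]*$ && "$BRANCH" != *..* ]] || { echo "invalid branch name" >&2; exit 1; }
      - uses: actions/checkout@v4
        with:
          ref: ${{ steps.pr.outputs.branch }}
      # Before: plain `npm install` runs dependencies' preinstall/postinstall hooks on the runner.
      # After: --ignore-scripts skips those lifecycle scripts during the CI install.
      - run: npm install --ignore-scripts
```

Passing the values through `env` rather than interpolating `${{ }}` directly into `run` keeps comment-controlled text out of the shell's parsing, which is why the validation step reads `$BRANCH` and `$NUMBER`.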

Affected Files

.github/workflows/content-validations.yaml
.github/workflows/data-connector-validations.yaml
.github/workflows/detection-validations.yaml
.github/workflows/documents-link-validation.yaml
.github/workflows/json-syntax-validation.yaml
.github/workflows/logo-validation.yaml
.github/workflows/package-command.yaml
.github/workflows/playbook-validations.yaml
.github/workflows/slash-command-dispatch.yaml
.github/workflows/solution-validations.yaml
.github/workflows/workbook-metadata-validations.yaml
.github/workflows/workbook-template-validations.yaml
.github/workflows/yaml-syntax-validation.yaml