From 35cb5a8b3ee06f95fc9c86d21940ec31dfdf6e7f Mon Sep 17 00:00:00 2001 From: Will Cory Date: Thu, 14 Dec 2023 10:43:41 -0800 Subject: [PATCH 1/2] :lock: feat: Improve security of CI by not running scripts
--- .circleci/config.yml | 24 ++++++++++++------------ .github/actions/setup/action.yml | 4 ++-- Makefile | 2 +- ops/docker/Dockerfile.packages | 2 +- package.json | 2 ++ ufm-test-services/metamask/Dockerfile | 2 +- 6 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4ff1c2938faf..e8637d659850 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -155,7 +155,7 @@ jobs: - "node_modules" - run: name: Install dependencies - command: pnpm install --frozen-lockfile --offline + command: pnpm install:ci:offline - run: name: print forge version command: forge --version
@@ -367,7 +367,7 @@ jobs: # populate node modules from the cache - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - run: name: print forge version command: forge --version
@@ -399,7 +399,7 @@ jobs: # populate node modules from the cache - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci # Note: this step needs to come first because one of the later steps modifies the cache & forces a contracts rebuild - run: name: semver lock
@@ -493,7 +493,7 @@ jobs: - attach_workspace: { at: "." } - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - check-changed: patterns: contracts-bedrock - run:
@@ -539,7 +539,7 @@ jobs: # populate node modules from the cache - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - run: name: Lint command: pnpm lint && git diff --exit-code
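Review bot: `pnpm install:ci` drops the `--prefer-offline` flag that the replaced line in the hunk at @@ -367 passed, so this job (and the ones at @@ -399, -493 and -539 here, and at @@ -568, -590, -654, -674, -951 and -1068 further down) will now consult the registry for metadata even when the restored pnpm store already satisfies the lockfile; only the first hunk keeps the old behavior by using `install:ci:offline`. Since the script is explicitly meant for CI, the flag belongs in its definition rather than in each caller: `"install:ci": "pnpm install --ignore-scripts --frozen-lockfile --prefer-offline && pnpm postinstall && pnpm rebuild nx"`. The enclosing job definitions start and end outside these hunks.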
@@ -568,7 +568,7 @@ jobs: # populate node modules from the cache - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - run: name: Check generated and build command: pnpm generate:check
@@ -590,7 +590,7 @@ jobs: # populate node modules from the cache - run: name: Install dependencies - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - run: name: anvil-l1 background: true
@@ -654,7 +654,7 @@ jobs: npm i pnpm --global - run: name: pnpm dev deps - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci - run: name: specs toc command: pnpm lint:specs:toc && git diff --exit-code ./specs
@@ -674,7 +674,7 @@ jobs: - run: name: Install node_modules command: | - pnpm install --frozen-lockfile --prefer-offline + pnpm install:ci - run: name: Lint check command: |
@@ -859,7 +859,7 @@ jobs: name: run tests command: | mkdir -p /testlogs - + export OP_E2E_CANNON_ENABLED="<>" # Note: We don't use circle CI test splits because we need to split by test name, not by package. There is an additional # constraint that gotestsum does not currently (nor likely will) accept files from different pacakges when building.
@@ -951,7 +951,7 @@ jobs: working_directory: indexer - run: name: Install node_modules - command: pnpm install --frozen-lockfile --prefer-offline + command: pnpm install:ci working_directory: indexer/api-ts - run: name: Install tygo
@@ -1068,7 +1068,7 @@ jobs: - run: name: Install and build command: | - pnpm install --frozen-lockfile --prefer-offline && pnpm build + pnpm install:ci && pnpm build - attach_workspace: at: /tmp/workspace - run:
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 6bf7d59aeac5..b695d65254f3 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
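Review bot: The hunk at @@ -859 is the only change in this file that does not touch an install command, and as rendered here it reads as either a whitespace-only fix to the line before `export OP_E2E_CANNON_ENABLED` or as a newly added export whose value shows as `"<>"`, which looks truncated by rendering rather than intended. Confirm which it is against the committed file; if it is a real addition it is unrelated to the commit subject and would be easier to review as its own commit. The `run tests` step body continues outside the hunk.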
@@ -19,10 +19,10 @@ runs: - name: Install node dependencies shell: bash - run: pnpm install --frozen-lockfile + run: pnpm install:ci - name: Derive appropriate SHAs for base and head for `nx affected` commands uses: nrwl/nx-set-shas@v3 - with: + with: main-branch-name: "develop" - run: | echo "nx using following shas:"
diff --git a/Makefile b/Makefile
index d20f5f6e13ee..ee033181487b 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,7 @@ build-ts: submodules if [ -n "$$NVM_DIR" ]; then \ . $$NVM_DIR/nvm.sh && nvm use; \ fi - pnpm install + pnpm install:ci pnpm build .PHONY: build-ts
diff --git a/ops/docker/Dockerfile.packages b/ops/docker/Dockerfile.packages
index d9d7fd757f6a..a4ba78875fc3 100644
--- a/ops/docker/Dockerfile.packages
+++ b/ops/docker/Dockerfile.packages
@@ -73,7 +73,7 @@ WORKDIR /opt/optimism COPY --from=manifests /tmp/manifests ./ COPY *.json ./ -RUN pnpm install --frozen-lockfile +RUN pnpm install:ci COPY ./packages ./packages
diff --git a/package.json b/package.json
index 6e917f95a5f0..610ae8b51e5b 100644
--- a/package.json
+++ b/package.json
@@ -14,6 +14,8 @@ "build": "npx nx run-many --target=build", "test": "npx nx run-many --target=test", "issues": "./ops/scripts/todo-checker.sh", + "install:ci": "pnpm install --ignore-scripts --frozen-lockfile && pnpm postinstall && pnpm rebuild nx", + "install:ci:offline": "pnpm install --ignore-scripts --offline --frozen-lockfile && pnpm postinstall && pnpm rebuild nx", "lint": "npx nx run-many --target=lint", "test:coverage": "npx nx run-many --target=test:coverage", "lint:ts:check": "npx nx run-many --target=lint:ts:check",
diff --git a/ufm-test-services/metamask/Dockerfile b/ufm-test-services/metamask/Dockerfile
index b09e7bc3912f..58632416a992 100644
--- a/ufm-test-services/metamask/Dockerfile
+++ b/ufm-test-services/metamask/Dockerfile
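Review bot: The `build-ts` recipe in the Makefile hunk now goes through `install:ci`, which carries `--frozen-lockfile`, so `make build-ts` aborts when `package.json` and `pnpm-lock.yaml` disagree instead of refreshing the lockfile as the old bare `pnpm install` did; that is a behavior change for local developers, not only for CI. If that is intended, a one-line comment above the call would spare the next person a confusing failure, e.g. `# install:ci is --frozen-lockfile + --ignore-scripts: update pnpm-lock.yaml before running this target`. The `build-ts` target continues outside the hunk.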
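Review bot: The new `install:ci` script in the package.json hunk keeps the lifecycle-script allow-list (only `nx` is rebuilt with its scripts) in a place that is enforced only when a caller remembers to use it; a plain `pnpm install` run by a developer or by any CI path this patch missed still executes every dependency's install hooks. If the pnpm version in use supports it, the same allow-list can be declared once in `package.json` as `"pnpm": { "onlyBuiltDependencies": ["nx"] }`, which applies to every install and makes `--ignore-scripts` belt-and-braces rather than load-bearing. Two things to confirm from this hunk alone: `pnpm postinstall` needs a root `postinstall` script that is not visible in these lines, and `--ignore-scripts` only blocks install-time hooks — code from the same dependencies still runs when the build, lint and test targets execute, so `--frozen-lockfile` remains the essential half of the change.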
@@ -17,7 +17,7 @@ RUN if [ "$METAMASK_PLAYWRIGHT_RUN_HEADLESS" != "false" ]; then \ # Copy necessary files and directories COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/ -RUN pnpm install --frozen-lockfile +RUN pnpm install --frozen-lockfile --ignore-scripts COPY tests /app/tests/ COPY playwright.config.ts /app/ COPY start.sh /app/
From 4a440db72aa8e5235540b0bff6191e27279f5005 Mon Sep 17 00:00:00 2001 From: Will Cory Date: Thu, 14 Dec 2023 11:15:46 -0800 Subject: [PATCH 2/2] :bug: fix working dir of indexer ci install
--- .circleci/config.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index e8637d659850..d7c502791035 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -952,7 +952,6 @@ jobs: - run: name: Install node_modules command: pnpm install:ci - working_directory: indexer/api-ts - run: name: Install tygo command: go install github.com/gzuidhof/tygo@latest
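Review bot: `RUN pnpm install --frozen-lockfile --ignore-scripts` in the metamask Dockerfile has no follow-up `pnpm rebuild`, unlike the root `install:ci` script, so any dependency of that package that needs an install script (native builds, browser or driver downloads) is left unbuilt with no error at image build time — the failure would only surface when the tests run. Inlining the flags here is reasonable since the hunk shows this directory ships its own `pnpm-workspace.yaml` and cannot see the root script, but confirm that nothing in that package's lockfile relies on a lifecycle script, or add an explicit `RUN pnpm rebuild <package-that-needs-it>` so the allow-list is visible in the Dockerfile. The conditional `RUN` at the top of the hunk starts outside it.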
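Review bot: Removing `working_directory: indexer/api-ts` in the @@ -952 hunk moves the install to the job's default working directory (presumably the repository root), which only installs `indexer/api-ts`'s dependencies if that directory is a member of the root pnpm workspace; nothing in the hunk shows that, and the following `Install tygo` step and whatever comes after it (outside the hunk) presumably expect them. If it is not a workspace member, keep the working directory and invoke pnpm directly with the same flags, `command: pnpm install --ignore-scripts --frozen-lockfile`, since the `install:ci` script exists only in the root package.json.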