
🔒 feat: Improve security of CI by not running scripts #8626

Merged
merged 2 commits into from
Dec 14, 2023
Conversation

roninjin10
Contributor

NPM packages can run arbitrary scripts when installed. To improve security in CI, pass in the --ignore-scripts flag.

Developers can also choose to use npm install:ci if they want the same assurances locally too.

Nx requires a post-install script to run, so we explicitly run it via pnpm rebuild nx. If any other packages require a postinstall script, we should do the same. This makes it so we never accidentally introduce a new script we didn't realize is running.
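The PR relies on an explicit allowlist of packages whose install scripts are re-enabled by hand (`pnpm rebuild nx`). The following is an added example, not part of the PR or the repository, of a CI check that enforces that allowlist: it lists every installed package declaring a preinstall/install/postinstall script and fails when one is not approved. The package tree and package names below are constructed for the example; the grep-based detection is an approximation, not a full JSON parser.

```shell
#!/bin/sh
# Added example: after `pnpm install --ignore-scripts`, enumerate packages that declare
# install-time lifecycle scripts and fail on any that is not explicitly allowlisted.
set -eu

# Print the package directory (relative to $1) of every package.json under $1 that
# defines a preinstall/install/postinstall script. Grep-based approximation.
find_lifecycle_scripts() {
  root="$1"
  find "$root" -name package.json -not -path '*/node_modules/*/node_modules/*' 2>/dev/null |
  while IFS= read -r pj; do
    if grep -Eq '"(preinstall|install|postinstall)"[[:space:]]*:' "$pj"; then
      dirname "$pj" | sed "s#^$root/##"
    fi
  done | sort
}

# Return 0 if every package with a lifecycle script is in the space-separated
# allowlist $2; otherwise report the offenders on stderr and return 1.
# Approved packages are the ones CI then rebuilds explicitly (`pnpm rebuild <pkg>`).
check_allowlist() {
  root="$1"; allow=" $2 "
  status=0
  for pkg in $(find_lifecycle_scripts "$root"); do
    case "$allow" in
      *" $pkg "*) ;;
      *) echo "unapproved lifecycle script: $pkg" >&2; status=1 ;;
    esac
  done
  return $status
}

# Constructed sample tree standing in for node_modules (fake package contents).
make_sample() {
  d="$(mktemp -d)"
  mkdir -p "$d/nx" "$d/left-pad"
  printf '{"name":"nx","scripts":{"postinstall":"node ./bin/post-install"}}\n' > "$d/nx/package.json"
  printf '{"name":"left-pad","version":"1.0.0"}\n' > "$d/left-pad/package.json"
  echo "$d"
}
```

In a real pipeline the root would be `node_modules` and the allowlist the same set of packages passed to `pnpm rebuild`, so a new dependency that ships an install script fails the build instead of silently running.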

@roninjin10 roninjin10 requested a review from a team as a code owner December 14, 2023 18:46
@roninjin10 roninjin10 requested a review from tynes December 14, 2023 18:46

coderabbitai bot commented Dec 14, 2023

Walkthrough

The overall change involves standardizing the dependency installation process across various configurations and Dockerfiles to a specific pnpm install:ci command. This shift is likely aimed at optimizing the installation for continuous integration (CI) environments, ensuring consistency and potentially leveraging caching or other CI-specific optimizations. Additionally, for the metamask service, a security-focused change was made to ignore scripts during installation.

Changes

File(s) | Change Summary
.circleci/config.yml, .github/actions/setup/action.yml, Makefile, ops/docker/.../Dockerfile.packages | Replaced pnpm install with pnpm install:ci to standardize the CI dependency installation process.
ufm-test-services/metamask/Dockerfile | Modified pnpm install to include the --ignore-scripts flag for security reasons.


codecov bot commented Dec 14, 2023

Codecov Report

Merging #8626 (4a440db) into develop (631b6f4) will decrease coverage by 0.05%.
Report is 9 commits behind head on develop.
The diff coverage is n/a.

Additional details and impacted files
@@             Coverage Diff             @@
##           develop    #8626      +/-   ##
===========================================
- Coverage    34.61%   34.57%   -0.05%     
===========================================
  Files          167      167              
  Lines         7162     7162              
  Branches      1212     1212              
===========================================
- Hits          2479     2476       -3     
- Misses        4532     4537       +5     
+ Partials       151      149       -2     
Flag Coverage Δ
cannon-go-tests 63.48% <ø> (ø)
chain-mon-tests 27.14% <ø> (ø)
common-ts-tests 26.74% <ø> (ø)
contracts-bedrock-tests 20.18% <ø> (-0.15%) ⬇️
contracts-ts-tests 12.25% <ø> (ø)
core-utils-tests 44.03% <ø> (ø)
sdk-next-tests 42.18% <ø> (ø)
sdk-tests 42.18% <ø> (ø)

Flags with carried forward coverage won't be shown.

see 3 files with indirect coverage changes

@tynes tynes enabled auto-merge December 14, 2023 20:15
@tynes tynes added this pull request to the merge queue Dec 14, 2023
Merged via the queue into develop with commit 1544353 Dec 14, 2023
@tynes tynes deleted the ignore-scripts branch December 14, 2023 20:39