From dba83e14ea03cd78c8b5a26129c325c23970a8b5 Mon Sep 17 00:00:00 2001
From: fumikito
Date: Tue, 31 Mar 2026 17:51:49 +0900
Subject: [PATCH] Use npm ci --ignore-scripts in shared workflows for supply chain security
Co-authored-by: Claude
---
 .github/workflows/lint.yml | 2 +-
 .github/workflows/npm.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d953ecc..a2ba481 100644
--- .github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Check Yaml Syntax
 run: |
- npm install
+ npm ci --ignore-scripts
 npm test
 phplint:
diff --git a/.github/workflows/npm.yml b/.github/workflows/npm.yml
index a7d2fb4..85fc542 100644
--- .github/workflows/npm.yml
+++ b/.github/workflows/npm.yml
@@ -40,7 +40,7 @@ jobs:
 node-version-file: ${{ inputs.node_version && '' || '.node-version' }}
 - name: Install NPM Packages
- run: npm install
+ run: npm ci --ignore-scripts
 - name: Run Syntax Check
 run: npm run ${{ inputs.command }}
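Review bot: `npm ci` in the `Check Yaml Syntax` step exits with an error when the calling repository has no committed `package-lock.json`, or one that is out of sync with `package.json`, where `npm install` would have resolved and carried on. Since the subject describes these as shared workflows, every caller needs a lockfile before this lands, and the same applies to the `Install NPM Packages` step in npm.yml. `--ignore-scripts` also skips install-time lifecycle scripts of the dependencies and of the project itself, so a package that builds or fetches a binary in `postinstall` will be missing it when `npm test` runs. I would record both above the step, e.g. `# Requires a committed package-lock.json; lifecycle scripts are skipped, so run "npm rebuild <package>" explicitly for any dependency that needs its install script`. The job body starts and ends outside the hunk.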
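Review bot: The `Run Syntax Check` step at the end of this hunk still expands `${{ inputs.command }}` straight into the shell line, so the caller's string is parsed by the shell instead of reaching npm as a single argument; a commit aimed at supply-chain hardening is a good place to close that as well. Passing the value through the environment keeps it as data: add `env:` with `COMMAND: ${{ inputs.command }}` to the step and change the line to `run: npm run "$COMMAND"`. Whether any caller forwards untrusted values into this input is not visible here, so treat this as hardening rather than a confirmed issue. The step is an unchanged context line and the job continues outside the hunk.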