reedsy · alecgibson · Apr 2, 2026 · Apr 2, 2026 · Copilot · Apr 2, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,7 +33,7 @@ jobs:
         registry-url: 'https://npm.pkg.github.com'
     - name: Install
       # Skip post-install to avoid malicious scripts stealing PAT
-      # Skip post-install to avoid malicious scripts stealing PAT
+      # During authenticated install, skip lifecycle scripts to reduce risk of
+      # malicious scripts exfiltrating the GITHUB_TOKEN auth token; scripts are
+      # re-enabled in the post-install step below.
-      # Skip post-install to avoid malicious scripts stealing PAT
+      # During authenticated install, skip lifecycle scripts to reduce risk of
+      # malicious scripts exfiltrating the GITHUB_TOKEN auth token; scripts are
+      # re-enabled in the post-install step below.
-      run: npm install --ignore-script
+      run: npm install --ignore-scripts
       env:
         NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Post-install