fix: secure workflows with pinned actions and npm ci

[Copilot]

GitHub Actions workflows were using inconsistent dependency installation methods and npm install, creating vectors for supply chain attacks through compromised dependencies.

Changes

• Pin all actions to commit hashes: All GitHub Actions are pinned to specific commit hashes for immutability
• Lock dependencies: Replace npm install and yarn install with npm ci --legacy-peer-deps across all workflows to ensure exact dependency versions from package-lock.json
• Generate package-lock.json: Created and committed package-lock.json, removed from .gitignore
• Switch to npm: Removed yarn.lock and transitioned to npm for dependency management
• Consistent dependency management: Updated all workflows (format.yml, npmpublish.yml, node-ci.yml, sonarcloud.yml) to use npm ci consistently

Workflows Updated

• format.yml: Changed from npm install to npm ci --legacy-peer-deps
• npmpublish.yml: Changed from yarn install --frozen-lockfile to npm ci --legacy-peer-deps
• node-ci.yml: Changed from npm install to npm ci --legacy-peer-deps (2 occurrences)
• sonarcloud.yml: Changed from npm install to npm ci --legacy-peer-deps

Before (format.yml example)

- run: |
    npm install 
    npm run lint:fix
- run: |
    git config user.name AdyenAutomationBot
    git config user.email "${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}"
    git add .
    git commit -m "style(fmt): code formatted" || echo "No changes to commit"
    git push

After (format.yml example)

- run: |
    npm ci --legacy-peer-deps
    npm run lint:fix
- run: |
    git config user.name AdyenAutomationBot
    git config user.email "${{ secrets.ADYEN_AUTOMATION_BOT_EMAIL }}"
    git add .
    git commit -m "style(fmt): code formatted" || echo "No changes to commit"
    git push

Security Benefits

• ✅ Dependency Integrity: npm ci ensures exact versions from package-lock.json are installed, preventing supply chain attacks
• ✅ Immutable Actions: All GitHub Actions pinned to commit hashes prevent malicious updates
• ✅ Locked Dependencies: package-lock.json is version controlled, ensuring consistent builds across all workflows
• ✅ Consistency: All workflows now use the same dependency installation method

Note

The --legacy-peer-deps flag is required due to peer dependency conflicts in the project's dependencies (typescript version mismatch with ts-auto-mock).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Bug]: Automated Code Commits with Privileged Token</issue_title>
<issue_description>## Description

Automated Code Commits with Privileged Token

Overview

We have recently conducted a security scan of our GitHub repositories to ensure our CI/CD pipelines are secure. We identified misconfigurations in GitHub Actions workflows (e.g., injection risks, unpinned actions).

File: .github/workflows/format.yml

Description

The workflow automatically runs npm install, modifies code, and pushes directly to a branch using a privileged token (ADYEN_AUTOMATION_BOT_ACCESS_TOKEN). A compromised dependency could exploit this to push malicious code to the repository. Additionally, actions/setup-node is not pinned to a commit hash.

Remediation

Pin all actions to a specific commit hash. Instead of pushing directly, modify the workflow to create a pull request that requires human review. Use npm ci with a checked-in package-lock.json instead of npm install to ensure dependency integrity.
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Bug]: Automated Code Commits with Privileged Token #1589

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[gcatanese]

@copilot why do you change npm install and instead use yarn install --frozen-lockfile?

[Copilot]

@copilot why do you change npm install and instead use yarn install --frozen-lockfile?

The repository uses yarn.lock (no package-lock.json exists), so I changed to yarn install --frozen-lockfile for two reasons:

1. Match the lock file: Using npm install with a yarn.lock can lead to inconsistencies since npm would ignore the yarn.lock and potentially install different versions
2. Security: The --frozen-lockfile flag (yarn's equivalent to npm ci) ensures the exact versions from yarn.lock are installed and fails if the lock file is out of sync, preventing supply chain attacks through dependency version mismatches

This addresses the issue's requirement to "use npm ci with a checked-in package-lock.json" but adapted for yarn since that's what this repository uses.

[gcatanese]

@copilot what is the impact of using npm with package-lock.json, instead of yarn?

[Copilot]

@copilot what is the impact of using npm with package-lock.json, instead of yarn?

Switching to npm with package-lock.json would require:

1. Generate package-lock.json: Run npm install to create it (currently gitignored)
2. Remove from .gitignore: Update .gitignore to commit package-lock.json
3. Remove yarn.lock: Delete the existing yarn.lock to avoid conflicts
4. Update all workflows: Change other workflows (node-ci.yml, sonarcloud.yml, npmpublish.yml) currently using yarn or npm inconsistently

Impact: This would be a larger change affecting the entire repository's dependency management. The current approach (yarn with frozen-lockfile) achieves the security goal without requiring these broader changes. Both approaches are valid - I chose to keep yarn since it's already partially used and has a committed lock file.

[gcatanese]

Looks good

[gcatanese]

@copilot I don't want to create a PR in this workflow, just pin all actions to a specific commit hash. Use npm ci with a checked-in package-lock.json instead of npm install to ensure dependency integrity.

[Copilot]

@copilot I don't want to create a PR in this workflow, just pin all actions to a specific commit hash. Use npm ci with a checked-in package-lock.json instead of npm install to ensure dependency integr...

Updated in commit 57f196f. Changes made:

• Removed PR creation workflow, reverted to direct push
• Changed npm install to npm ci --legacy-peer-deps
• Generated and committed package-lock.json (removed from .gitignore)
• Removed yarn.lock and switched to npm
• All actions remain pinned to commit hashes

The --legacy-peer-deps flag is needed due to peer dependency conflicts in the project's dependencies.

[gcatanese]

@copilot should then avoid using yarn also in .github/workflows/npmpublish.yml?

[Copilot]

@copilot should then avoid using yarn also in .github/workflows/npmpublish.yml?

Yes, good catch! Updated in commit 9a21129. All workflows now consistently use npm ci --legacy-peer-deps:

• npmpublish.yml: Changed from yarn install --frozen-lockfile to npm ci --legacy-peer-deps
• node-ci.yml: Changed from npm install to npm ci --legacy-peer-deps (2 locations)
• sonarcloud.yml: Changed from npm install to npm ci --legacy-peer-deps

This ensures all workflows use the same package manager and lock file (package-lock.json).

[gcatanese]

This PR replaces npm install with npm ci and remove yarn (npm is used consistently in all workflows).
Action versions were already pinned.

[gcatanese]

@galesky-a can you have a look? When introducing npm ci Copilot has removed any use of yarn, which makes sense to me, but I'd like you to confirm please.

[galesky-a]

@galesky-a can you have a look? When introducing npm ci Copilot has removed any use of yarn, which makes sense to me, but I'd like you to confirm please.

LGTM, we should create a small follow up to remove -legacy-peer-deps too