ci: harden publish settings

Author: sapphi-red

.github/workflows/publish.yml

@@ -7,10 +7,13 @@ on:
 
 jobs:
   publish:
+    # prevents this action from running on forks
+    if: github.repository == 'vitejs/launch-editor'
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
+    environment: Release
 
     steps:
       - name: Checkout repository
@@ -31,6 +34,9 @@ jobs:
           # disable cache, to avoid cache poisoning (https://docs.zizmor.sh/audits/#cache-poisoning)
           package-manager-cache: false
 
+      - name: Disallow installation scripts
+        run: yq '.allowBuilds[]=false' -i pnpm-workspace.yaml
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 

pnpm-workspace.yaml

@@ -1,2 +1,4 @@
 packages:
   - 'packages/*'
+allowBuilds:
+  yorkie: true