fix(security): run npm install with --ignore-scripts to avoid malicious scripts in CI

Author: yogeshchoudhary147

.github/actions/build/action.yml

@@ -19,7 +19,7 @@ runs:
 
     - name: Install dependencies
       shell: bash
-      run: npm ci --include=dev
+      run: npm ci --ignore-scripts --include=dev
 
     - name: Build package
       shell: bash

.github/actions/npm-publish/action.yml

@@ -30,7 +30,7 @@ runs:
 
     - name: Install dependencies
       shell: bash
-      run: npm ci --include=dev
+      run: npm ci --ignore-scripts --include=dev
 
     - name: Build package
       if: inputs.require-build == 'true'

.github/workflows/integration.yml

@@ -49,7 +49,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: Build SDK
         run: npm run build

.github/workflows/sca_scan.yml

@@ -10,7 +10,7 @@ jobs:
   snyk-cli:
     uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
     with:
-      pre-scan-commands: "npm install && npm run install:examples"
+      pre-scan-commands: "npm install --ignore-scripts && npm run install:examples"
       additional-arguments: "--exclude=README.md"
       node-version: 24
     secrets: inherit

.github/workflows/test.yml

@@ -54,7 +54,7 @@ jobs:
           cache: npm
 
       - name: Install dependencies
-        run: npm ci --include=dev
+        run: npm ci --ignore-scripts --include=dev
 
       - name: Run tests
         run: npm run test