[Tech] Add LavaMoat allow scripts (#416)

* add lavamoat allow scripts

* update yarn lock

* update install scripts in workflows

* update npm in workflows to yarn

* install yarn flatpak ci

* install make on flatpak build ci

* add gcc dep to flatpak ci

* rm unused register-scheme install

* rm make gcc from flatpak ci

Author: BrettCleary

.github/workflows/build.yml

@@ -35,9 +35,9 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: npm i --legacy-peer-deps
+        run: yarn setup
       - name: Build artifacts.
-        run: npm run dist:win
+        run: yarn dist:win
       - name: Upload EXE.
         uses: actions/upload-artifact@v3
         with:
@@ -68,7 +68,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Build deb artifact
         run: yarn dist:linux:ci:deb
       - name: Build rpm artifact
@@ -97,7 +97,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Build artifacts.
         run: yarn dist:mac
         env:

.github/workflows/codecheck.yml

@@ -26,6 +26,6 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Check Typescript syntax
         run: yarn codecheck

.github/workflows/flatpak-build.yml

@@ -44,12 +44,14 @@ jobs:
           ssh://git@github.com/
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
+      - name: install yarn
+        run: npm install --global yarn
       - name: Install modules.
-        run: npm i --legacy-peer-deps
+        run: yarn setup
       - name: Build artifacts.
-        run: npm run dist:linux:ci:flatpak
+        run: yarn dist:linux:ci:flatpak
       - name: Prepare Flatpak
-        run: npm run flatpak:prepare
+        run: yarn flatpak:prepare
       - name: Build Flatpak
         uses: flatpak/flatpak-github-actions/flatpak-builder@v6
         with:

.github/workflows/lint.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Lint code.
         run: yarn lint
       - name: Prettier code.

.github/workflows/release_flathub.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Checkout flathub repository.
         run: git clone https://github.com/flathub/xyz.hyperplay.HyperPlay.git
       - name: Update flathub release

.github/workflows/release_linux.yml

@@ -32,6 +32,6 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Build artifacts.
         run: yarn run release:linux

.github/workflows/release_macOS.yml

@@ -41,7 +41,7 @@ jobs:
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
 
       - name: Install dependencies
-        run: yarn
+        run: yarn setup
 
       - name: Build artifacts.
         run: yarn release:mac

.github/workflows/test-e2e-dev.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test
@@ -57,7 +57,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test
@@ -86,7 +86,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: npm i --legacy-peer-deps
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test

.github/workflows/test-e2e-packaged.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test
@@ -58,7 +58,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test
@@ -87,7 +87,7 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: npm i --legacy-peer-deps
+        run: yarn setup
         env:
           PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
       - name: Build and Test

.github/workflows/test.yml

@@ -27,6 +27,6 @@ jobs:
       - name: Authenticate with private NPM package
         run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
       - name: Install modules.
-        run: yarn
+        run: yarn setup
       - name: Test
         run: yarn test:ci

.gitignore

@@ -40,7 +40,6 @@ vite-plugin-electron.log
 
 # Yarn Berry support
 # these can be reconfigured if we ever want to adopt yarn berry
-.yarnrc.yml 
 .yarn/
 
 flathub/update-flathub.js

.yarnrc

@@ -0,0 +1 @@
+ignore-scripts true

.yarnrc.yml

@@ -0,0 +1 @@
+enableScripts: false

package.json

@@ -224,6 +224,7 @@
     "zod": "^3.21.4"
   },
   "scripts": {
+    "setup": "yarn install && yarn allow-scripts",
     "start": "vite",
     "codecheck": "tsc --noEmit",
     "find-deadcode": "ts-prune --error",
@@ -267,6 +268,8 @@
   "devDependencies": {
     "@babel/plugin-transform-arrow-functions": "^7.22.5",
     "@electron/notarize": "^1.2.3",
+    "@lavamoat/allow-scripts": "^2.3.1",
+    "@lavamoat/preinstall-always-fail": "^1.0.0",
     "@playwright/test": "^1.32.1",
     "@testing-library/dom": "^7.31.0",
     "@testing-library/jest-dom": "^5.16.4",
@@ -317,5 +320,25 @@
     "xml-js": "^1.6.11"
   },
   "optionalDependencies": {},
-  "packageManager": "yarn@1.22.19"
+  "packageManager": "yarn@1.22.19",
+  "lavamoat": {
+    "allowScripts": {
+      "@fortawesome/fontawesome-svg-core": false,
+      "@fortawesome/fontawesome-svg-core>@fortawesome/fontawesome-common-types": false,
+      "@fortawesome/free-brands-svg-icons": false,
+      "@fortawesome/free-regular-svg-icons": false,
+      "@fortawesome/free-solid-svg-icons": false,
+      "@lavamoat/preinstall-always-fail": false,
+      "@metamask/sdk>eciesjs>secp256k1": true,
+      "@rudderstack/rudder-sdk-node>bull>msgpackr>msgpackr-extract": true,
+      "@testing-library/dom>aria-query>@babel/runtime-corejs3>core-js-pure": true,
+      "@valist/sdk>files-from-path>ipfs-unixfs>protobufjs": true,
+      "classic-level": true,
+      "discord-rich-presence-typescript>discord-rpc>register-scheme": false,
+      "electron": true,
+      "electron-vite>esbuild": true,
+      "playwright": true,
+      "vite>esbuild": true
+    }
+  }
 }