From a532c096690ae77c55db5498458611f6cf5637ce Mon Sep 17 00:00:00 2001
From: Jan Nanista
Date: Thu, 9 Nov 2023 17:52:38 -0800
Subject: [PATCH] fix: Add empty NPM_TOKEN to vulnerable post-install scripts
---
 .github/workflows/publish-packages.yaml | 2 ++
 .github/workflows/vape-test.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/.github/workflows/publish-packages.yaml b/.github/workflows/publish-packages.yaml
index 3825e2d1e..a9a94340c 100644
--- a/.github/workflows/publish-packages.yaml
+++ b/.github/workflows/publish-packages.yaml
@@ -31,6 +31,8 @@ jobs:
 # Run the post-install scripts
 - name: Build Dependencies
 run: yarn install --frozen-lockfile --offline
+ env:
+ NPM_TOKEN: ""
 # Cache build artifacts from turbo
 #
diff --git a/.github/workflows/vape-test.yml b/.github/workflows/vape-test.yml
index 84ef79b07..2bbb89e10 100644
--- a/.github/workflows/vape-test.yml
+++ b/.github/workflows/vape-test.yml
@@ -33,6 +33,8 @@ jobs:
 # Run the post-install scripts
 - name: Build Dependencies
 run: yarn install --frozen-lockfile --offline
+ env:
+ NPM_TOKEN: ""
 # Cache build artifacts from turbo
 #
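Review bot: The step-level `env` added to `Build Dependencies` in publish-packages.yaml, and identically in vape-test.yml, blanks only `NPM_TOKEN`. Any other secret exported at workflow or job level would still be visible to dependency lifecycle scripts during `yarn install`. The rest of both jobs lies outside these hunks, so confirm that no other credentials are in scope for this step and that the real token is supplied only on the step that actually publishes. The existing comment does not say why the variable is emptied. Judging by the commit subject the intent is to hide the token from post-install scripts, so a line such as `# NPM_TOKEN is blanked so install scripts never see the publish token` above `env:` would stop a later cleanup from removing it as dead config.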