ci: use npm ci with caching in all CI workflows (#9150)

ericpgreen2 · web-flow · commit b86785a41b61 · 2026-04-01T15:05:56.000+03:00
Switch all GitHub Actions workflows from `npm install` to `npm ci` and
enable npm caching via `actions/setup-node`. This hardens CI against
supply chain attacks by ensuring only lockfile-pinned versions are
installed, and speeds up installs by caching downloaded tarballs.
diff --git a/.github/workflows/docs-check.yml b/.github/workflows/docs-check.yml
@@ -21,6 +21,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       # - name: Filter modified codepaths
       #   uses: dorny/paths-filter@v3
@@ -38,7 +39,7 @@ jobs:
 
       - name: Build docs
         run: |-
-          npm install -w docs
+          npm ci -w docs
           npm run build -w docs
         # https://typicode.github.io/husky/how-to.html#ci-server-and-docker
         env:
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
@@ -12,9 +12,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: NPM Install
-        run: npm install
+        run: npm ci
         # https://typicode.github.io/husky/how-to.html#ci-server-and-docker
         env:
           HUSKY: 0
diff --git a/.github/workflows/rill-ui.yml b/.github/workflows/rill-ui.yml
@@ -69,6 +69,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: Setup Env variables from Inputs for Prod
         if: ( github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') ) || ( github.event_name == 'workflow_dispatch' && inputs.env == 'prod' )
@@ -93,7 +94,7 @@ jobs:
 
       - name: Build Cloud UI
         run: |-
-          npm install
+          npm ci
           npm run build -w web-admin
         env:
           RILL_UI_PUBLIC_RILL_ADMIN_URL: https://admin.${{ env.DOMAIN }}
diff --git a/.github/workflows/web-test-code-quality.yml b/.github/workflows/web-test-code-quality.yml
@@ -34,6 +34,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: Web code quality checks
         run: bash ./scripts/web-test-code-quality.sh
diff --git a/.github/workflows/web-test-e2e.yml b/.github/workflows/web-test-e2e.yml
@@ -81,9 +81,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: NPM Install
-        run: npm install
+        run: npm ci
         # https://typicode.github.io/husky/how-to.html#ci-server-and-docker
         env:
           HUSKY: 0
diff --git a/.github/workflows/web-test-unit-tests.yml b/.github/workflows/web-test-unit-tests.yml
@@ -29,9 +29,10 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          cache: 'npm'
 
       - name: NPM Install
-        run: npm install
+        run: npm ci
         # https://typicode.github.io/husky/how-to.html#ci-server-and-docker
         env:
           HUSKY: 0
diff --git a/scripts/web-test-code-quality.sh b/scripts/web-test-code-quality.sh
@@ -70,7 +70,7 @@ echo "filters: admin=$ADMIN local=$LOCAL common=$COMMON"
 echo ""
 echo "== NPM Install =="
 # https://typicode.github.io/husky/how-to.html#ci-server-and-docker
-HUSKY=0 npm install
+HUSKY=0 npm ci
 
 if [[ "$COMMON" == "true" ]]; then
   echo ""
