Replace npx with pinned npm-tools and add security hardening (#21166)

* [dev] disable npm lifecycle scripts and npx

* Add npm-tools

* update npm-tools

* dev/image/Dockerfile

* update

Co-authored-by: Ona <no-reply@ona.com>

* Bump leeay version to 0.10.6

Co-authored-by: Ona <no-reply@ona.com>

* Fix npx removal to also delete the target script

The symlink at /root/.nvm/.../bin/npx points to npx-cli.js.
Remove both to ensure npx is fully disabled.

Co-authored-by: Ona <no-reply@ona.com>

* Remove gce-github-runner usage from all workflows

Replace self-hosted GCE runner pattern with GitHub-hosted ubuntu-latest runners across all workflows. This removes the three-phase pattern (create-runner, use-runner, delete-runner) and simplifies workflow execution.

Changes:
- Remove create-runner and delete-runner jobs from all workflows
- Replace runs-on: ${{ needs.create-runner.outputs.label }} with runs-on: ubuntu-latest
- Remove create-runner from job dependencies
- Preserve all other job dependencies and concurrency controls

Affected workflows:
- build.yml (8 jobs)
- workspace-integration-tests.yml (4 jobs)
- ide-integration-tests.yml (4 jobs)
- preview-env-check-regressions.yml (4 jobs)
- preview-env-gc.yml (2 jobs)
- jetbrains-auto-update-template.yml (1 job)
- jetbrains-integration-test.yml (1 job)
- code-nightly.yml (1 job)
- preview-env-delete.yml (1 job)

Co-authored-by: Ona <no-reply@ona.com>

* [dev] use ubuntu-latest-16-cores for builds

* Fix container permissions for GitHub-hosted runners

Add 'options: --user root' to all container configurations to resolve EACCES permission errors when GitHub Actions tries to write to internal directories.

GitHub-hosted runners require containers to run as root to allow the Actions runtime to write to /__w/_temp/_runner_file_commands/ and other internal paths.

Affected workflows:
- build.yml (3 container jobs)
- workspace-integration-tests.yml (2 container jobs)
- ide-integration-tests.yml (2 container jobs)
- preview-env-check-regressions.yml (1 container job)
- preview-env-gc.yml (1 container job)
- jetbrains-auto-update-template.yml (1 container job)
- jetbrains-integration-test.yml (1 container job)
- code-nightly.yml (1 container job)

Co-authored-by: Ona <no-reply@ona.com>

* Fix dev/image build by adding leeway dependency for npm-tools

Create leeway generic build for dev/npm-tools and use it as a dependency in dev/image:docker build. This resolves the build error where npm-tools files were not accessible during Docker build.

Changes:
- Add dev/npm-tools/BUILD.yaml with generic package containing package.json and package-lock.json
- Add dev/npm-tools:pkg as dependency in dev/image/BUILD.yaml
- Update Dockerfile to use COPY from leeway dependency path (dev-npm-tools--pkg/)

This follows the established pattern used in other builds like install/installer where dependencies are copied from leeway-generated paths.

Co-authored-by: Ona <no-reply@ona.com>

* Fix npm-tools installation permissions in dev/image

Add chown command to fix EACCES permission error when installing npm-tools. The COPY command creates files owned by root, but npm ci runs as gitpod user and needs write access to create node_modules.

Changes:
- Add 'sudo chown -R gitpod:gitpod /opt/npm-tools' before npm ci
- This ensures the gitpod user can write to /opt/npm-tools/node_modules/

Error fixed:
  npm error code EACCES
  npm error syscall mkdir
  npm error path /opt/npm-tools/node_modules
  npm error errno -13

Co-authored-by: Ona <no-reply@ona.com>

* [dev] Split builds into branch and main

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Cornelius Ludmann <cornelius@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Gero Posmyk-Leinemann <gero@gitpod.io>

Author: 4 people

.devcontainer/Dockerfile

@@ -93,7 +93,7 @@ ARG TARGETOS
 
 # Install dependencies
 USER root
-ARG LEEWAY_VERSION=0.10.4
+ARG LEEWAY_VERSION=0.10.6
 ENV LEEWAY_MAX_PROVENANCE_BUNDLE_SIZE=8388608
 ENV LEEWAY_WORKSPACE_ROOT=/workspace/gitpod
 ENV LEEWAY_REMOTE_CACHE_BUCKET=leeway-cache-dev-3ac8ef5
@@ -334,8 +334,32 @@ ENV HOME=/root
 RUN curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \
     && bash -c ". $HOME/.nvm/nvm.sh \
     && nvm install v${NODE_VERSION} \
-    && nvm alias default v${NODE_VERSION} \
-    && npm install -g typescript yarn pnpm node-gyp @anthropic-ai/claude-code"
+    && nvm alias default v${NODE_VERSION}"
+
+# Disable npm/yarn lifecycle scripts by default (security hardening)
+# To allow specific packages, use: npm rebuild <package> or yarn rebuild <package>
+RUN npm config set ignore-scripts true --location=global && \
+    npm config set ignore-scripts true --location=user && \
+    echo 'ignore-scripts true' >> ~/.yarnrc
+
+# Disable npx (security hardening - prevents arbitrary package execution)
+# Remove npx from NVM and replace with stub that prints warning
+RUN rm -f /usr/bin/npx /usr/local/bin/npx && \
+    rm -f /root/.nvm/versions/node/v${NODE_VERSION}/bin/npx && \
+    rm -f /root/.nvm/versions/node/v${NODE_VERSION}/lib/node_modules/npm/bin/npx-cli.js && \
+    echo '#!/bin/sh' > /usr/local/bin/npx && \
+    echo 'echo "npx is disabled for security reasons. Use explicit package installation instead." >&2' >> /usr/local/bin/npx && \
+    echo 'exit 1' >> /usr/local/bin/npx && \
+    chmod +x /usr/local/bin/npx
+
+# Install npm-tools with locked dependencies
+COPY dev/npm-tools/package.json dev/npm-tools/package-lock.json /opt/npm-tools/
+RUN cd /opt/npm-tools && \
+    npm ci && \
+    for bin in /opt/npm-tools/node_modules/.bin/*; do \
+        ln -sf "$bin" /usr/local/bin/$(basename "$bin"); \
+    done && \
+    rm -rf ~/.npm/_cacache
 
 ENV PATH=$PATH:/root/.aws-iam:/root/.terraform:/workspace/bin
 

.github/workflows/branch-build.yml

@@ -6,9 +6,9 @@ permissions:
   actions: write  # This is required for trigger another action which is used by JetBrains integrateion tests
   packages: read
 on:
-  pull_request:
-    types: [ opened, edited ]
   push:
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       recreate_vm:
@@ -29,19 +29,10 @@ on:
     - cron: '0 0 * * *'
 
 jobs:
-  create-runner:
-    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
-    secrets:
-      runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    concurrency:
-      group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-create-runner
-      cancel-in-progress: false
-
   configuration:
     name: Configure job parameters
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: [ create-runner ]
+    runs-on: ubuntu-latest
+    environment: main-build
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-configuration
       cancel-in-progress: true
@@ -112,13 +103,15 @@ jobs:
       (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
       (needs.configuration.outputs.preview_enable == 'true') &&
       (needs.configuration.outputs.is_scheduled_run != 'true')
-    needs: [ configuration, create-runner ]
+    needs: [ configuration ]
+    environment: main-build
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-build-previewctl
       cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    runs-on: ubuntu-latest-16-cores
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
     steps:
       - uses: actions/checkout@v4
       - name: Setup Environment
@@ -135,13 +128,14 @@ jobs:
         run: |
           leeway build dev/preview/previewctl:cli --cache remote
   infrastructure:
-    needs: [ configuration, build-previewctl, create-runner ]
+    needs: [ configuration, build-previewctl ]
+    environment: main-build
     if: |
       (needs.configuration.outputs.pr_no_diff_skip != 'true') &&
       (needs.configuration.outputs.preview_enable == 'true') &&
       (needs.configuration.outputs.is_main_branch != 'true') &&
       (needs.configuration.outputs.is_scheduled_run != 'true')
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
       cancel-in-progress: true
@@ -166,8 +160,9 @@ jobs:
 
   build-gitpod:
     name: Build Gitpod
-    needs: [ configuration, create-runner ]
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    needs: [ configuration ]
+    environment: main-build
+    runs-on: ubuntu-latest-16-cores
     outputs:
       affected_packages: ${{ steps.check_vulnerabilities.outputs.affected_packages }}
     concurrency:
@@ -189,6 +184,7 @@ jobs:
           - 6379:6379
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
       env:
         DB_HOST: "mysql"
         DB_PORT: "23306"
@@ -399,8 +395,9 @@ jobs:
           name: vulnerability-reports
           path: ${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}
   install-app:
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: [ configuration, build-gitpod, create-runner ]
+    runs-on: ubuntu-latest
+    needs: [ configuration, build-gitpod ]
+    environment: main-build
     if: ${{ needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true' }}
     strategy:
       fail-fast: false
@@ -439,9 +436,9 @@ jobs:
       - build-previewctl
       - build-gitpod
       - infrastructure
-      - create-runner
+    environment: main-build
     if: needs.configuration.outputs.is_scheduled_run != 'true'
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
       cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
@@ -489,8 +486,9 @@ jobs:
 
   monitoring:
     name: "Install Monitoring Satellite"
-    needs: [ infrastructure, build-previewctl, create-runner ]
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    needs: [ infrastructure, build-previewctl ]
+    environment: main-build
+    runs-on: ubuntu-latest
     if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
       group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-monitoring
@@ -518,10 +516,11 @@ jobs:
       - build-gitpod
       - infrastructure
       - install
-      - create-runner
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    environment: main-build
+    runs-on: ubuntu-latest
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
     if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
     concurrency:
       group: ${{ needs.configuration.outputs.preview_name }}-integration-test
@@ -551,7 +550,6 @@ jobs:
     needs:
       - configuration
       - build-gitpod
-      - create-runner
     if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/workspace-integration-tests.yml
     with:
@@ -563,7 +561,6 @@ jobs:
     needs:
       - configuration
       - build-gitpod
-      - create-runner
     if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/code-updates.yml
     secrets: inherit
@@ -573,7 +570,6 @@ jobs:
     needs:
       - configuration
       - build-gitpod
-      - create-runner
     if: needs.configuration.outputs.is_main_branch == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
     uses: ./.github/workflows/jetbrains-updates.yml
     secrets: inherit
@@ -587,6 +583,7 @@ jobs:
       - workspace-integration-tests-main
       - ide-code-updates
       - ide-jb-updates
+    environment: main-build
     runs-on: ubuntu-latest
     steps:
       - name: Slack Notification
@@ -598,23 +595,3 @@ jobs:
           SLACK_COLOR: "danger"
           SLACK_MESSAGE: "⚠️ Security Alert: Daily vulnerability scan detected critical vulnerabilities in the following packages:\n${{ needs.build-gitpod.outputs.affected_packages }}"
           SLACK_FOOTER: "<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Workflow Logs>"
-
-  delete-runner:
-    if: always()
-    needs:
-      - create-runner
-      - configuration
-      - build-previewctl
-      - infrastructure
-      - build-gitpod
-      - install-app
-      - install
-      - monitoring
-      - integration-test
-      - notify-scheduled-failure
-    uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
-    secrets:
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    with:
-      runner-label: ${{ needs.create-runner.outputs.label }}
-      machine-zone: ${{ needs.create-runner.outputs.machine-zone }}

.github/workflows/build.yml

@@ -15,9 +15,10 @@ jobs:
         run: |
           curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
           chmod +x /usr/local/bin/oci-tool
-          cd ./components/ide/gha-update-image/
+          cd ./dev/npm-tools && npm ci
+          echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+          cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
           yarn
-          npm i -g bun
       - name: Check for updates
         id: updates
         run: |

.github/workflows/code-build.yaml

@@ -8,17 +8,11 @@ on:
     - cron: "0 0 * * *"
 
 jobs:
-  create-runner:
-    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
-    secrets:
-      runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-
   build:
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: [create-runner]
+    runs-on: ubuntu-latest
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-environment
@@ -56,15 +50,3 @@ jobs:
           SLACK_WEBHOOK: ${{ secrets.IDE_SLACK_WEBHOOK }}
           SLACK_COLOR: ${{ job.status }}
           SLACK_FOOTER: "<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Workflow logs>"
-
-  delete-runner:
-    if: always()
-    needs:
-      - create-runner
-      - build
-    uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
-    secrets:
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    with:
-      runner-label: ${{ needs.create-runner.outputs.label }}
-      machine-zone: ${{ needs.create-runner.outputs.machine-zone }}

.github/workflows/code-nightly.yml

@@ -12,9 +12,10 @@ jobs:
         run: |
           curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.1/oci-tool_0.2.1_linux_amd64.tar.gz | tar xz -C /usr/local/bin
           chmod +x /usr/local/bin/oci-tool
-          cd ./components/ide/gha-update-image/
+          cd ./dev/npm-tools && npm ci
+          echo "$PWD/node_modules/.bin" >> $GITHUB_PATH
+          cd $GITHUB_WORKSPACE/components/ide/gha-update-image/
           yarn
-          npm i -g bun
       - name: Check for updates
         id: updates
         run: |

.github/workflows/code-updates.yml

@@ -32,18 +32,12 @@ on:
     - cron: "0 3 * * *"
 
 jobs:
-  create-runner:
-    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
-    secrets:
-      runner_token: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_TOKEN }}
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-
   configuration:
     name: Configuration
-    runs-on: ${{ needs.create-runner.outputs.label }}
-    needs: [create-runner]
+    runs-on: ubuntu-latest
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
     outputs:
       name: ${{ steps.configuration.outputs.name }}
       version: ${{ steps.configuration.outputs.version }}
@@ -96,8 +90,8 @@ jobs:
 
   infrastructure:
     name: Create preview environment infrastructure
-    needs: [configuration, create-runner]
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    needs: [configuration]
+    runs-on: ubuntu-latest
     concurrency:
       group: ${{ needs.configuration.outputs.name }}-infrastructure
     steps:
@@ -128,10 +122,11 @@ jobs:
 
   check:
     name: Check for regressions
-    needs: [configuration, infrastructure, create-runner]
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    needs: [configuration, infrastructure]
+    runs-on: ubuntu-latest
     container:
       image: eu.gcr.io/gitpod-core-dev/dev/dev-environment:main-gha.33389
+      options: --user root
       volumes:
         - /var/tmp:/var/tmp
         - /tmp:/tmp
@@ -216,9 +211,9 @@ jobs:
 
   delete:
     name: Delete preview environment
-    needs: [configuration, infrastructure, check, create-runner]
+    needs: [configuration, infrastructure, check]
     if: github.event.inputs.skip_delete != 'true' && always()
-    runs-on: ${{ needs.create-runner.outputs.label }}
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Setup Environment
@@ -231,18 +226,3 @@ jobs:
         uses: ./.github/actions/delete-preview
         with:
           name: ${{ needs.configuration.outputs.name }}
-
-  delete-runner:
-    if: always()
-    needs:
-      - create-runner
-      - configuration
-      - infrastructure
-      - check
-      - delete
-    uses: gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main
-    secrets:
-      gcp_credentials: ${{ secrets.SELF_HOSTED_GITHUB_RUNNER_GCP_CREDENTIALS }}
-    with:
-      runner-label: ${{ needs.create-runner.outputs.label }}
-      machine-zone: ${{ needs.create-runner.outputs.machine-zone }}