dev-setup

Warn

Audited by Socket on May 12, 2026

2 alerts found:

Anomaly (x2)
Anomaly: LOW
assets/workflows/pnpm/snapshot-release.yml

This workflow snippet itself shows no explicit malware, but it creates a high-impact supply-chain execution path: it checks out an input-selected branch, installs dependencies without frozen-lockfile integrity enforcement, writes an npm auth token to ~/.npmrc, and then runs repository-defined snapshot/prerelease publish scripts with write permissions. The main security concerns are supply-chain integrity and token exposure during script execution; actual malicious behavior cannot be ruled out without inspecting the ci:snapshot/ci:prerelease implementations and the repository's dependency lifecycle scripts.

Confidence: 62%, Severity: 66%
Anomaly: LOW
assets/workflows/bun/snapshot-release.yml

No direct malware indicators are visible in this workflow YAML. The main supply-chain risk is indirect: operator-controlled branch selection leads to checkout of code whose repository scripts (bun ci:snapshot/ci:prerelease) and fetched dependencies execute with write permissions and with npm/GitHub tokens available via ~/.npmrc and environment variables. Without reviewing the invoked scripts and the dependency tree, malware, exfiltration, or publishing misuse cannot be ruled out; overall, this release pipeline should be treated as a moderate supply-chain risk.

Confidence: 62%, Severity: 56%
Audit Metadata
Analyzed At
May 12, 2026, 11:40 PM
Package URL
pkg:socket/skills-sh/neo-hack%2Fneo-skills%2Fdev-setup%2F@7c690c006ce1c8256885d53a54a9d7757e4fe7af
Security Audit — socket — dev-setup