ci-firewall

Shows how to set up a simple firewall on GitHub Actions that only allows NPM and GitHub's IPs, dynamically sourced on startup.

Disclaimer: I am not a security researcher, so I can't guarantee anything. Also, if another script has root access, then that script can trivially disable the firewall.