I set this up recently at a new company and did yarn + ncc to build a compiled JS out of TypeScript. It was a bit hairy as a novice, but ended up working fine.
That protects from npm supply chain stuff, but obviously third-party includes like docker/build-push-action are still a risk.
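The third-party action risk mentioned above can at least be checked mechanically. This is an added example, not code from the commenter: a small shell function that lists `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA, run against a constructed sample workflow (the file contents and action names in it are assumed for illustration).

```shell
#!/usr/bin/env bash
# Added example: flag `uses:` references in a GitHub workflow file that are
# pinned to a tag or branch instead of a full commit SHA. A tag like `@v5`
# can be moved by the upstream maintainer; a 40-hex SHA cannot.
set -eu

# Print every `uses:` reference in the given workflow file that is not pinned
# to a full commit SHA. Local actions (./path) and docker:// images are
# skipped. Prints nothing when every third-party action is SHA-pinned.
unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//' \
    | sed -E "s/[\"']//g" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Constructed sample workflow (assumed content, not from a real repository).
SAMPLE_WF="$(mktemp)"
trap 'rm -f "$SAMPLE_WF"' EXIT
cat > "$SAMPLE_WF" <<'EOF'
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/compiled-action
      - uses: docker/build-push-action@v5
      - uses: docker/login-action@v3.1.0   # floating tag, still movable
EOF

# Lists the two tag-pinned actions; the SHA-pinned and local ones are silent.
unpinned_uses "$SAMPLE_WF"
```

The same function can be looped over `.github/workflows/*.yml` in CI so a newly added unpinned action fails the build.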