name: Security audit # Weekly npm audit at high+ severity for the root app. Reports to the job summary; does NOT fail the build # (advisories appear constantly and a red checkmark train would just get # muted). Re-run on demand via workflow_dispatch. on: schedule: - cron: '0 6 * * 1' # Mondays 06:00 UTC workflow_dispatch: jobs: audit: name: npm audit (high+) runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Setup Node 22 uses: actions/setup-node@v4 with: node-version: '22' - name: Audit root app run: | echo '## Root app advisories' >> "$GITHUB_STEP_SUMMARY" npm audit --audit-level=high --json > legacy-audit.json || true node -e "const a=require('./legacy-audit.json');const m=a.metadata?.vulnerabilities||{};console.log('high:'+(m.high||0)+' critical:'+(m.critical||0));" >> "$GITHUB_STEP_SUMMARY" continue-on-error: true