30 lines
987 B
YAML
30 lines
987 B
YAML
name: Security audit
|
|
|
|
# Weekly npm audit at high+ severity for the root app. Reports to the job summary; does NOT fail the build
|
|
# (advisories appear constantly and a red checkmark train would just get
|
|
# muted). Re-run on demand via workflow_dispatch.
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 6 * * 1' # Mondays 06:00 UTC
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
audit:
|
|
name: npm audit (high+)
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node 22
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '22'
|
|
|
|
- name: Audit root app
|
|
run: |
|
|
echo '## Root app advisories' >> "$GITHUB_STEP_SUMMARY"
|
|
npm audit --audit-level=high --json > legacy-audit.json || true
|
|
node -e "const a=require('./legacy-audit.json');const m=a.metadata?.vulnerabilities||{};console.log('high:'+(m.high||0)+' critical:'+(m.critical||0));" >> "$GITHUB_STEP_SUMMARY"
|
|
continue-on-error: true
|