26 lines
742 B
YAML
26 lines
742 B
YAML
|
|
# Weekly dependency guard (QA-B0-02 durable fix): dependency rot must surface
|
||
|
|
# as a red scheduled run, not wait for the next manual audit. Fails on any
|
||
|
|
# high+ vulnerability in production deps; prints the outdated report either way.
|
||
|
|
name: deps-audit
|
||
|
|
on:
|
||
|
|
schedule:
|
||
|
|
- cron: '0 11 * * 1' # Mondays 11:00 UTC (~06:00 America/Chicago)
|
||
|
|
workflow_dispatch:
|
||
|
|
|
||
|
|
jobs:
|
||
|
|
audit:
|
||
|
|
runs-on: docker
|
||
|
|
container:
|
||
|
|
image: node:22-bookworm
|
||
|
|
steps:
|
||
|
|
- uses: actions/checkout@v4
|
||
|
|
|
||
|
|
- name: Install (lockfile-exact)
|
||
|
|
run: npm ci
|
||
|
|
|
||
|
|
- name: Audit production deps (fail on high or critical)
|
||
|
|
run: npm audit --omit=dev --audit-level=high
|
||
|
|
|
||
|
|
- name: Outdated report (informational)
|
||
|
|
run: npm outdated || true
|