BillTracker/.forgejo/workflows/deps-audit.yml

26 lines
742 B
YAML

# Weekly dependency guard (QA-B0-02 durable fix): dependency rot must surface
# as a red scheduled run, not wait for the next manual audit. Fails on any
# high+ vulnerability in production deps; prints the outdated report either way.
name: deps-audit
on:
schedule:
- cron: '0 11 * * 1' # Mondays 11:00 UTC (~06:00 America/Chicago)
workflow_dispatch:
jobs:
audit:
runs-on: docker
container:
image: node:22-bookworm
steps:
- uses: actions/checkout@v4
- name: Install (lockfile-exact)
run: npm ci
- name: Audit production deps (fail on high or critical)
run: npm audit --omit=dev --audit-level=high
- name: Outdated report (informational)
run: npm outdated || true