chore(deps)(deps): bump the patch-updates group across 1 directory with 19 updates #44
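name: Security Audit

on:
  # Run on every PR to main/master
  pull_request:
    branches: [main, master]
  # Run on pushes to main (catches direct commits)
  push:
    branches: [main, master]
  # Weekly scan: Sunday at 2 AM UTC
  # Catches newly disclosed vulnerabilities in existing dependencies
  schedule:
    - cron: '0 2 * * 0'
  # Allow manual trigger from GitHub UI
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN. The job only needs to read
# the repository and to list/create issues in the final step. Without an
# explicit block the token inherits the repository default, which may be
# read-only (the issue step then fails with 403) or broader than needed.
permissions:
  contents: read
  issues: write

jobs:
  audit:
    name: Dependency Security Audit
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by major-version tag.
      # Pinning each `uses:` to a full-length commit SHA (with the tag in a
      # trailing comment) prevents a moved tag from changing what runs here.
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '22'

      - name: Enable Corepack (for Yarn 4)
        run: corepack enable

      # --immutable makes the install fail if the lockfile would change,
      # so the audited tree is exactly what is committed.
      - name: Install dependencies
        run: yarn install --immutable

      # Only this step can fail the job: critical findings block the PR/push
      # and, on the scheduled run, trigger the issue step below.
      - name: Run security audit (critical)
        run: yarn npm audit --severity critical

      # Non-blocking for high severity, but visible in logs
      - name: Run security audit (high) - warning only
        run: yarn npm audit --severity high || true

      # Optional: Create GitHub issue on scheduled run failure.
      # Requires `issues: write` (granted in the permissions block above).
      - name: Create issue on vulnerability found
        if: failure() && github.event_name == 'schedule'
        uses: actions/github-script@v8
        with:
          script: |
            const title = '🚨 Security Vulnerability Detected';
            const body = `A scheduled security audit found critical vulnerabilities in dependencies.\n\nRun \`yarn npm audit\` locally to see details.\n\n[View workflow run](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`;

            // Check if an open issue with this title already exists.
            // per_page is raised from the API default so the dedupe check
            // does not stop at the first page of open 'security' issues.
            const issues = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              labels: 'security',
              per_page: 100,
            });
            const existingIssue = issues.data.find((i) => i.title === title);

            if (!existingIssue) {
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title,
                body,
                labels: ['security', 'dependencies'],
              });
            }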