ci(audit): add weekly cargo-audit + npm-audit workflow

Runs Mondays 06:00 UTC (plus workflow_dispatch) so any freshly
published advisory surfaces as its own failing run rather than
slipping into an unrelated PR's check.yml noise. npm audit is
gated to --audit-level=high to skip the low/moderate chatter that
doesn't warrant a bump.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-21 17:32:34 +01:00
parent 697642fa4d
commit 59209bd181

51
.github/workflows/audit.yml vendored Normal file
View File

@@ -0,0 +1,51 @@
# Weekly dependency vulnerability scan.
#
# This runs separately from check.yml so a newly published advisory
# surfaces as its own failing run (easy to spot, easy to track)
# without blocking unrelated PR work. Manually triggerable via
# workflow_dispatch for ad-hoc checks after dependency bumps.
name: audit
on:
schedule:
# Mondays 06:00 UTC — early in the week so any advisory has the
# whole week to be triaged rather than landing on a Friday.
- cron: "0 6 * * 1"
workflow_dispatch:
jobs:
cargo-audit:
name: cargo audit
runs-on: ubuntu-22.04
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
# rustsec/audit-check runs cargo-audit against the RustSec
# advisory DB. Fails the job on any unignored advisory.
- name: Run cargo audit
uses: rustsec/audit-check@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
npm-audit:
name: npm audit
runs-on: ubuntu-22.04
timeout-minutes: 10
steps:
- uses: actions/checkout@v4
- name: Install Node
uses: actions/setup-node@v4
with:
node-version: 20
cache: npm
- name: Install JS deps
run: npm ci
# --audit-level=high ignores low/moderate noise — we care about
# high and critical advisories, which are the ones that warrant
# an actual bump.
- name: Run npm audit
run: npm audit --audit-level=high