Runs Mondays 06:00 UTC (plus workflow_dispatch) so any freshly published advisory surfaces as its own failing run rather than slipping into an unrelated PR's check.yml noise. npm audit is gated to --audit-level=high to skip the low/moderate chatter that doesn't warrant a bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
52 lines
1.4 KiB
YAML
52 lines
1.4 KiB
YAML
# Weekly dependency vulnerability scan.
|
|
#
|
|
# This runs separately from check.yml so a newly published advisory
|
|
# surfaces as its own failing run (easy to spot, easy to track)
|
|
# without blocking unrelated PR work. Manually triggerable via
|
|
# workflow_dispatch for ad-hoc checks after dependency bumps.
|
|
name: audit
|
|
|
|
on:
|
|
schedule:
|
|
# Mondays 06:00 UTC — early in the week so any advisory has the
|
|
# whole week to be triaged rather than landing on a Friday.
|
|
- cron: "0 6 * * 1"
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
cargo-audit:
|
|
name: cargo audit
|
|
runs-on: ubuntu-22.04
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
# rustsec/audit-check runs cargo-audit against the RustSec
|
|
# advisory DB. Fails the job on any unignored advisory.
|
|
- name: Run cargo audit
|
|
uses: rustsec/audit-check@v2
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
npm-audit:
|
|
name: npm audit
|
|
runs-on: ubuntu-22.04
|
|
timeout-minutes: 10
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Node
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: npm
|
|
|
|
- name: Install JS deps
|
|
run: npm ci
|
|
|
|
# --audit-level=high ignores low/moderate noise — we care about
|
|
# high and critical advisories, which are the ones that warrant
|
|
# an actual bump.
|
|
- name: Run npm audit
|
|
run: npm audit --audit-level=high
|