chore: harden dependency workflows

This commit is contained in:
Mario Zechner
2026-05-20 15:53:18 +02:00
parent aa4adac766
commit 17cc86a479
9 changed files with 174 additions and 4 deletions

View File

@@ -30,7 +30,7 @@ jobs:
sudo ln -s $(which fdfind) /usr/local/bin/fd
- name: Install dependencies
run: npm ci
run: npm ci --ignore-scripts
- name: Build
run: npm run build

31
.github/workflows/npm-audit.yml vendored Normal file
View File

@@ -0,0 +1,31 @@
name: npm audit
on:
schedule:
- cron: '37 7 * * *'
workflow_dispatch:
permissions:
contents: read
jobs:
audit:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 22
cache: npm
- name: Install dependencies without lifecycle scripts
run: npm ci --ignore-scripts --no-audit --no-fund
- name: Audit production vulnerabilities
run: npm audit --omit=dev --audit-level=moderate
- name: Verify registry signatures
run: npm audit signatures --omit=dev