chore(deps): bump actions/setup-node from 5 to 6 #9
| # Security CI — dependency vulnerabilities + secret scanning. | |
| # Complements ci.yml (typecheck / build / tests, which already run the | |
| # unsafeHtml + bundle guards). Kept as a separate workflow so it can run on a | |
| # schedule and surface independently of the build matrix. | |
| name: security | |
| on: | |
| push: | |
| branches: ["**"] | |
| pull_request: | |
| schedule: | |
| # Weekly, so newly-disclosed CVEs in pinned deps surface even without a push. | |
| - cron: "0 6 * * 1" | |
| permissions: | |
| contents: read | |
| jobs: | |
| npm-audit: | |
| name: npm audit (runtime deps) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 22 | |
| cache: npm | |
| - run: npm ci | |
| # Fail the job only on high/critical advisories in shipped (non-dev) deps; | |
| # lower-severity transitive dev noise is reported but not blocking. | |
| - name: Audit production dependencies | |
| run: npm audit --omit=dev --audit-level=high | |
| secret-scan: | |
| name: gitleaks (working tree + full history) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v5 | |
| with: | |
| # Full history so a secret committed-then-removed is still caught. | |
| fetch-depth: 0 | |
| - name: Scan for committed secrets | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |