name: Security on: pull_request: branches: - main push: branches: - main schedule: - cron: "25 5 * * 1" workflow_dispatch: permissions: contents: read jobs: dependency-review: if: github.event_name == 'pull_request' runs-on: ubuntu-latest permissions: contents: read pull-requests: read steps: - name: Dependency review uses: actions/dependency-review-action@v4 with: fail-on-severity: high npm-audit: runs-on: ubuntu-latest timeout-minutes: 20 steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Node.js uses: actions/setup-node@v4 with: node-version-file: ".nvmrc" cache: npm - name: Install dependencies run: npm ci - name: Run npm audit (production dependencies) run: npm audit --omit=dev --audit-level=high codeql: if: github.event_name != 'pull_request' runs-on: ubuntu-latest timeout-minutes: 30 permissions: actions: read contents: read security-events: write steps: - name: Checkout code uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: javascript-typescript - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Analyze uses: github/codeql-action/analyze@v3