audit.yml

name: Continuous Audit Check

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 5 * * 0" # Weekly every Sunday 05:00 UTC

  workflow_dispatch:

jobs:
  node-npm:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Audit
        # must use login shell (-l) to have nvm preinstalled, -e exits shell on nonzero exit codes
        shell: bash -e -l {0}
        run: |
          NODE=$(jq -r .engines.node ./package.json)
          NPM=$(jq -r .engines.npm ./package.json)
          echo "Node/npm version: ${NODE}/${NPM} - found on package.json"
          echo "RUN:\"nvm i\" => Sets up npm."
          nvm i
          echo "RUN:\"npm i -g npm@${NPM}\" => Set up npm ${NPM}"
          npm i -g npm@"${NPM}"
          echo "RUN:\"npm i --package-lock-only\" => Creates package-lock.json which is used by audit, also audits, but always exits with 0 and gives a very short output."
          npm i --package-lock-only --ignore-scripts
          echo "RUN:\"npm audit\" => Runs the actual audit."
          npm audit --audit-level=moderate --omit=dev @tauri-apps/cli