ci(security): make npm audit advisory on pull requests

devakone · devakone · commit ccc5a6bfde05 · 2026-02-22T12:36:23.000-05:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -29,8 +29,20 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: NPM audit (moderate)
-        run: npm audit --audit-level=moderate
+      - name: NPM audit (advisory on PRs)
+        if: github.event_name == 'pull_request'
+        run: |
+          set +e
+          npm audit --audit-level=moderate
+          code=$?
+          set -e
+          if [ "$code" -ne 0 ]; then
+            echo "::warning::npm audit reported vulnerabilities (advisory mode on PRs)."
+          fi
+
+      - name: NPM audit (enforced on push)
+        if: github.event_name == 'push'
+        run: npm audit --audit-level=critical
 
       - name: Trufflehog git history scan
         uses: trufflesecurity/trufflehog@main
