ci: upgrade to Node.js 24 across all CI jobs #14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Audit | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 18 * * 0' # Weekly Sunday 02:00 SGT (18:00 UTC Sunday) | |
| jobs: | |
| npm-audit: | |
| name: Dependency Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node 24 | |
| uses: actions/setup-node@v5 | |
| with: | |
| node-version: '24' | |
| cache: 'npm' | |
| cache-dependency-path: package-lock.json | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run npm audit | |
| # Remaining 2 moderate CVEs: esbuild <=0.24.2 (GHSA-67mh-4wv8-2f99) via | |
| # vite <=6.4.1. Fix requires npm audit fix --force → vite@8 (breaking | |
| # migration). Build-time only — not bundled into the served static app. | |
| # All high and critical CVEs are resolved. | |
| run: npm audit --audit-level=high | |
| api-audit: | |
| name: AI Proxy Dependency Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node 24 | |
| uses: actions/setup-node@v5 | |
| with: | |
| node-version: '24' | |
| - name: Install API proxy dependencies | |
| working-directory: api | |
| run: npm install | |
| - name: Run npm audit on API proxy | |
| working-directory: api | |
| run: npm audit --audit-level=high |