Barazo AppView backend barazo.forum

ci(api): add --prod flag to security audit (#130)

Align with barazo-web by only auditing production dependencies.
DevDependency vulnerabilities don't affect deployed containers.

Authored by Guido X Jansen and committed by GitHub
d87cb2d9 60c12e07

+1 -1
.github/workflows/ci.yml
··· 136 136 - name: Security audit with retry 137 137 run: | 138 138 for attempt in 1 2 3; do 139 - output=$(pnpm audit --audit-level=high 2>&1) && { echo "$output"; exit 0; } 139 + output=$(pnpm audit --audit-level=high --prod 2>&1) && { echo "$output"; exit 0; } 140 140 if echo "$output" | grep -q "ERR_PNPM_AUDIT_BAD_RESPONSE\|ECONNREFUSED\|ETIMEDOUT\|EAI_AGAIN"; then 141 141 echo "::warning::Audit registry unavailable (attempt $attempt/3), retrying in 15s..." 142 142 sleep 15
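
Review bot: on line 139, `--prod` takes devDependencies out of the audit gate entirely, so a high-severity advisory in build or test tooling would no longer be reported anywhere in this workflow, even though such tooling typically still runs on the CI runner. Consider keeping the production audit as the blocking check and adding a second, non-blocking step that runs `pnpm audit --audit-level=high --dev` so those findings stay visible. The step name "Security audit with retry" could also state the production-only scope, or a short comment above the loop could record why dev dependencies are excluded.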