This commit changes the behavior of auditing to audit only production
dependencies.
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.
The reasons include:
- Vulnerabilities in developer dependencies cause pipelines to fail
on every run.
- This is caused by dependencies such that lack resolution from the
developers. Vue developers consider `npm audit` broken design and do
not prioritize solutions. Discussions: vuejs/vue-cli#6637,
vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
of security posture of users.
`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
- Bump setup-node action to v2.
- Use composite actions to reuse same setting. This is preferred over
reusable templates because reusable templates are on job-level but
setting up node should be a step.
- Seperate test pipeline into E2E, integration and unit test pipelines.
- Improve documenetation for pipelines (ci-cd.md).
- Introduce naming convention for worklow files and names.
- Center badges with multiple files on README file.
