name: security-checks

on:
  push:
  pull_request:
    paths: [ '/package.json', '/package-lock.json' ] # Allow PRs to be green if they do not introduce dependency change
  schedule:
    - cron: '0 0 * * 0' # at 00:00 on every Sunday

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Setup node
        uses: ./.github/actions/setup-node
      -
        name: NPM audit
        run: exit "$(npm audit)" # Since node 15.x, it does not fail with error if we don't explicitly exit