name: checks.security.dependencies

on:
  push:
  pull_request:
    paths: [ '/package.json', '/package-lock.json' ] # Allow PRs to be green if they do not introduce dependency change
  schedule:
    - cron: '0 0 * * 0' # at 00:00 on every Sunday

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Setup node
        uses: ./.github/actions/setup-node
      -
        name: NPM audit
        run:  npm audit --omit=dev