chore: only audit production workspaces

After #5309 moved docs dependencies to proudction deps, we started failing our daily audit CI check. Currently these deps are production so they are available when we run `pack`, but they don't need to be audited since they are never present in our published tarball. This change runs `audit` on the root CLI and all workspaces within the `workspaces/` directory, which are the only production workspaces.
npm · Oct 13, 2022 · 9d7a6ff · 9d7a6ff
1 parent a09e19d
commit 9d7a6ff
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -31,4 +31,4 @@ jobs:
       - name: Reset Deps
         run: node . run resetdeps -- --package-lock
       - name: Run Audit
-        run: node . audit
+        run: node . audit -iwr -w workspaces
diff --git a/scripts/template-oss/audit.yml b/scripts/template-oss/audit.yml
@@ -0,0 +1,13 @@
+name: Audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    # "At 08:00 UTC (01:00 PT) on Monday" https://crontab.guru/#0_8_*_*_1
+    - cron: "0 8 * * 1"
+
+jobs:
+  audit:
+    {{> job jobName="Audit Dependencies" jobDepFlags="--package-lock" }}
+      - name: Run Audit
+        run: {{ rootNpmPath }} audit -iwr -w workspaces
diff --git a/scripts/template-oss/root.js b/scripts/template-oss/root.js
@@ -7,6 +7,7 @@ module.exports = {
       '.github/workflows/ci-release.yml': 'ci-release.yml',
       '.github/dependabot.yml': false,
       '.github/workflows/post-dependabot.yml': false,
+      '.github/workflows/audit.yml': 'audit.yml',
     },
   },
   workspaceRepo: {