From 991278ebacd3730b61247e5e06d31e200ed45d57 Mon Sep 17 00:00:00 2001
From: "gandalf-the-greybeard[bot]"
Date: Sun, 8 Mar 2026 19:02:12 +0000
Subject: [PATCH] ci: add npm audit step to shared plugin CI workflow

Adds a security audit step (npm audit --omit=dev) to catch known vulnerabilities in production dependencies. Runs after tests so build failures are reported before audit findings. Uses --omit=dev to focus on production-facing risk. This covers all 6 plugin repos that use the shared workflow.
---
 .github/workflows/plugin-ci.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/plugin-ci.yaml b/.github/workflows/plugin-ci.yaml
index a1ba824..53d8ce5 100644
--- a/.github/workflows/plugin-ci.yaml
+++ b/.github/workflows/plugin-ci.yaml
@@ -41,3 +41,6 @@ jobs:
 - name: Run tests
 run: npm test
+
+ - name: Security audit
+ run: npm audit --omit=dev
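Review bot: The new `Security audit` step runs `npm audit --omit=dev` without `--audit-level`, so npm's default applies and any advisory in a production dependency, whatever its severity, fails the job in every repo that calls this shared workflow. State the blocking threshold explicitly, e.g. `run: npm audit --omit=dev --audit-level=high`, and add a comment such as `# Blocks on high/critical advisories in production deps; lower severities are triaged separately` so the policy is visible to the plugin maintainers. Because the step follows `Run tests` with no `if:` condition, it is skipped whenever tests fail, so audit findings go unreported on red builds; if that is not intended, `if: ${{ !cancelled() }}` would keep it running. The result also depends on advisories published at run time, so a dependency is only re-checked when CI is triggered; the workflow's triggers and earlier steps are outside this hunk, so whether a scheduled run already covers that cannot be confirmed from here.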