chore: root commit of OWSAP security testing/tightening

2026-03-01 20:46:47 -06:00
parent 1645896e54
commit 079b8b9492
25 changed files with 1131 additions and 107 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -8,12 +8,21 @@ jobs:
  deploy:
    runs-on: vps-host
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4.2.2
+
+      - name: Supply chain checks (production dependencies)
+        run: |
+          set -euo pipefail
+          cd api
+          npm ci
+          npm audit --omit=dev --audit-level=high
+          cd ../web
+          npm ci
+          npm audit --omit=dev --audit-level=high

      - name: Build Web
        run: |
          cd web
-          npm ci
          npm run build

      - name: Deploy with Docker Compose
@@ -48,4 +57,4 @@ jobs:
          sudo docker-compose exec -T api npx prisma migrate deploy

      - name: Reload Nginx
-        run: sudo systemctl reload nginx
+        run: sudo systemctl reload nginx