Refactor CI auditing

This changes how we audit (for vulns and deprecations) in CI from a
reusable workflow to two self-contained workflows. I believe this makes
the setup a bit more explicit (when each happens) at the cost of some
duplication (which is counteracted by the removal of conditional logic)
and potential audit failures if there are build failures (because there
is no longer a `needs:` relation between the build job and audit jobs,
tho at the same time only one of the audit jobs should actually be
blocked by the build job).

Author: ericcornelissen

.github/workflows/audit-dev.yml

@@ -0,0 +1,79 @@
+name: Audit
+on:
+  pull_request:
+    paths:
+      - .github/workflows/audit-dev.yml
+      - .grype.yml
+      - .ndmrc
+      - .syft.yml
+      - .tool-versions
+      - Containerfile
+      - package-lock.json
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: 0 3 * * *
+  workflow_dispatch: ~
+
+permissions: read-all
+
+jobs:
+  deprecations:
+    name: Deprecations
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Audit all deprecation warnings
+        run: make audit-deprecations-npm
+  image:
+    name: Image
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ref: ${{ fromJSON(inputs.refs) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        id: checkout
+        with:
+          persist-credentials: false
+          ref: ${{ matrix.ref }}
+      - name: Install tooling
+        uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
+        run: echo "${GRYPERC}" | tee .grype.yml
+      - name: Audit dependencies in container image
+        run: make audit-vulnerabilities-image
+      - name: Upload SBOM and vulnerability scan
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        if: ${{ failure() || success() }}
+        with:
+          if-no-files-found: error
+          name: container-scan-${{ steps.checkout.outputs.commit }}
+          path: |
+            sbom-syft.json
+            vulns.json
+  npm:
+    name: npm
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+        with:
+          persist-credentials: false
+      - name: Install Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Audit all npm dependencies
+        run: make audit-vulnerabilities-npm

.github/workflows/reusable-audit.yml .github/workflows/audit-release.yml

@@ -1,12 +1,8 @@
-name: Audit
+name: Audit (release)
 on:
-  workflow_call:
-    inputs:
-      refs:
-        default: |-
-          [""]
-        required: false
-        type: string
+  schedule:
+    - cron: 0 3 * * *
+  workflow_dispatch: ~
 
 permissions: read-all
 
@@ -17,47 +13,43 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ref: ${{ fromJSON(inputs.refs) }}
+        ref:
+         - v0
     steps:
       - name: Checkout repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
-          persist-credentials: false
           ref: ${{ matrix.ref }}
+          persist-credentials: false
       - name: Install Node.js
         uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           cache: npm
           node-version-file: .nvmrc
       - name: Insert custom configuration
-        if: ${{ startsWith(matrix.ref, 'v') }}
         env:
           NDMRC: ${{ vars.NDMRC }}
         run: echo "${NDMRC}" | tee .ndmrc
-      - name: Audit all deprecation warnings
-        if: ${{ !startsWith(matrix.ref, 'v') }}
-        run: make audit-deprecations-npm
       - name: Audit production deprecation warnings
-        if: ${{ startsWith(matrix.ref, 'v') }}
         run: make audit-deprecations-npm ARGS="--omit=dev"
   image:
     name: Image
     runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
-        ref: ${{ fromJSON(inputs.refs) }}
+        ref:
+         - v0
     steps:
       - name: Checkout repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         id: checkout
         with:
-          persist-credentials: false
           ref: ${{ matrix.ref }}
+          persist-credentials: false
       - name: Install tooling
         uses: asdf-vm/actions/install@4f8f7939dd917fc656bb7c3575969a5988c28364 # v3.0.0
       - name: Insert custom configuration
-        if: ${{ startsWith(matrix.ref, 'v') }}
         env:
           GRYPERC: ${{ vars.GRYPERC }}
         run: echo "${GRYPERC}" | tee .grype.yml
@@ -78,21 +70,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ref: ${{ fromJSON(inputs.refs) }}
+        ref:
+         - v0
     steps:
       - name: Checkout repository
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
         with:
-          persist-credentials: false
           ref: ${{ matrix.ref }}
+          persist-credentials: false
       - name: Install Node.js
         uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           cache: npm
           node-version-file: .nvmrc
-      - name: Audit all npm dependencies
-        if: ${{ !startsWith(matrix.ref, 'v') }}
-        run: make audit-vulnerabilities-npm
       - name: Audit production npm dependencies
-        if: ${{ startsWith(matrix.ref, 'v') }}
         run: make audit-vulnerabilities-npm ARGS="--omit dev"

.github/workflows/check.yml

@@ -9,11 +9,6 @@ on:
 permissions: read-all
 
 jobs:
-  audit:
-    name: Audit
-    uses: ./.github/workflows/reusable-audit.yml
-    needs:
-      - build
   build:
     name: Build with ${{ matrix.engine }}
     runs-on: ubuntu-24.04

.github/workflows/nightly.yml

@@ -7,12 +7,6 @@ on:
 permissions: read-all
 
 jobs:
-  audit:
-    name: Audit
-    uses: ./.github/workflows/reusable-audit.yml
-    with:
-      refs: |-
-        ["main", "v0"]
   tooling:
     name: Update tooling
     runs-on: ubuntu-24.04