feat: add yarn audit checks to CI workflow (#10)

jamesbhobbs · devin-ai-integration[bot] · web-flow · commit 973dff7eb35f · 2025-10-10T13:16:16.000+01:00
* feat: add yarn audit checks to CI workflow

- Add 'Audit - Production' job for production dependencies
- Add 'Audit - All' job for all dependencies
- Use jlpm (yarn) for dependency auditing

* fix: add jupyterlab installation step before running jlpm in audit jobs

* fix: move audit jobs from build.yml to ci.yml

Move Audit - Production and Audit - All jobs to ci.yml as requested.
Audit jobs should be in ci.yml, not build.yml.

* fix: add packages:read permission to ci.yml for private package access

* fix: use correct yarn audit syntax (yarn npm audit)

---------

Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -185,3 +185,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
       - uses: jupyterlab/maintainer-tools/.github/actions/check-links@v1
+        with:
+          ignore_links: 'https://github.com/deepnote/jupyterlab-deepnote/pull/ https://github.com/deepnote/jupyterlab-deepnote/issues/'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,7 @@ concurrency:
 permissions:
   contents: read
   pull-requests: read
+  packages: read
 
 jobs:
   qlty:
@@ -32,6 +33,54 @@ jobs:
 
       - name: Run qlty code smells analysis
         run: qlty smells
+
+  audit-prod:
+    name: Audit - Production
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Base Setup
+        uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+
+      - name: Install dependencies
+        run: python -m pip install -U "jupyterlab>=4.0.0,<5"
+
+      - name: Install node dependencies
+        run: jlpm
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run audit for production dependencies
+        run: jlpm npm audit --environment production
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  audit-all:
+    name: Audit - All
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Base Setup
+        uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+
+      - name: Install dependencies
+        run: python -m pip install -U "jupyterlab>=4.0.0,<5"
+
+      - name: Install node dependencies
+        run: jlpm
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run audit for all dependencies
+        run: jlpm npm audit
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         
   license-check:
     name: License Check
