feat(ci): add dependency-audit.yml workflow

[don-petry]

Summary

• Adds .github/workflows/dependency-audit.yml to satisfy the compliance requirement
• Runs npm audit --audit-level=moderate on push/PR to main and weekly on Mondays at 06:00 UTC
• Follows existing repo patterns: permissions: {} at top level, explicit contents: read at job level, pinned action SHAs with version comments

Test plan

• Verify CI passes on this PR
• Confirm dependency-audit.yml appears in the Actions tab after merge

Closes #104

Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@don-petry has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 13 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 13 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7541de66-063e-4187-91d5-01a6d5b1481a

📥 Commits

Reviewing files that changed from the base of the PR and between 1620841 and cd8123d.

📒 Files selected for processing (1)

• .github/workflows/dependency-audit.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/issue-104-20260407-1732

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a GitHub Actions workflow to run npm audit regularly for compliance and security scanning of npm dependencies.

Changes:

• Introduces .github/workflows/dependency-audit.yml workflow.
• Runs npm ci + npm audit --audit-level=moderate on push/PR to main and on a weekly cron schedule.

[Copilot]

The workflow pins actions by SHA (good), but the inline version comments (# v6) are the main human-auditable indicator of provenance and can easily become incorrect/misleading. Please update the comments to the exact release/tag that the pinned SHA comes from (e.g., # vX.Y.Z), or otherwise ensure the stated version matches the pinned commit. This helps reviewers/compliance auditors verify what’s actually running and reduces accidental drift.

Suggested change

	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
	- name: Use Node.js 20
	uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
	- name: Use Node.js 20
	uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f

[Copilot]

This workflow will run frequently (push + PR), and npm ci can be a noticeable cost. Consider enabling npm caching via actions/setup-node (with: cache: npm and, if needed, cache-dependency-path) to reduce CI time and load while keeping deterministic installs.

Suggested change

	node-version: '20'
	node-version: '20'
	cache: 'npm'

[don-petry]

Closing as stale — predates the standards PR.

This PR was generated by Claude during the original bulk-toggle yesterday, before petry-projects/.github#86 landed. That standards PR added prompt rules that:

• Require copying from petry-projects/.github/standards/workflows/ verbatim instead of writing workflow files from scratch
• Require verifying SHAs via gh api instead of guessing
• Require the CodeQL actions ecosystem in the matrix where applicable
• Allow gh api and gh label create for admin operations

Re-toggling the underlying issue will let Claude regenerate this fix using the new rules. The next run should produce a workflow that is byte-identical to the standard template (verified with the canary on TalkTerm#51 → PR #78 yesterday).