Fix map zoom centering + match embed chip row radius to map card #51

	name: Security

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: "0 6 * * 1" # Mondays 06:00 UTC
	workflow_dispatch:

	permissions:
	contents: read

	jobs:
	npm-audit:
	name: npm audit
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-node@v4
	with:
	node-version: 20
	cache: npm
	- run: npm ci
	# Most "high" advisories here are transitive Docusaurus build-time deps.
	# Fail only on critical so noise doesn't block merges; review highs in the report.
	- run: npm audit --audit-level=critical
	- if: always()
	run: npm audit --json > npm-audit.json \|\| true
	- if: always()
	uses: actions/upload-artifact@v4
	with:
	name: npm-audit-report
	path: npm-audit.json

	gitleaks:
	name: Secret scan (gitleaks OSS)
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Install gitleaks
	run: \|
	GL_VERSION=8.21.2
	curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \
	\| sudo tar -xz -C /usr/local/bin gitleaks
	gitleaks version
	- name: Scan history for secrets
	run: gitleaks detect --source . --no-banner --redact --verbose --exit-code 1

	trivy-fs:
	name: Filesystem scan (Trivy)
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: aquasecurity/trivy-action@v0.36.0
	with:
	scan-type: fs
	scan-ref: .
	ignore-unfixed: true
	severity: CRITICAL,HIGH
	exit-code: "1"
	# Skip lockfile noise from build-time-only deps; tighten later if needed.
	skip-dirs: node_modules,build,.docusaurus

Provide feedback