fix cve scanning node

Author: davidalk

.github/workflows/cve-scanning-node.yml

@@ -7,24 +7,42 @@ defaults:
 
 on:
   push:
-    branches: [ "main" ]
-    paths: ['ui/**']
-  pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
+    paths: ["ui/**"]
+  pull_request_target:
+    branches: ["main"]
 
 jobs:
-  # CVE scanning
   cvescan:
-    name: CVE Scanning
+    name: CVE Scan
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18.x]
+
+    permissions:
+      contents: read
+
+    env:
+      NODE_VERSION: 24.x
+
     steps:
-      - uses: actions/checkout@v4
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Checkout repository (trusted)
+        uses: actions/checkout@v4
+
+      - name: Set up Node
         uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm ci
-      - run: npx --yes auditjs ossi --whitelist allow-list.json
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Checkout PR code (untrusted)
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Run CVE scan (auditjs)
+        env:
+          OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+          OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
+        run: |
+          echo "Running auditjs with secrets available"
+          npm ci
+          npx --yes auditjs ossi --whitelist allow-list.json -u "$OSS_INDEX_USERNAME" -p "$OSS_INDEX_PASSWORD"