ci: keep audit helper within workflow assets

e · e · commit 352dc6527b2f · 2026-06-10T16:52:13.000+04:00
diff --git a/.github/scripts/audit-production-dependencies.mjs b/.github/scripts/audit-production-dependencies.mjs
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           node-version: '22'
       - name: Audit ${{ matrix.lockfile }}
-        run: node scripts/audit-production-dependencies.mjs --workspace "${{ matrix.path }}" --lockfile "${{ matrix.lockfile }}"
+        run: node .github/scripts/audit-production-dependencies.mjs --workspace "${{ matrix.path }}" --lockfile "${{ matrix.lockfile }}"
 
   security-audit:
     name: security-audit
diff --git a/tests/ci-workflow-coverage.test.mts b/tests/ci-workflow-coverage.test.mts
@@ -12,7 +12,7 @@ const packageJson = JSON.parse(readFileSync(resolve(root, 'package.json'), 'utf8
 const packageScripts = packageJson.scripts ?? {};
 const deployGateWorkflow = readFileSync(resolve(workflowsDir, 'deploy-gate.yml'), 'utf8');
 const securityAuditWorkflow = readFileSync(resolve(workflowsDir, 'security-audit.yml'), 'utf8');
-const securityAuditScript = readFileSync(resolve(root, 'scripts/audit-production-dependencies.mjs'), 'utf8');
+const securityAuditScript = readFileSync(resolve(root, '.github/scripts/audit-production-dependencies.mjs'), 'utf8');
 const testWorkflow = readFileSync(resolve(workflowsDir, 'test.yml'), 'utf8');
 const workflowText = readdirSync(workflowsDir)
   .filter((name) => name.endsWith('.yml') || name.endsWith('.yaml'))
@@ -179,7 +179,7 @@ describe('CI workflow coverage', () => {
     assert.match(securityAuditWorkflow, /\n    name: security-audit\n/, 'security-audit.yml must publish a security-audit check run');
     assert.match(
       securityAuditWorkflow,
-      /node scripts\/audit-production-dependencies\.mjs/,
+      /node \.github\/scripts\/audit-production-dependencies\.mjs/,
       'security-audit.yml must run the production dependency audit gate',
     );
     assert.match(
diff --git a/tests/security-audit-baseline.test.mjs b/tests/security-audit-baseline.test.mjs
@@ -5,7 +5,7 @@ import {
   BASELINE_ADVISORIES_BY_LOCKFILE,
   collectAuditFindings,
   collectUnbaselinedFindings,
-} from '../scripts/audit-production-dependencies.mjs';
+} from '../.github/scripts/audit-production-dependencies.mjs';
 
 function auditReportWith(via) {
   return {
