From bc8f80b3f6c4d1f683862792435141e594225c0e Mon Sep 17 00:00:00 2001
From: Hermes Agent
Date: Fri, 22 May 2026 21:56:17 +0000
Subject: [PATCH] ci: add security scanning

---
 .github/workflows/ci.yml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4163539..775e272 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -26,7 +26,27 @@ jobs:
 - name: Compile
 run: pnpm build
 
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v6
+
+ - name: Set up node
+ uses: actions/setup-node@v6
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@v4
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Run security audit
+ run: pnpm audit --audit-level=high
+
 test:
+ needs: [ compile ]
 runs-on: ubuntu-latest
 
 steps:
@@ -46,7 +66,7 @@ jobs:
 run: pnpm test
 
 publish:
- needs: [ compile, test ]
+ needs: [ compile, test, security ]
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 runs-on: ubuntu-latest
 permissions:
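Review bot: The new `security` job installs the whole dependency tree with `pnpm install --frozen-lockfile` before it audits anything, so depending on the pnpm version in use, dependency install scripts may run before the advisory check can fail the job. `pnpm audit` works from `pnpm-lock.yaml`, so the install step can probably be dropped, or at least changed to `run: pnpm install --frozen-lockfile --ignore-scripts`. The job also declares no `permissions:` and checks out with default settings. Because it only reads the repository, a job-level `permissions:` with `contents: read`, plus `persist-credentials: false` under the checkout step's `with:`, would limit what the workflow token can do while that code runs. Separately, `pnpm/action-setup@v4` and the two `actions/*@v6` references are mutable tags; pinning them to full commit SHAs is worth considering, though the convention used by the jobs outside this hunk is not visible here.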
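Review bot: Adding `security` to the `needs` of `publish` makes a tag release depend on advisory data fetched at run time, and nothing in the workflow says whether that is intended. The same tagged commit can pass one day and fail the next, for example when a new advisory lands against a dev-only dependency. A comment above the line would record the intent, e.g. `# release is blocked on high/critical advisories; see the security job`. If only shipped code should block a release, consider `pnpm audit --prod --audit-level=high` for this gate. The `publish` job's `permissions:` block and steps continue outside the hunk, so they are not reviewed here.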