# Per ADR-0015 (CI/CD on Gitea Actions). Weekly full-tree security # scans plus a Lighthouse run against the production environment when # its URL is configured. Complements the per-PR ci.yml workflow with # broader / longer-running checks that don't fit the per-PR budget. name: Security and perf — scheduled on: schedule: # Mondays, 04:00 UTC — outside business hours; before the week starts. - cron: '0 4 * * 1' workflow_dispatch: jobs: full-tree-scan: runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm audit # Full-tree Trivy (no skip-dirs, no severity filter — the per-PR # gate filters by severity for speed; this run wants the full # surface for the security feed). - uses: aquasecurity/trivy-action@master with: scan-type: fs ignore-unfixed: true - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} lighthouse-prod: # Skipped silently if the prod URL hasn't been configured yet. if: vars.LHCI_PROD_URL != '' runs-on: [self-hosted, on-prem] steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v3 - uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'pnpm' - run: pnpm install --frozen-lockfile - run: pnpm exec lhci collect --url=${{ vars.LHCI_PROD_URL }} --numberOfRuns=3 - run: pnpm exec lhci assert --config=./lighthouserc.js - uses: actions/upload-artifact@v4 if: always() with: name: lighthouseci-prod-report path: .lighthouseci/ retention-days: 90