From c776b683f9741704d9dfaf2f867728d3ff174b8b Mon Sep 17 00:00:00 2001
From: "const.koutsakis@aurecongroup.com"
Date: Mon, 27 Apr 2026 02:52:58 +1000
Subject: [PATCH] chore: drop npm-audit job from security.yml until #21 lands frontend
---
 .github/branch-protection/develop.json | 1 -
 .github/branch-protection/main.json | 1 -
 .github/workflows/security.yml | 17 +----------------
 3 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/.github/branch-protection/develop.json b/.github/branch-protection/develop.json
index 414c27b..adc1fa1 100644
--- a/.github/branch-protection/develop.json
+++ b/.github/branch-protection/develop.json
@@ -13,7 +13,6 @@
 "Lint PR title (conventional commits)",
 "Secret scan (gitleaks)",
 "Python deps (pip-audit)",
- "Frontend deps (npm audit)",
 "Container image scan (trivy)"
 ]
 },
diff --git a/.github/branch-protection/main.json b/.github/branch-protection/main.json
index f43a6d3..8324bcb 100644
--- a/.github/branch-protection/main.json
+++ b/.github/branch-protection/main.json
@@ -13,7 +13,6 @@
 "Lint PR title (conventional commits)",
 "Secret scan (gitleaks)",
 "Python deps (pip-audit)",
- "Frontend deps (npm audit)",
 "Container image scan (trivy)"
 ]
 },
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5989ee5..b182298 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -67,22 +67,7 @@ jobs:
 --vulnerability-service osv \
 $IGNORES
- npm-audit:
- name: Frontend deps (npm audit)
- runs-on: ubuntu-latest
- # Skips cleanly until #21 lands frontend/package.json.
- if: hashFiles('frontend/package-lock.json') != ''
- steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
- with:
- node-version: "24"
- cache: npm
- cache-dependency-path: frontend/package-lock.json
- - run: cd frontend && npm ci
- # --audit-level=high — fail only on high/critical; moderate/low noted
- # but not blocking.
- - run: cd frontend && npm audit --audit-level=high
+ # Frontend deps (npm audit) — added by ticket #21 alongside frontend/.
 trivy-image:
 name: Container image scan (trivy)
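Review bot: The placeholder comment left in place of the `npm-audit` job names only the workflow job, so whoever picks up #21 can restore the job and still leave `Frontend deps (npm audit)` out of the required checks that this commit also removes from `.github/branch-protection/develop.json` and `main.json`; the audit would then run without blocking merges. "added by ticket #21" also reads as if the job already exists. I would write it as `# TODO(#21): re-add the "Frontend deps (npm audit)" job with frontend/ and restore it as a required check in .github/branch-protection/{develop,main}.json.` and list both steps on the ticket so that reinstating the gate does not depend on someone noticing this comment.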