From 1fe5d9e21eab880ddca911a70893dc3dc56e09cb Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 1 Apr 2026 17:42:03 +0100
Subject: [PATCH 1/3] add npm audit
Signed-off-by: Barabanov, Alexander
---
 .github/workflows/npm-audit-fix.yml | 87 +++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 .github/workflows/npm-audit-fix.yml
diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml
new file mode 100644
index 0000000000..38850573dc
--- /dev/null
+++ b/.github/workflows/npm-audit-fix.yml
@@ -0,0 +1,87 @@
+name: NPM Audit Fix
+
+on:
+ schedule:
+ - cron: "0 3 2,16 * *"
+ workflow_dispatch:
+ inputs:
+ force_fix:
+ description: "Run npm audit fix --force (includes breaking changes)"
+ required: false
+ default: false
+ type: boolean
+permissions: {} # No permissions by default on workflow level
+
+jobs:
+ npm-audit-fix:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # to checkout code
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Set up Node.js
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ with:
+ node-version-file: application/ui/.nvmrc
+
+ - name: Install dependencies
+ working-directory: application/ui
+ run: npm ci
+
+ - name: Display audit report
+ working-directory: application/ui
+ continue-on-error: true
+ run: |
+ npm audit || true
+
+ - name: Run npm audit fix (safe mode)
+ if: ${{ github.event_name == 'schedule' || github.event.inputs.force_fix != 'true' }}
+ working-directory: application/ui
+ continue-on-error: true
+ run: npm audit fix --package-lock-only || echo "Some issues could not be auto-fixed"
+
+ - name: Run npm audit fix (force mode)
+ if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.force_fix == 'true' }}
+ working-directory: application/ui
+ continue-on-error: true
+ run: npm audit fix --force || true
+
+ - name: Check for changes
+ id: check-changes
+ working-directory: application/ui
+ run: |
+ if git diff --quiet package-lock.json package.json; then
+ echo "changed=false" >> $GITHUB_OUTPUT
+ else
+ echo "changed=true" >> $GITHUB_OUTPUT
+ fi
+
+ # GitHub App token is required to trigger other workflows (GITHUB_TOKEN cannot trigger workflows)
+ - name: Get token
+ if: steps.check-changes.outputs.changed == 'true'
+ id: get-github-app-token
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+ with:
+ app-id: ${{ secrets.RENOVATE_APP_ID }}
+ private-key: ${{ secrets.RENOVATE_APP_PEM }}
+
+ - name: Create PR if lockfile changed
+ if: steps.check-changes.outputs.changed == 'true'
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+ with:
+ token: ${{ steps.get-github-app-token.outputs.token }}
+ author: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
+ committer: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
+ commit-message: "fix(deps): npm audit fixes [security]"
+ title: "fix(deps): npm audit fixes [security]"
+ body: |
+ This PR was automatically created to update NPM dependencies with:
+ ${{ github.event.inputs.force_fix == 'true' && '`npm audit fix --force`' || '`npm audit fix --package-lock-only`' }}
+ branch: "npm-audit-fix-${{ github.run_id }}"
+ base: main
+ delete-branch: true
From b1d62aa556b2a9dad1d00eaa98b607460e328125 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 1 Apr 2026 17:42:39 +0100
Subject: [PATCH 2/3] remove vuln flag
Signed-off-by: Barabanov, Alexander
---
 .github/workflows/_reusable-security-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/_reusable-security-scan.yaml b/.github/workflows/_reusable-security-scan.yaml
index 9261a4c452..5baf07859f 100644
--- a/.github/workflows/_reusable-security-scan.yaml
+++ b/.github/workflows/_reusable-security-scan.yaml
@@ -126,7 +126,7 @@ jobs:
 scan_type: "fs"
 scan-scope: ${{ inputs.scan-scope }}
 severity: ${{ inputs.severity-level }}
- scanners: "vuln,secret,config"
+ scanners: "secret,config"
 format: "sarif"
 timeout: "15m"
 ignore_unfixed: "false"
From 8d100e7dee16120593168efd0589b8b47cdb4eb1 Mon Sep 17 00:00:00 2001
From: "Barabanov, Alexander"
Date: Wed, 1 Apr 2026 17:43:36 +0100
Subject: [PATCH 3/3] add lfs
Signed-off-by: Barabanov, Alexander
---
 .github/workflows/npm-audit-fix.yml | 1 +
 1 file changed, 1 insertion(+)
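Review bot: The `Install dependencies` step runs `npm ci` with lifecycle scripts enabled, and the force-mode step's `npm audit fix --force` installs the newly resolved packages the same way, so any dependency's install/postinstall hook runs on the runner before `Get token` mints the GitHub App token and before the PR is pushed; a compromised package could in principle alter the files or environment those later steps trust. Nothing in this job needs built artifacts, so pass `--ignore-scripts` on both: `run: npm ci --ignore-scripts` and `run: npm audit fix --force --ignore-scripts || true` (the `--package-lock-only` path already installs nothing). It would also help to extend the `# GitHub App token is required…` comment with a line such as `# keep this step after every npm step so no dependency code runs with the token present`, since that ordering is the property worth preserving if steps are later reordered.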
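Review bot: Dropping `vuln` from `scanners` removes Trivy's filesystem vulnerability scan from this reusable workflow for every caller, and neither the hunk nor the commit message gives a rationale; the `npm-audit-fix.yml` added in the previous patch only covers `application/ui`, runs twice a month and opens a PR rather than failing a scan, so it is not an equivalent control for any lockfiles or manifests that may exist elsewhere in the repository. If the goal is to avoid duplicate findings for the UI package, keeping `vuln` and excluding that path through Trivy's skip options would preserve coverage; otherwise record the decision inline, e.g. `scanners: "secret,config" # vuln scanning for application/ui is handled by npm-audit-fix.yml`. The enclosing job definition starts before and ends after the hunk.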
diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml
index 38850573dc..f3048b7222 100644
--- a/.github/workflows/npm-audit-fix.yml
+++ b/.github/workflows/npm-audit-fix.yml
@@ -22,6 +22,7 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
+ lfs: true
 persist-credentials: false
 - name: Set up Node.js
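Review bot: `lfs: true` is added without a stated reason, and nothing visible in this workflow references LFS-tracked content; it makes every run fetch the LFS objects for the checked-out ref in a job whose only work is `npm ci` under `application/ui`. If a path there genuinely needs it, a comment such as `lfs: true # <paths> under application/ui are LFS-tracked and required by npm ci` would record that for the next reader; if not, dropping it keeps the checkout, and the data pulled with checkout-time credentials, minimal. The enclosing steps list starts before and ends after the hunk.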