v6.2 (#301)

improved deployment flow

Author: RubenHalman

.github/workflows/publish.yml

@@ -29,15 +29,4 @@ jobs:
       - run: npm ci
       - run: npm run build
 
-      # === SNYK integration ===
-      - name: Install Snyk
-        run: npm install -g snyk
-
-      - name: Auth Snyk
-        run: snyk auth ${{ secrets.SNYK_TOKEN }}
-
-      - name: Snyk Test (fail on high/critical)
-        run: snyk test --severity-threshold=high
-
-      # === Publish (only runs if Snyk passes) ===
       - run: cd out && npm publish --access public --provenance

.github/workflows/snyk-pr.yml

@@ -0,0 +1,43 @@
+name: Snyk PR Check
+
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  pull-requests: write
+  security-events: write
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+
+      - name: Install deps
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
+        run: npm run build
+
+      # === SNYK integration ===
+      - name: Install Snyk
+        run: npm install -g snyk
+
+      - name: Auth Snyk
+        run: snyk auth ${{ secrets.SNYK_TOKEN }}
+
+      - name: Snyk Test (fail on high/critical)
+        run: snyk test --severity-threshold=high

README.md

@@ -289,7 +289,7 @@ _Get SARIF output including exact line numbers of violations._
 
 ## Installation
 
-`lightning-flow-scanner-core` is published to **npm** and **scanned with Snyk during release**.
+`lightning-flow-scanner-core` is [scanned with Snyk](https://github.com/Flow-Scanner/lightning-flow-scanner-core?tab=security-ov-file) prior to publication on **npm**.
 
 [![npm version](https://img.shields.io/npm/v/@flow-scanner/lightning-flow-scanner-core?label=npm)](https://www.npmjs.com/package/@flow-scanner/lightning-flow-scanner-core) [![Known Vulnerabilities](https://snyk.io/test/github/Flow-Scanner/lightning-flow-scanner-core/badge.svg)](https://snyk.io/test/github/Flow-Scanner/lightning-flow-scanner-core)
 

SECURITY.md

@@ -3,9 +3,10 @@
 ## Security Practices
 
 - Code is open-source and peer-reviewed by the community.
-- Vulnerabilities can be reported privately via GitHub security features.
-- Changes to the repository are scanned and reviewed before merging.
-- Tokenless Publishing with scoped npm packages and releases via GitHub Actions Trusted Publishing (OIDC).
+- Vulnerabilities can be reported privately via [GitHub security reporting](https://github.com/Flow-Scanner/lightning-flow-scanner-core/security).
+- All changes are **scanned with Snyk** and reviewed before merging.
+- Releases are published to npm using **GitHub Actions Trusted Publishing (OIDC)**.
+- Tags (`v*`) trigger automated `npm publish`, providing a full audit trail.
 
 ## Reporting a Vulnerability