ci: set up pnpm audio

Author: kantord

.github/actions/setup/action.yml

@@ -0,0 +1,19 @@
+name: Setup Node + pnpm
+description: Install pnpm, setup Node.js with pnpm cache, and install deps
+runs:
+  using: composite
+  steps:
+    - name: Setup pnpm
+      uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+      with:
+        version: 10.18.3
+
+    - name: Setup Node.js
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      with:
+        node-version: 20
+        cache: pnpm
+
+    - name: Install dependencies
+      shell: bash
+      run: pnpm install --frozen-lockfile

.github/workflows/npm-audit.yml

@@ -0,0 +1,24 @@
+name: Security Checks
+
+on:
+  push:
+    branches: ["**"]
+  pull_request:
+    branches: ["**"]
+
+permissions:
+  contents: read
+
+jobs:
+  pnpm-audit:
+    name: PNPM Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Run pnpm audit
+        run: pnpm audit --prod --audit-level=moderate

package.json

@@ -2,6 +2,7 @@
   "name": "toolhive-cloud-ui",
   "version": "0.1.0",
   "private": true,
+  "packageManager": "[email protected]",
   "scripts": {
     "dev": "next dev",
     "build": "next build",