From 4ed52717031a8886f02bd41e20245ac5c420aca9 Mon Sep 17 00:00:00 2001
From: cc <98377878+hicccc77@users.noreply.github.com>
Date: Thu, 2 Apr 2026 22:30:49 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E7=AE=A1=E7=90=86=E5=99=A8?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/security-scan.yml | 34 ++++++++++-------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 91687f1..e598698 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -2,9 +2,9 @@ name: Security Scan
 
 on:
   schedule:
-    - cron: '0 2 * * *'  # 每天 UTC 02:00（北京时间 10:00）
-  workflow_dispatch:     # 支持手动触发
-  pull_request:          # 监控 PR
+    - cron: '0 2 * * *'  # 每天 UTC 02:00
+  workflow_dispatch:     # 手动触发
+  pull_request:          # PR 时触发
     branches: [ main, dev ]
 
 permissions:
@@ -33,18 +33,14 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-
-      - name: Install pnpm
-        uses: pnpm/action-setup@v3
-        with:
-          version: 9
+          cache: 'npm' # 使用 npm 缓存加速
 
       - name: Install dependencies
-        run: pnpm install --frozen-lockfile --ignore-scripts
+        run: npm ci --ignore-scripts
 
       # 1. npm audit - 检查依赖漏洞
       - name: Dependency vulnerability audit
-        run: pnpm audit --audit-level=moderate
+        run: npm audit --audit-level=moderate
         continue-on-error: true
 
       # 2. CodeQL 静态分析
@@ -69,7 +65,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         continue-on-error: true
 
-  # 动态获取所有分支并扫描（排除已在 matrix 中的）
+  # 动态获取所有分支并扫描
   scan-all-branches:
     name: Scan additional branches
     runs-on: ubuntu-latest
@@ -79,19 +75,13 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: List all branches
-        id: branches
-        run: |
-          git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
-            echo "Branch: $branch"
-          done
-
-      - name: Run pnpm audit on all branches
+      - name: Run npm audit on all branches
         run: |
           git branch -r | grep -v HEAD | sed 's|origin/||' | tr -d ' ' | while read branch; do
             echo "===== Auditing branch: $branch ====="
             git checkout "$branch" 2>/dev/null || continue
-            pnpm install --frozen-lockfile --silent 2>/dev/null || npm install --silent 2>/dev/null || true
-            pnpm audit --audit-level=moderate 2>/dev/null || true
+            # 尝试安装并审计
+            npm ci --ignore-scripts --silent 2>/dev/null || npm install --ignore-scripts --silent 2>/dev/null || true
+            npm audit --audit-level=moderate 2>/dev/null || true
           done
-        continue-on-error: true
+        continue-on-error: true
\ No newline at end of file