From 480ec67a4846bead54036ab74d1c4c33b7b497eb Mon Sep 17 00:00:00 2001
From: Danijel Martinek
Date: Thu, 14 May 2026 17:53:40 +0000
Subject: [PATCH] ci(security): add pnpm audit signatures step to validate job

Catches tampered package signatures (compromised maintainer supply-chain attack) before they reach CI artifacts.
---
.github/workflows/ci.yml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 61c2774..31512a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,6 +51,8 @@ jobs:
node-version: 22 cache: pnpm - run: pnpm install --frozen-lockfile + - name: Audit package signatures + run: pnpm audit signatures --audit-level=high - name: Socket supply-chain scan if: github.event_name == 'pull_request' run: |
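Review bot: `--audit-level=high` on the new "Audit package signatures" step is the advisory-severity threshold of `pnpm audit` and has no defined meaning for signature verification; if pnpm treats this invocation as an ordinary vulnerability audit (the `signatures` subcommand is an npm feature, and I cannot confirm from the diff that this pnpm version implements it), the step never checks a signature and passes whenever no advisory at or above "high" is reported. Verify on a branch that the step actually fails for a package without a valid registry signature rather than succeeding as a no-op, and drop the severity flag so the intent is unambiguous: `run: pnpm audit signatures`. The check also runs only after `pnpm install --frozen-lockfile` has unpacked the packages and, unless this repository's pnpm configuration blocks dependency lifecycle scripts, already executed their install hooks, so a tampered postinstall runs before it is verified; `run: pnpm install --frozen-lockfile --ignore-scripts` on the preceding step (rebuilding afterwards only if a dependency genuinely needs it) closes that window. Note too that a registry signature attests that the registry served the bytes that were published, so a maintainer whose credentials are stolen still ships a validly signed release; the "compromised maintainer" claim in the commit message only holds with provenance attestations bound to a trusted build, which this step does not require.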