fix: align deno.json audit task with CI invocation #1142

Merged
stack72 merged 1 commit into main from fix/audit-task-allow-env
Apr 8, 2026

Conversation

@stack72 (Contributor) commented Apr 8, 2026

Summary

The `deno run audit` task in `deno.json` has been silently broken since PR #484: it lacks `--allow-env=GITHUB_STEP_SUMMARY` and `--allow-write`, but `scripts/audit_deps.ts:245` calls `Deno.env.get("GITHUB_STEP_SUMMARY")` and `writeGitHubSummary()` later writes that file. The task crashes with `NotCapable` after every successful scan, returning a non-zero exit code locally.

CI never noticed because .github/workflows/ci.yml:96 invoked scripts/audit_deps.ts directly with the correct flags, bypassing the task entirely.

This PR:

  • Adds --allow-env=GITHUB_STEP_SUMMARY and --allow-write to the audit task in deno.json so it matches CI's flag set byte-for-byte. The script's writeGitHubSummary early-returns when GITHUB_STEP_SUMMARY is unset, so the local dev experience is unchanged — the grant only matters in CI where the var is set.
  • Drops && deno outdated from the task. CI's vuln-scan invocation never included it, and CI runs deno outdated as its own failure-tolerant step (ci.yml:98-106) with || true warning semantics that would be lost if folded into the task's && chain. That separate CI step is left intact. In practice no developer ever saw deno outdated run via deno run audit because the task always crashed first.
  • Routes CI's "Scan for known vulnerabilities" step through deno task audit so the deno.json task is the single source of truth. This eliminates the silent drift that hid this bug for ~30 PRs and matches the existing deno task check/deno task test/deno task compile pattern used elsewhere in ci.yml.

Notes

  • Not a regression. Git history (scripts/audit_deps.ts, deno.json:15) shows the task body has been unchanged since 017139c4 (PR feat: add dependency auditing CI gate with OSV-Scanner #484), introduced together with the script that requires the env access. The task never worked locally; the bug was masked by CI bypassing it.
  • The unbounded --allow-write grant on the local task is a deliberate trade-off for CI parity. Locally, GITHUB_STEP_SUMMARY is never set, so writeGitHubSummary() returns at audit_deps.ts:246 before any write — the grant covers an unreachable code path.
  • Resolves swamp-club lab issue Block PR Merges on Review Failings #27.

Test plan

  • `deno run audit` from the repo root — exits 0, "No known vulnerabilities found"
  • `deno fmt --check` — clean
  • `deno check` — clean (1117 files)
  • `deno lint` — clean (1011 files)
  • CI deps-audit job passes (validates step 2 — deno task audit produces the same output as the previous inline command, since they're byte-for-byte the same command line)

🤖 Generated with Claude Code

The audit task was missing --allow-env=GITHUB_STEP_SUMMARY and
--allow-write, causing it to crash in writeGitHubSummary() with
NotCapable since PR #484. CI worked around the broken task by
invoking scripts/audit_deps.ts inline with the right flags, which
hid the bug from anyone not running the task locally.

Add the missing flags to match CI's flag set, drop `&& deno outdated`
from the task (CI runs deno outdated as a separate failure-tolerant
step at ci.yml:98-106 which is unchanged), and route CI's vuln-scan
step through `deno task audit` so the deno.json task is the single
source of truth and the silent drift can't recur.

Resolves swamp-club lab issue #27.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
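The root cause above is flag drift between a `deno.json` task and the CI `run:` line that was supposed to be equivalent to it. The following is an added example (not code from this PR or from the project) of a small drift check a repo could run in CI: it parses the permission grants of a `deno run` command line, compares the task against the workflow step, and lists unscoped grants such as the unbounded `--allow-write` the PR notes as a deliberate trade-off. Assumptions: the pre-fix task body (`--allow-read --allow-net=api.osv.dev ... && deno outdated`) is reconstructed from the description, not copied from the repo; the post-fix flag set is the one quoted in the security review; the step names and YAML excerpt are constructed.

```typescript
// Added example: detect permission-flag drift between a deno.json task and a CI step.
// Not project code; inputs below are constructed for the demonstration.

type Drift = { missingInTask: string[]; extraInTask: string[] };

// Parse the permission grants of the first `deno run` segment of a command line.
// `--allow-env=A,B` yields "env:A" and "env:B"; a bare `--allow-write` yields
// "write:*" (unscoped); `-A` / `--allow-all` yields "all:*".
function denoGrants(cmdline: string): Set<string> {
  // Commands chained with && are separate processes; only the `deno run` one matters.
  const first = cmdline.split("&&")[0].trim();
  const toks = first.split(/\s+/);
  if (toks[0] !== "deno" || toks[1] !== "run") {
    throw new Error(`not a "deno run" command line: ${first}`);
  }
  const grants = new Set<string>();
  for (const tok of toks.slice(2)) {
    if (tok === "-A" || tok === "--allow-all") { grants.add("all:*"); continue; }
    const m = /^--allow-([a-z]+)(?:=(.+))?$/.exec(tok);
    if (!m) continue; // script path or a non-permission flag
    const kind = m[1];
    if (m[2] === undefined) grants.add(`${kind}:*`);
    else for (const v of m[2].split(",")) grants.add(`${kind}:${v}`);
  }
  return grants;
}

// True when `have` contains `g` or a broader grant that subsumes it.
function covers(have: Set<string>, g: string): boolean {
  const kind = g.split(":")[0];
  return have.has(g) || have.has(`${kind}:*`) || have.has("all:*");
}

// Grants CI relies on that the task lacks (the local NotCapable crash), and vice versa.
function grantDrift(taskCmd: string, ciCmd: string): Drift {
  const task = denoGrants(taskCmd);
  const ci = denoGrants(ciCmd);
  return {
    missingInTask: Array.from(ci).filter((g) => !covers(task, g)).sort(),
    extraInTask: Array.from(task).filter((g) => !covers(ci, g)).sort(),
  };
}

// Unscoped grants (e.g. "write:*") that deserve a second look in review.
function unscopedGrants(cmdline: string): string[] {
  return Array.from(denoGrants(cmdline)).filter((g) => g.endsWith(":*")).sort();
}

// Pull the single-line `run:` of a named step out of a workflow YAML excerpt.
// Line scanning is enough for this constructed input; use a YAML parser on real workflows.
function stepRunLine(workflowYaml: string, stepName: string): string {
  const lines = workflowYaml.split("\n").map((l) => l.trim());
  const start = lines.findIndex((l) => l === `- name: ${stepName}`);
  if (start < 0) throw new Error(`step not found: ${stepName}`);
  for (let i = start + 1; i < lines.length && !lines[i].startsWith("- name:"); i++) {
    if (lines[i].startsWith("run: ")) return lines[i].slice("run: ".length).trim();
  }
  throw new Error(`no run: line for step ${stepName}`);
}

// Constructed deno.json contents: the "before" body is an assumption; the "after"
// body carries the flag set quoted in the PR's security review.
const DENO_JSON_BEFORE = JSON.stringify({
  tasks: { audit: "deno run --allow-read --allow-net=api.osv.dev scripts/audit_deps.ts && deno outdated" },
});
const DENO_JSON_AFTER = JSON.stringify({
  tasks: { audit: "deno run --allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/audit_deps.ts" },
});

// Constructed CI excerpt in the shape of the inline invocation the PR replaces.
const CI_YML = `
    steps:
      - name: Scan for known vulnerabilities
        run: deno run --allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write scripts/audit_deps.ts
      - name: Check for outdated dependencies
        run: deno outdated || true
`;

function auditTask(denoJson: string): string {
  return JSON.parse(denoJson).tasks.audit as string;
}

function checkDrift(denoJson: string): Drift {
  return grantDrift(auditTask(denoJson), stepRunLine(CI_YML, "Scan for known vulnerabilities"));
}

console.log("before:", checkDrift(DENO_JSON_BEFORE)); // missingInTask: env:GITHUB_STEP_SUMMARY, write:*
console.log("after:", checkDrift(DENO_JSON_AFTER), "unscoped:", unscopedGrants(auditTask(DENO_JSON_AFTER)));
```

Run as a CI step, a non-empty `missingInTask` would have failed PR #484 instead of letting the task crash locally for ~30 PRs; `unscopedGrants` flags both `read:*` and `write:*` on the fixed task, which is the trade-off the Notes section calls out explicitly.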

@github-actions bot left a comment

CI Security Review

Critical / High

None.

Medium

None.

Low

None.

Verdict

PASS — Security-neutral change. The deps-audit job now routes through deno task audit instead of inlining the same command. The Deno permission flags (--allow-read --allow-net=api.osv.dev --allow-env=GITHUB_STEP_SUMMARY --allow-write) are byte-for-byte identical to what CI was already executing at line 96. No new actions, no trigger changes, no expression interpolation, no secret handling changes, no permission escalation. The deno.json task gains --allow-write (unbounded) and --allow-env=GITHUB_STEP_SUMMARY compared to its previous definition, but these match the existing CI flags and the write path is unreachable locally (the script early-returns when GITHUB_STEP_SUMMARY is unset).

@github-actions bot left a comment

Code Review

Blocking Issues

None.

Suggestions

None — this is a clean, minimal fix. The changes are correct and well-scoped:

  • The added --allow-env=GITHUB_STEP_SUMMARY and --allow-write flags match what audit_deps.ts actually requires (line 245: Deno.env.get("GITHUB_STEP_SUMMARY"), line 241: writeGitHubSummary writes that file) and align with the existing audit-actions task pattern.
  • Routing CI through deno task audit eliminates the silent drift that hid this bug.
  • Removing && deno outdated from the task is correct since CI already runs it as a separate failure-tolerant step with || true semantics.

@stack72 stack72 merged commit 5f22283 into main Apr 8, 2026
11 checks passed
@stack72 stack72 deleted the fix/audit-task-allow-env branch April 8, 2026 16:04