From d35f3b7c98849045db12a0e658c12215ef173a47 Mon Sep 17 00:00:00 2001 From: Clay Sheaff Date: Sat, 14 Feb 2026 12:14:02 -0800 Subject: [PATCH] Split security audit into weekly workflow Move pip-audit to its own workflow that runs weekly + on PRs, so the main CI (lint + unit tests) stays fast. Only lint and tests are required to merge. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/ci.yml | 25 ------------------------- .github/workflows/security.yml | 28 ++++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7810389..bbd754f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -36,28 +36,3 @@ jobs: - name: Run unit tests run: bats test/talktype.bats - - security: - name: Security - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Install pip-audit - run: pip install pip-audit - - - name: Audit whisper dependencies - run: | - python3 -m venv /tmp/audit-venv - /tmp/audit-venv/bin/pip install --upgrade pip - /tmp/audit-venv/bin/pip install faster-whisper - /tmp/audit-venv/bin/pip install pip-audit - /tmp/audit-venv/bin/pip-audit - - - name: Audit moonshine dependencies - run: | - python3 -m venv /tmp/audit-moonshine - /tmp/audit-moonshine/bin/pip install --upgrade pip - /tmp/audit-moonshine/bin/pip install transformers torch soundfile - /tmp/audit-moonshine/bin/pip install pip-audit - /tmp/audit-moonshine/bin/pip-audit diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..ba565eb --- /dev/null +++ b/.github/workflows/security.yml 
@@ -0,0 +1,28 @@
+name: Security
+
+on:
+ schedule:
+ - cron: '0 9 * * 1' # Every Monday at 9am UTC
+ pull_request:
+ branches: [main]
+
+jobs:
+ audit:
+ name: Dependency audit
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Audit whisper dependencies
+ run: |
+ python3 -m venv /tmp/audit-venv
+ /tmp/audit-venv/bin/pip install --upgrade pip
+ /tmp/audit-venv/bin/pip install faster-whisper pip-audit
+ /tmp/audit-venv/bin/pip-audit
+
+ - name: Audit moonshine dependencies
+ run: |
+ python3 -m venv /tmp/audit-moonshine
+ /tmp/audit-moonshine/bin/pip install --upgrade pip
+ /tmp/audit-moonshine/bin/pip install transformers torch soundfile pip-audit
+ /tmp/audit-moonshine/bin/pip-audit
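Review bot: The new workflow declares no `permissions:` block, so the `audit` job's GITHUB_TOKEN falls back to the repository default, which on the scheduled run may include write scopes. Both audit steps `pip install` unpinned packages from PyPI, and installing a source distribution runs its build code on the runner, so the token should be as narrow as possible: add a top-level `permissions:` mapping with `contents: read` after the `on:` block. Setting `persist-credentials: false` on the `actions/checkout@v4` step would also keep the token out of the checked-out git config while those installs run. Separately, the steps audit whatever versions PyPI resolves at run time rather than a pinned set, so a clean result covers only the latest releases; if that is intended, a comment such as `# audits latest PyPI releases, not a lockfile` above the first audit step would make it explicit.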