familienarchiv/.gitea
Marcel 5dc1bf6bfb feat(devops): add npm-audit job to nightly.yml (#818)
Separate parallel job (no `needs:`) so a deploy failure cannot mask the
audit signal and vice versa. Scans dev deps (no --omit=dev) — deliberately
broader than the PR gate; see ci-gitea.md §Nightly audit vs PR gate.

Key behaviours:
- Self-test the jq title-matcher before any API call (mirrors ci.yml guard pattern)
- Survives non-zero exit: set +e captures AUDIT_EXIT before dedupe runs
- Dedupes by MARKER in title (handles >1 open security issues from Renovate)
- Patches oldest match or opens new issue; closed prior → new issue (expected)
- JSON payload built entirely with jq — never string-concat advisory text
- NIGHTLY_AUDIT_TOKEN passed via step env: only, never inline, never under set -x
- Heartbeat on clean path (guards $GITHUB_STEP_SUMMARY availability — unproven)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-13 11:24:13 +02:00