feat: add audit stage
This MR adds an "audit" stage that runs alongside lint and test.
It is currently set to "allow_failure: true", so it won't stop the pipeline.
I would like to enforce it, but I noticed in my own project that it might be tricky to immediately fix every issue. Client-side vulnerabilities are also not easy to judge as to whether they can be exploited. E.g. I have a prototype pollution issue in react-page from a transitive dependency (https://github.com/react-page/react-page/issues/951), but I am not sure if it can be exploited.
Currently we focus on awareness, so allow_failure: true is OK for the moment; I hope that we can tighten it up later. Projects can also decide to set it to false, of course.
For node apps it uses yarn audit. That would also support different levels, so you could only block critical problems.
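For reference, this is what the stage described above could look like in a `.gitlab-ci.yml`, together with the per-project override that turns it from awareness-only into an enforced gate. It is an added illustration written by the editor, not the file from this MR; the image name, the `lint`/`test` job bodies and the `include:` path in the comment are assumptions.

```yaml
# Added example (not the MR's own file). Stage names follow the MR text:
# "audit" runs next to lint and test. The image and the lint/test job
# bodies are assumptions.
stages:
  - lint
  - test
  - audit

lint:
  stage: lint
  image: node:lts          # assumption: any image that ships yarn
  script:
    - yarn lint

test:
  stage: test
  image: node:lts
  script:
    - yarn test

audit:
  stage: audit
  image: node:lts
  script:
    # yarn 1.x: exits non-zero when any advisory is found; the exit code is a
    # bitmask of the severities seen (info=1, low=2, moderate=4, high=8, critical=16).
    - yarn audit
  # Awareness only: the job is shown as a warning and never blocks the pipeline.
  allow_failure: true

# A project that wants to enforce the stage overrides the job in its own
# .gitlab-ci.yml after including the shared template (path is an assumption):
#
#   include:
#     - project: 'group/ci-templates'
#       file: '/audit.yml'
#
#   audit:
#     allow_failure: false
#     script:
#       # --level limits the report to advisories at or above this severity.
#       # Whether it also masks the exit code depends on the yarn version, so
#       # check with the yarn pinned in the image before relying on it.
#       - yarn audit --level critical
```

Keeping `allow_failure: true` in the shared template and `false` in the project override matches the intent in the MR text: the template only raises awareness, and each project decides when it can afford to block on the result.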