feat: major project cleanup, udpate README.md, NekoCon General Availa… #11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/dependency-review.yml | |
| name: Dependency Review and Vulnerability Scan | |
| on: | |
| push: | |
| branches-ignore: | |
| - 'main' | |
| - 'staging' | |
| - 'dev' | |
| paths: | |
| - 'pyproject.toml' | |
| - 'setup.py' | |
| - 'setup.cfg' | |
| - '**/*requirements*.txt' | |
| - 'Pipfile' | |
| - 'Pipfile.lock' | |
| pull_request: | |
| branches: ['staging', 'dev'] | |
| paths: | |
| - 'pyproject.toml' | |
| - 'setup.py' | |
| - 'setup.cfg' | |
| - '**/*requirements*.txt' | |
| - 'Pipfile' | |
| - 'Pipfile.lock' | |
| workflow_dispatch: | |
| # Updated permissions to allow for code scanning alerts | |
| permissions: | |
| contents: read | |
| security-events: write | |
| # Cancel outdated workflow runs on the same branch/PR | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| dependency-review: | |
| name: Scan Dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Dependency Review | |
| # This action scans dependency manifest files for known vulnerabilities | |
| # using the GitHub Advisory Database and can check for license compliance. | |
| # See: https://github.com/actions/dependency-review-action | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| # The base branch for the pull request or the main branch for pushes | |
| base-ref: ${{ github.event.pull_request.base.sha || 'main' }} | |
| head-ref: ${{ github.sha }} | |
| # Scan for vulnerabilities reported in the GitHub Advisory Database | |
| vulnerability-check: true | |
| # Fail the workflow if any vulnerabilities with 'high' or 'critical' severity are found. | |
| # Allowed values: low, moderate, high, critical | |
| fail-on-severity: high | |
| codeql-analysis: | |
| name: CodeQL SAST Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: python | |
| # Optional: specify queries for additional security checks | |
| # queries: security-extended,security-and-quality | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:python" | |
| upload: true |