Dev

.github/workflows/ci-tests-coverage.yml

@@ -50,17 +50,39 @@ jobs:
             /p:ExcludeByFile="**/Migrations/*.cs%3b**/Areas/Identity/**/*.cs%3b**/*.g.cs%3b**/*.designer.cs"
       - name: Install ReportGenerator for HTML coverage
         if: always()
+<<<<<<< HEAD
+<<<<<<< HEAD
         run: |
           dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
           echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
+=======
+        run: dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
+>>>>>>> 800dd81 (Add k6 load testing suite and documentation)
+=======
+        run: |
+          dotnet tool install -g dotnet-reportgenerator-globaltool || dotnet tool update -g dotnet-reportgenerator-globaltool
+          echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
+>>>>>>> 348a276 (ci: format ReportGenerator installation and update commands for clarity)
 
       - name: Generate HTML coverage report
         if: always()
         run: |
           reportgenerator \
+<<<<<<< HEAD
+<<<<<<< HEAD
+            -reports:"TestResults/**/coverage.cobertura.xml" \
+            -targetdir:"TestResults/coverage-html" \
+            -reporttypes:"Html;HtmlSummary"
+=======
+            -reports:TestResults/**/coverage.cobertura.xml \
+            -targetdir:TestResults/coverage-html \
+            -reporttypes:Html;HtmlSummary
+>>>>>>> 800dd81 (Add k6 load testing suite and documentation)
+=======
             -reports:"TestResults/**/coverage.cobertura.xml" \
             -targetdir:"TestResults/coverage-html" \
             -reporttypes:"Html;HtmlSummary"
+>>>>>>> 348a276 (ci: format ReportGenerator installation and update commands for clarity)
 
 
       - name: Upload test results and coverage

.github/workflows/codeql-analysis.yml

@@ -17,8 +17,17 @@ permissions:
 jobs:
   analyze:
     name: Analyze C# Code
+<<<<<<< HEAD
+<<<<<<< HEAD
     # Removed: if: github.event.repository.private == false
     # That condition caused the job to be permanently skipped on private repos.
+=======
+    if: github.event.repository.private == false
+>>>>>>> aef5768 (ci: update security workflows to check for private repository status)
+=======
+    # Removed: if: github.event.repository.private == false
+    # That condition caused the job to be permanently skipped on private repos.
+>>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
     runs-on: ubuntu-latest
     timeout-minutes: 30
 
@@ -56,11 +65,25 @@ jobs:
         uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
         with:
           category: "/language:${{ matrix.language }}"
+<<<<<<< HEAD
+<<<<<<< HEAD
+=======
+>>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
           # FIX: Disable SARIF upload to GitHub's code-scanning API.
           # This repo is private without GitHub Advanced Security, so the upload
           # endpoint returns "Code scanning is not enabled" and fails the job.
           # The scan itself completes successfully — disabling upload lets the
           # job pass while preserving full analysis coverage.
           # To re-enable: remove this line and enable Code Scanning at
           # Settings → Code security → Code scanning (requires GHAS).
-          upload: false
+<<<<<<< HEAD
+          upload: false
+=======
+          # upload: false is NOT set — we attempt upload normally.
+          # On private repos without GHAS the upload will warn but the job still passes
+          # because the action only hard-errors when security-events write is explicitly denied.
+        continue-on-error: false
+>>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
+=======
+          upload: false
+>>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)

.github/workflows/gitleaks.yml

@@ -32,8 +32,46 @@ jobs:
         uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+<<<<<<< HEAD
+<<<<<<< HEAD
           # GITLEAKS_CONFIG points to your custom rules file at repo root.
           GITLEAKS_CONFIG: .gitleaks.toml
+<<<<<<< HEAD
+          # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
+          # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
+          # (the default). The `with.args` parameter does not exist in this action
+          # and was silently ignored — that is why results.sarif was never written
+          # to disk, causing the upload step to fail with "file not found".
+          # Uploading SARIF to the code-scanning API also requires GitHub Advanced
+          # Security (GHAS), which is not available on private free-plan repos.
+          # We therefore disable the built-in artifact upload and instead capture
+          # the report ourselves below using actions/upload-artifact (no GHAS needed).
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
+=======
+        with:
+          args: detect --source=. --report-format sarif --report-path results.sarif
+>>>>>>> aef5768 (ci: update security workflows to check for private repository status)
+
+      - name: Upload Gitleaks report as workflow artifact
+        # Run even when gitleaks finds secrets (exit code 1) so the report is
+        # always available for review — but skip when the step was cancelled.
+        if: always() && steps.gitleaks.outcome != 'cancelled'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: gitleaks-report
+          # gitleaks-action v2 writes the SARIF to this fixed path
+          path: results.sarif
+          if-no-files-found: ignore
+=======
+          # Fix: In gitleaks-action v2, report format/path are controlled via
+          # GITLEAKS_REPORT_FORMAT and GITLEAKS_REPORT_PATH env vars, NOT via
+          # the `with.args` parameter (which is ignored by this action version).
+          GITLEAKS_REPORT_FORMAT: sarif
+          GITLEAKS_REPORT_PATH: results.sarif
+=======
+          # GITLEAKS_CONFIG points to your custom rules file at repo root.
+>>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)
+          GITLEAKS_CONFIG: .gitleaks.toml
           # FIX: gitleaks-action v2 auto-generates a SARIF file internally and
           # handles its own artifact upload when GITLEAKS_ENABLE_UPLOAD_ARTIFACT=true
           # (the default). The `with.args` parameter does not exist in this action
@@ -51,7 +89,13 @@ jobs:
         if: always() && steps.gitleaks.outcome != 'cancelled'
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
+<<<<<<< HEAD
+          sarif_file: results.sarif
+        continue-on-error: true
+>>>>>>> e20a634 (ci: update workflows to remove private repository condition for security scans)
+=======
           name: gitleaks-report
           # gitleaks-action v2 writes the SARIF to this fixed path
           path: results.sarif
-          if-no-files-found: ignore
+          if-no-files-found: ignore
+>>>>>>> a7cca78 (ci: update CodeQL and Gitleaks workflows to improve handling of private repositories and artifact uploads)

.github/workflows/security-scans.yml

@@ -12,12 +12,41 @@ permissions:
   contents: read
 
 jobs:
+<<<<<<< HEAD
+<<<<<<< HEAD
+=======
+>>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
   # NOTE: actions/dependency-review-action has been intentionally removed.
   # It hard-requires GitHub Advanced Security (GHAS) on private repositories —
   # the Dependency Graph being enabled is necessary but not sufficient.
   # GHAS is only available on GitHub Enterprise plans.
   # Equivalent coverage is provided by dotnet-vulnerability-scan below,
   # which uses `dotnet list --vulnerable` and needs no special GitHub features.
+<<<<<<< HEAD
+=======
+  dependency-review:
+    name: Dependency Review
+    # Fix: Removed `github.event.repository.private == false` — that condition
+    # permanently skips this job on private repos.
+    #
+    # Dependency Review requires the Dependency Graph to be enabled in your
+    # repository settings (Settings → Code security → Dependency graph).
+    # It does NOT require GitHub Advanced Security on private repos —
+    # the Dependency Graph feature is available on all GitHub plans.
+    # Enable it at: https://github.com/Som3a99/company-management-system/settings/security_analysis
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Dependency Review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          fail-on-severity: moderate
+>>>>>>> aef5768 (ci: update security workflows to check for private repository status)
+=======
+>>>>>>> 319cdfb (ci: remove dependency review job to enhance compatibility with private repositories)
 
   dotnet-vulnerability-scan:
     name: .NET Vulnerability Audit