Merged
Changes from 2 commits
35 changes: 35 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,35 @@
name: CodeQL

on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '27 4 * * 1' # Mondays 04:27 UTC

permissions:
contents: read

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: javascript-typescript
queries: security-extended

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
with:
category: '/language:javascript-typescript'
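Review bot: every `uses:` in this hunk floats on a mutable major tag (`actions/checkout@v6`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so an upstream tag move would run unreviewed code inside a job that holds `security-events: write`. For a scanning workflow, pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: github/codeql-action/init@<commit-sha> # v3`, so Dependabot can still propose bumps while the executed code stays fixed.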
70 changes: 70 additions & 0 deletions .github/workflows/security.yml
@@ -0,0 +1,70 @@
name: Security

on:
push:
branches: [main]
pull_request:

permissions:
contents: read

jobs:
# Flags a PR that introduces a dependency with a high+ advisory.
# Delta-based: gates NEW risk without tripping on pre-existing debt.
#
# NON-BLOCKING for now: this repo has the GitHub Dependency graph disabled,
# so the action cannot run yet. An admin must enable it under
# Settings → Code security → Dependency graph. Once enabled, remove
# `continue-on-error` below to turn this into a real gate.
dependency-review:
name: Dependency Review
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Dependency review
uses: actions/dependency-review-action@v4
continue-on-error: true

Contributor
nit: making dependency-review continue-on-error with the in-code TODO correctly resolves the prior red-check bug (this Security workflow failed on 2266395, passes on a25b53e) — nicely documented in the surrounding comment. Minor follow-up gap: the PR description's Follow-ups list still omits enabling the repo Dependency graph (Settings → Code security), which is the prerequisite to flip continue-on-error off later. It's captured in the workflow comment (good) but not alongside secret-scanning + branch-protection in the description's tracking list.

with:
fail-on-severity: high

# Scans the diff for committed secrets. TruffleHog is used instead of
# gitleaks-action, which requires a paid licence for organisation accounts.
secret-scan:
name: Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0

- name: TruffleHog
uses: trufflesecurity/trufflehog@main

Contributor
style: trufflesecurity/trufflehog is pinned to the mutable @main ref. In a security-hardening PR this is itself a supply-chain risk — unreviewed upstream changes would execute in CI with checkout access to the repo. Pin to a release tag or commit SHA, consistent with every other action in these two workflows (checkout@v6, dependency-review-action@v4, setup-node@v6, codeql-action/init+analyze@v3).

with:
extra_args: --results=verified,unknown

# Full-tree audit. Intentionally NON-BLOCKING for now: the tree currently
# has a pre-existing dev-only high advisory (vite/esbuild dev server).
# Flip `continue-on-error` off once the tree is clean.
npm-audit:
name: npm audit (advisory)
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6

- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: 24
cache: npm

- name: Install dependencies
run: npm ci

- name: Audit
run: npm audit --audit-level=high
continue-on-error: true
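Review bot: the `npm-audit` job runs `npm ci` before `npm audit`, which executes every dependency's install lifecycle scripts in CI even though the job only needs the lockfile to produce an advisory report; use `npm ci --ignore-scripts` (or skip the install, since `npm audit` on npm 7+ resolves the tree from `package-lock.json`) so an audit-only job cannot be turned into a place where third-party install scripts run. Also note that with `continue-on-error: true` on both the dependency-review step and the audit step, `fail-on-severity: high` and `--audit-level=high` cannot turn the check red; that matches the intent in the surrounding comments, but worth stating in the PR description so the two flags are tracked as real follow-ups.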