seedcase-project · lwjohnst86 · Dec 8, 2025 · Dec 8, 2025
@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    commit-message:
+      prefix: ci
+      include: scope
@@ -11,12 +11,14 @@ on:
       - reopened
       - opened
 
-permissions:
-  pull-requests: write
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
   add-to-project:
     uses: seedcase-project/.github/.github/workflows/reusable-add-to-project.yml@main
+    permissions:
+      pull-requests: write
     with:
       app-id: ${{ vars.ADD_TO_BOARD_APP_ID }}
       board-number: 18

@@ -1,11 +1,16 @@
-name: Build and deploy website
+name: Build website
 
 on:
   push:
-    branches: main
+    branches:
+      - main
+
+# Limit token permissions for security
+permissions: read-all
 
 jobs:
-  build-deploy-docs:
+  build-website:
     uses: seedcase-project/.github/.github/workflows/reusable-build-docs.yml@main
+
     secrets:
       netlify-token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
@@ -0,0 +1,17 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: "Security: Dependency Review"
+on: pull_request
+
+# Limit token permissions for security
+permissions: read-all
+
+jobs:
+  dependency-review:
+    uses: seedcase-project/.github/.github/workflows/reusable-dependency-review.yml@main