
chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 #149

chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0


Workflow file for this run

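# Security workflow: npm dependency audit plus Semgrep SAST with SARIF upload
# to the GitHub code-scanning tab. Runs on pushes and pull requests to main and
# on a weekly schedule, so newly published advisories surface without a commit.
name: Security
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly scan every Monday at 06:00 UTC
    - cron: "0 6 * * 1"

# Least privilege: the workflow token defaults to read-only; only the job that
# writes code-scanning results asks for security-events: write (see semgrep job).
permissions:
  contents: read

jobs:
  npm-audit:
    name: Dependency audit
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout only; npm audit needs no write scope
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "20"
          cache: "npm"
      - name: Install dependencies from lockfile
        run: npm ci
      # continue-on-error keeps the job green even when high-severity advisories
      # hit production dependencies, so this step reports but does not gate.
      - name: Audit production dependencies
        run: npm audit --omit=dev --audit-level=high
        continue-on-error: true
      # NOTE(review): named "informational", yet this is the only audit step without
      # continue-on-error, so a critical advisory in any dependency (dev included) is
      # what actually fails the job — confirm this is the intended gate.
      - name: Audit all dependencies (informational)
        run: npm audit --audit-level=critical

  semgrep:
    name: Semgrep SAST
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by the upload-sarif step below
    container:
      # TODO(review): floating tag. The actions in this file are pinned by commit
      # SHA; pin this image to a version tag or digest for the same guarantee.
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # --error makes semgrep exit non-zero on ERROR-severity findings; the
      # continue-on-error on this step swallows that so the SARIF upload still runs.
      # It also masks a scan crash (no SARIF written), which the upload step then
      # fails on silently because it is continue-on-error as well.
      - name: Run Semgrep
        run: |
          semgrep scan \
            --config auto \
            --config p/javascript \
            --config p/typescript \
            --config p/nodejs \
            --config p/owasp-top-ten \
            --config p/sql-injection \
            --config p/xss \
            --error \
            --severity ERROR \
            --exclude "v0-prototype" \
            --exclude "node_modules" \
            --exclude "dist" \
            --exclude "*.test.ts" \
            --exclude "*.spec.ts" \
            --sarif --output semgrep-results.sarif \
            .
        env:
          # Presumably empty on pull requests from forks (secrets are not exposed
          # there); the scan still runs with the public rulesets listed above.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
        continue-on-error: true
      # if: always() uploads whatever SARIF exists even when the scan step reported
      # findings; results land in the Security tab rather than failing the run.
      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
        if: always()
        with:
          sarif_file: semgrep-results.sarif
        continue-on-error: true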