Security #735
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| # Weekly scheduled scan (Monday 3am UTC) | |
| schedule: | |
| - cron: '0 3 * * 1' | |
| # Only on PRs (not every push) | |
| pull_request: | |
| branches: [main] | |
| paths: | |
| - 'apps/**/*.{ts,tsx,js,jsx}' | |
| - 'packages/**/*.{ts,tsx,js,jsx}' | |
| - 'package.json' | |
| - 'pnpm-lock.yaml' | |
| - '.github/workflows/security.yml' | |
| # Manual trigger | |
| workflow_dispatch: | |
| env: | |
| PNPM_VERSION: 10.23.0 | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| # Lightweight secret scanning (fast, always runs on PRs) | |
| secrets: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 3 | |
| if: github.event_name != 'schedule' | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 1 }} | |
| - name: Check for hardcoded secrets | |
| uses: trufflesecurity/trufflehog@v3.91.1 | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| head: HEAD | |
| extra_args: --only-verified --exclude-paths=.github/trufflehog-exclude.txt | |
| continue-on-error: true | |
| # CodeQL (only on schedule, not blocking) | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 6 | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-extended | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v4 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| continue-on-error: true | |
| # Dependency review (only on PRs with dependency changes) | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 3 | |
| if: github.event_name == 'pull_request' | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v4 | |
| with: | |
| fail-on-severity: critical | |
| vulnerability-check: true | |
| license-check: false | |
| comment-summary-in-pr: always | |
| warn-only: true |