ci: add security

Author: mnrendra

.github/workflows/release.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
           token: ${{ secrets.TOKEN }}
 
       - name: Import GPG

.github/workflows/security.yml

@@ -0,0 +1,61 @@
+name: Security
+
+on:
+  push:
+    branches-ignore:
+      - '[0-9].[0-9].x'
+      - '[0-9].x.x'
+      - '[0-9].x'
+      - main
+      - next
+      - rc
+      - beta
+      - alpha
+
+jobs:
+  security:
+    name: Security
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript, typescript]
+    steps:
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          token: ${{ secrets.TOKEN }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Analyze CodeQL
+        uses: github/codeql-action/analyze@v3
+
+      - name: Analyze OSSF Scorecard
+        uses: ossf/scorecard-action@v2
+        with:
+          results_file: ossf_scorecard.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.TOKEN }}
+          publish_results: true
+
+      - name: Upload to GitHub Actions Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: OSSF Scorecard
+          path: ossf_scorecard.sarif
+
+      - name: Upload to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ossf_scorecard.sarif

.github/workflows/test.yml

@@ -22,6 +22,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 2 # At least fetch the last two commits for comparison
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@v4