Updated workflows, security info, README

SergiiShcherbak · SergiiShcherbak · commit 04da16632a1b · 2025-04-07T03:54:58.000+02:00
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -2,6 +2,7 @@
 
 This directory contains GitHub Actions workflow configurations for continuous integration (CI) of the ContextGem project.
 
+
 ## Available Workflows
 
 ### tests (`ci-tests.yml`)
@@ -22,6 +23,33 @@ This directory contains GitHub Actions workflow configurations for continuous in
     - `CONTEXTGEM_OPENAI_API_KEY`: Secret OpenAI API key
     - `GIST_SECRET`: Secret token to upload coverage results to a gist for badge generation
 
+### CodeQL Analysis (`codeql.yml`)
+
+This workflow performs code security scanning using GitHub's CodeQL analysis engine.
+
+**Features:**
+- Scans Python codebase for security vulnerabilities and coding errors
+- Analyzes code quality and identifies potential issues
+- Results are available in the Security tab of the repository
+
+**Trigger:**
+- Automatically runs on push and pull request events on the main and dev branches
+- Scheduled to run weekly
+- Can be triggered manually through the GitHub Actions UI
+
+### Documentation Build (`docs.yml`)
+
+This workflow builds and deploys the project documentation to GitHub Pages.
+
+**Features:**
+- Builds documentation using Sphinx
+- Deploys documentation to GitHub Pages when merged to main
+- Creates preview builds on pull requests
+
+**Trigger:**
+- Automatically runs on push and pull request events on the main branch
+- Can be triggered manually through the GitHub Actions UI
+
 ### Check Contributor Agreement (`contributor-agreement-check.yml`)
 
 This workflow ensures all contributors have signed the Contributor Agreement by checking for properly filled agreement files.
@@ -35,7 +63,10 @@ This workflow ensures all contributors have signed the Contributor Agreement by
 **Trigger:**
 - Automatically runs on all pull request events (opened, synchronized, reopened)
 
+
 ## Running Workflows
 
 - **tests:** These run automatically on push/PR to the main branch
+- **CodeQL Analysis:** Runs automatically on push/PR to main/dev, weekly, and manually
+- **Documentation Build:** Runs automatically on push/PR to main and manually
 - **Check Contributor Agreement:** Runs automatically on all PRs
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches: [ main, dev ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, dev ]
   workflow_dispatch:
 
 jobs:
@@ -92,6 +92,7 @@ jobs:
   update-badge:
     needs: tests-with-vcr
     runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
     steps:
       - name: Download coverage artifact
         uses: actions/download-artifact@v4
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,7 +2,9 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ dev ]
+    branches: [ main, dev ]
+  pull_request:
+    branches: [ main, dev ]
   schedule:
     - cron: '0 0 * * 0'  # Run once per week at midnight on Sunday
   workflow_dispatch:
diff --git a/.github/workflows/contributor-agreement-check.yml b/.github/workflows/contributor-agreement-check.yml
@@ -12,13 +12,44 @@ jobs:
   check-contributor-agreement:
     runs-on: ubuntu-latest
     steps:
+      - name: Check if user is a maintainer
+        id: check-maintainer
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { owner, repo } = context.repo;
+            const username = context.payload.pull_request.user.login;
+            
+            try {
+              const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner,
+                repo,
+                username,
+              });
+              
+              // Skip check for users with admin or write permissions
+              if (['admin', 'write'].includes(permission.permission)) {
+                console.log(`User ${username} is a maintainer with ${permission.permission} permissions. Skipping check.`);
+                return true;
+              }
+              
+              console.log(`User ${username} has ${permission.permission} permissions. Continuing with check.`);
+              return false;
+            } catch (error) {
+              console.log(`Error checking permissions: ${error}`);
+              return false;
+            }
+
       - name: Checkout code
+        if: steps.check-maintainer.outputs.result != 'true'
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
 
       - name: Check for contributor agreement
+        if: steps.check-maintainer.outputs.result != 'true'
         id: check-agreement
         run: |
           # Get the PR author's username
@@ -50,6 +81,7 @@ jobs:
           fi
 
       - name: Check for deleted contributor agreements
+        if: steps.check-maintainer.outputs.result != 'true'
         id: check-deleted
         run: |
           # Set proper base ref
@@ -68,8 +100,8 @@ jobs:
           fi
 
       - name: Comment on PR if checks fail
-        if: ${{ failure() }}
-        uses: actions/github-script@v6
+        if: ${{ failure() && steps.check-maintainer.outputs.result != 'true' }}
+        uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@
 [![License](https://img.shields.io/badge/License-Apache_2.0-bright.svg)](https://opensource.org/licenses/Apache-2.0)
 ![PyPI](https://img.shields.io/pypi/v/contextgem)
 [![Python Versions](https://img.shields.io/badge/python-3.10%20%7C%203.11%20%7C%203.12%20%7C%203.13-blue)](https://www.python.org/downloads/)
+[![Code Security](https://github.com/shcherbak-ai/contextgem/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/shcherbak-ai/contextgem/actions/workflows/codeql.yml)
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 [![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat)](https://pycqa.github.io/isort/)
 [![Pydantic v2](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/pydantic/pydantic/main/docs/badge/v2.json)](https://pydantic.dev)
@@ -297,6 +298,13 @@ ContextGem is at an early stage. Our development roadmap includes:
 We are committed to making ContextGem the most effective tool for extracting structured information from documents.
 
 
+## 🔐 Security
+
+This project is automatically scanned for security vulnerabilities using [CodeQL](https://codeql.github.com/). We also use [Snyk](https://snyk.io) as needed for supplementary dependency checks.
+
+See [SECURITY](https://github.com/shcherbak-ai/contextgem/blob/main/SECURITY.md) file for details.
+
+
 ## 📄 License & Contact
 
 This project is licensed under the Apache 2.0 License - see the [LICENSE](https://github.com/shcherbak-ai/contextgem/blob/main/LICENSE) and [NOTICE](https://github.com/shcherbak-ai/contextgem/blob/main/NOTICE) files for details.
diff --git a/SECURITY.md b/SECURITY.md
@@ -8,12 +8,9 @@ We maintain security practices for the latest release of this library. Older ver
 
 ## Security Testing
 
-This project is regularly tested for security issues using both:
+This project is automatically tested for security issues using [CodeQL](https://codeql.github.com/) static analysis (run via GitHub Actions).
 
-- [CodeQL](https://codeql.github.com/) static analysis (run via GitHub Actions)
-- [Snyk](https://snyk.io) for continuous dependency vulnerability monitoring
-
-All known transitive vulnerabilities have been manually triaged and either resolved or confirmed to be non-applicable based on how the library is used. See the repository's issue tracker or changelog for relevant audit notes when applicable.
+We also use [Snyk](https://snyk.io) as needed for supplementary dependency vulnerability monitoring.
 
 
 ## Data Privacy
diff --git a/dev/readme.template.md b/dev/readme.template.md
@@ -9,6 +9,7 @@
 [![License](https://img.shields.io/badge/License-Apache_2.0-bright.svg)](https://opensource.org/licenses/Apache-2.0)
 ![PyPI](https://img.shields.io/pypi/v/contextgem)
 [![Python Versions](https://img.shields.io/badge/python-3.10%20%7C%203.11%20%7C%203.12%20%7C%203.13-blue)](https://www.python.org/downloads/)
+[![Code Security](https://github.com/shcherbak-ai/contextgem/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/shcherbak-ai/contextgem/actions/workflows/codeql.yml)
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 [![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat)](https://pycqa.github.io/isort/)
 [![Pydantic v2](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/pydantic/pydantic/main/docs/badge/v2.json)](https://pydantic.dev)
@@ -126,6 +127,13 @@ ContextGem is at an early stage. Our development roadmap includes:
 We are committed to making ContextGem the most effective tool for extracting structured information from documents.
 
 
+## 🔐 Security
+
+This project is automatically scanned for security vulnerabilities using [CodeQL](https://codeql.github.com/). We also use [Snyk](https://snyk.io) as needed for supplementary dependency checks.
+
+See [SECURITY](https://github.com/shcherbak-ai/contextgem/blob/main/SECURITY.md) file for details.
+
+
 ## 📄 License & Contact
 
 This project is licensed under the Apache 2.0 License - see the [LICENSE](https://github.com/shcherbak-ai/contextgem/blob/main/LICENSE) and [NOTICE](https://github.com/shcherbak-ai/contextgem/blob/main/NOTICE) files for details.
