Fix dependabot approval error and add deployment guards for non-app changes (#34)

* Initial plan

* Fix PR approval error and add deploy check for non-app changes

Co-authored-by: PhantomDave <34485699+PhantomDave@users.noreply.github.com>

* Add CodeQL configuration for security scanning

Co-authored-by: PhantomDave <34485699+PhantomDave@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: PhantomDave <34485699+PhantomDave@users.noreply.github.com>

Author: Copilot

.github/codeql/codeql-config.yml

@@ -0,0 +1,32 @@
+name: "BankTracker CodeQL Config"
+
+# Disable default queries and use security-extended query suite for comprehensive security scanning
+disable-default-queries: false
+
+queries:
+  - uses: security-extended
+  - uses: security-and-quality
+
+# Paths to exclude from analysis
+paths-ignore:
+  - '**/node_modules/**'
+  - '**/dist/**'
+  - '**/build/**'
+  - '**/bin/**'
+  - '**/obj/**'
+  - '**/*.Designer.cs'
+  - '**/Migrations/**'
+  - '**/wwwroot/lib/**'
+  - 'frontend/src/generated/**'
+  - '**/*.min.js'
+  - '**/*.min.css'
+  - '**/package-lock.json'
+  - '**/yarn.lock'
+  - '**/pnpm-lock.yaml'
+
+# Paths to include for analysis
+paths:
+  - 'PhantomDave.BankTracking.Api/**'
+  - 'PhantomDave.BankTracking.Data/**'
+  - 'PhantomDave.BankTracking.Library/**'
+  - 'frontend/src/**'

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,64 @@
+name: "CodeQL Analysis"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Run CodeQL analysis at 2 AM UTC every day
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: csharp
+            build-mode: manual
+          - language: javascript-typescript
+            build-mode: none
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Setup .NET
+        if: matrix.language == 'csharp'
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '9.0.x'
+
+      - name: Restore dependencies
+        if: matrix.language == 'csharp'
+        run: dotnet restore PhantomDave.BankTracking.sln
+
+      - name: Build .NET solution
+        if: matrix.language == 'csharp'
+        run: dotnet build PhantomDave.BankTracking.sln --configuration Release --no-restore
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependabot-auto-merge.yml

@@ -1,4 +1,4 @@
-name: Dependabot Auto-Approve and Auto-Merge
+name: Dependabot Auto-Merge
 
 on:
   pull_request_target:
@@ -10,7 +10,7 @@ permissions:
 
 jobs:
   dependabot:
-    name: Auto-approve and enable auto-merge
+    name: Enable auto-merge for Dependabot
     runs-on: ubuntu-latest
     # Only run for Dependabot PRs
     if: github.actor == 'dependabot[bot]'
@@ -21,12 +21,6 @@ jobs:
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Approve PR
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Enable auto-merge for Dependabot PRs
         run: gh pr merge --auto --squash "$PR_URL"
         env:

.github/workflows/deploy-tailscale.yml

@@ -19,6 +19,7 @@ jobs:
     outputs:
       backend: ${{ steps.filter.outputs.backend }}
       frontend: ${{ steps.filter.outputs.frontend }}
+      has_app_changes: ${{ steps.filter.outputs.backend == 'true' || steps.filter.outputs.frontend == 'true' || steps.filter.outputs.compose == 'true' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -37,6 +38,9 @@ jobs:
             frontend:
               - 'frontend/**'
               - '.github/workflows/build-frontend-image.yml'
+            compose:
+              - 'compose.yaml'
+              - 'compose.local.yaml'
 
   wait-for-backend:
     name: Wait for Backend Image
@@ -77,6 +81,7 @@ jobs:
     if: |
       always() && !cancelled() && 
       !contains(needs.*.result, 'failure') &&
+      (needs.detect-changes.outputs.has_app_changes == 'true') &&
       (needs.wait-for-backend.result == 'success' || needs.wait-for-backend.result == 'skipped') &&
       (needs.wait-for-frontend.result == 'success' || needs.wait-for-frontend.result == 'skipped')
     permissions: