Security #104

	name: Security

	on:
	push:
	branches: [main]
	paths:
	- '**/pyproject.toml'
	- '**/Cargo.toml'
	- '**/Cargo.lock'

	schedule:
	# Run weekly security scans
	- cron: '0 2 * * 1'
	workflow_dispatch:

	jobs:
	security:
	name: Security Scan
	runs-on: ubuntu-latest
	# issues: write — rustsec/audit-check creates issues for new advisories.
	# checks: write — rustsec/audit-check posts check annotations.
	permissions:
	issues: write
	checks: write
	steps:
	- uses: actions/checkout@v5

	- name: Run Rust security audit
	uses: rustsec/audit-check@v2.0.0
	with:
	token: ${{ secrets.GITHUB_TOKEN }}

	- name: Install uv
	uses: astral-sh/setup-uv@v7
	with:
	version: "latest"

	- name: Set up Python
	run: uv python install 3.12

	- name: Install dependencies
	run: uv sync --dev

	- name: Run Python security scan
	run: \|
	uv add --dev safety
	uv run safety check --ignore 70612
	continue-on-error: true # Don't fail CI on security advisories, just report

	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	steps:
	- name: Checkout repository
	uses: actions/checkout@v5

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: python

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3

Provide feedback