Skip to content

Commit 30c4025

Browse files
kurtstohrerclaude
andcommitted
Add CodeQL, Dependabot, pnpm audit, and automated releases
- CodeQL: JS/TS static analysis on push, PRs, and weekly schedule - Dependabot: weekly npm + GitHub Actions dependency updates - pnpm audit: production dependency CVE check in CI - Release workflow: auto-creates GitHub release + tag on version bumps - Enabled secret scanning + push protection on the repo Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 47c8d73 commit 30c4025

4 files changed

Lines changed: 85 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: npm
4+
directory: /
5+
schedule:
6+
interval: weekly
7+
groups:
8+
minor-and-patch:
9+
update-types: [minor, patch]
10+
open-pull-requests-limit: 10
11+
12+
- package-ecosystem: github-actions
13+
directory: /
14+
schedule:
15+
interval: weekly
16+
open-pull-requests-limit: 5

.github/workflows/ci.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,9 @@ jobs:
2323

2424
- run: pnpm install --frozen-lockfile
2525

26+
- run: pnpm audit --prod --audit-level=high
27+
continue-on-error: true
28+
2629
- run: pnpm build
2730

2831
- run: pnpm typecheck

.github/workflows/codeql.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
name: CodeQL
2+
3+
on:
4+
push:
5+
branches: [main]
6+
pull_request:
7+
branches: [main]
8+
schedule:
9+
- cron: '0 6 * * 1' # Weekly Monday 6am UTC
10+
11+
jobs:
12+
analyze:
13+
runs-on: ubuntu-latest
14+
permissions:
15+
security-events: write
16+
steps:
17+
- uses: actions/checkout@v4
18+
19+
- uses: github/codeql-action/init@v3
20+
with:
21+
languages: javascript-typescript
22+
23+
- uses: github/codeql-action/analyze@v3

.github/workflows/release.yml

Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: Release
2+
3+
on:
4+
push:
5+
branches: [main]
6+
7+
jobs:
8+
release:
9+
runs-on: ubuntu-latest
10+
permissions:
11+
contents: write
12+
steps:
13+
- uses: actions/checkout@v4
14+
with:
15+
fetch-depth: 2
16+
17+
- name: Check for version change
18+
id: version
19+
run: |
20+
CURRENT=$(node -p "require('./package.json').version")
21+
git show HEAD~1:package.json > /tmp/prev-package.json 2>/dev/null || true
22+
PREVIOUS=$(node -p "try { require('/tmp/prev-package.json').version } catch { '' }")
23+
if [ "$CURRENT" != "$PREVIOUS" ] && [ -n "$CURRENT" ]; then
24+
echo "changed=true" >> "$GITHUB_OUTPUT"
25+
echo "version=$CURRENT" >> "$GITHUB_OUTPUT"
26+
echo "Version changed: $PREVIOUS -> $CURRENT"
27+
else
28+
echo "changed=false" >> "$GITHUB_OUTPUT"
29+
echo "No version change ($CURRENT)"
30+
fi
31+
32+
- name: Create tag and release
33+
if: steps.version.outputs.changed == 'true'
34+
env:
35+
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36+
VERSION: ${{ steps.version.outputs.version }}
37+
run: |
38+
TAG="v${VERSION}"
39+
git tag "$TAG"
40+
git push origin "$TAG"
41+
gh release create "$TAG" \
42+
--title "$TAG" \
43+
--generate-notes

0 commit comments

Comments
 (0)