Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# Dependabot configuration.
#
# This file configures the cadence and grouping of Dependabot pull requests
# (npm version updates, GitHub Actions version updates). It does NOT
# by itself enable Dependabot security alerts — that Settings toggle must be
# flipped under:
#
# `https://github.com/geevapp/geev/settings/security_analysis`
#
# Once a maintainer enables Dependabot (alerts + version updates + security
# updates) the settings below will begin producing PRs.
#
# Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
version: 2

updates:
- package-ecosystem: "npm"
directory: "/app"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
timezone: "UTC"
open-pull-requests-limit: 8
groups:
app-minor-and-patch:
applies-to: version-updates
patterns: ["*"]
update-types: ["minor", "patch"]
labels:
- "dependencies"
- "app"
- "area: app"
commit-message:
prefix: "chore(deps)"
# Auto-rebase once conflicts appear so we don't accumulate stale PRs.
rebase-strategy: "auto"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
time: "09:00"
timezone: "UTC"
open-pull-requests-limit: 5
groups:
actions-minor-and-patch:
applies-to: version-updates
patterns: ["*"]
update-types: ["minor", "patch"]
labels:
- "dependencies"
- "ci"
commit-message:
prefix: "chore(ci)"
rebase-strategy: "auto"

# NOTE: The `contracts/` Cargo workspace is not currently covered by this
# config because Dependabot does not yet ship robust first-class cargo
# support. We will add a `cargo audit` (and ideally `cargo update` review)
# CI workflow in a separate follow-up — see SECURITY.md "Supply Chain".
63 changes: 63 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
name: "CodeQL Analysis"

# Triggers:
# - On every push to `main`
# - On every PR targeting `main`
# - Weekly schedule (matches GitHub-default CodeQL cadence)
#
# NOTE: Code Scanning itself must be enabled at the repo level by a
# maintainer under `Settings → Code security and analysis → Code scanning`.
# Until then, this workflow will run but SARIF uploads will not surface
# alerts in the Security tab. The configure-side has a "Default setup"
# option that picks this file up automatically.

on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:
# Every Monday at 06:17 UTC.
- cron: "17 6 * * 1"

# Minimal permissions — CodeQL only needs to write security events and
# read repo contents. This narrows the workflow's blast radius.
permissions:
security-events: write
contents: read
# Avoid elevating to write-all; don't grant packages / actions / id-token
# by default.

jobs:
analyze:
name: "Analyze (${{ matrix.language }})"
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
# The Next.js app lives in `app/`. Rust (Soroban) contracts are
# analyzed separately via Cargo + clippy in the existing
# `.github/workflows/rust.yml` workflow; CodeQL doesn't analyze
# Rust directly here, so we keep this matrix narrow.
language: ["javascript-typescript"]
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# Use the bundled "security-and-quality" query pack — covers the
# default OWASP/CWE categories without writing our own packs.
queries: security-and-quality
# JS/TS analysis runs without explicit build because CodeQL
# can drive its own extraction. If adding C/C++ or Go later,
# switch this back to "autobuild".
build-mode: none

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Loading