From f64af9b6885639f21f557158e3ed93e72e8db0d8 Mon Sep 17 00:00:00 2001 From: Sasa Junuzovic Date: Fri, 13 Mar 2026 16:59:50 -0700 Subject: [PATCH] ci: add CodeQL and dependency review workflows - CodeQL: Python code scanning on PRs + weekly Monday schedule - Dependency review: blocks PRs introducing vulnerable dependencies Closes #7 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/codeql.yml | 20 ++++++++++++++++++++ .github/workflows/dependency-review.yml | 14 ++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..e344493 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,20 @@ +name: CodeQL +on: + pull_request: + branches: [main] + schedule: + - cron: "0 6 * * 1" # Weekly Monday 6am UTC + +jobs: + analyze: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - uses: actions/checkout@v4 + - uses: github/codeql-action/init@v3 + with: + languages: python + - uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..e999e4d --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,14 @@ +name: Dependency Review +on: + pull_request: + branches: [main] + +permissions: + contents: read + +jobs: + review: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/dependency-review-action@v4