Skip to content

[codex] Add GitHub DevSecOps workflows#40

Closed
ganesh47 wants to merge 2 commits into
mainfrom
codex/devsecops-security-baseline
Closed

[codex] Add GitHub DevSecOps workflows#40
ganesh47 wants to merge 2 commits into
mainfrom
codex/devsecops-security-baseline

Conversation

@ganesh47

Copy link
Copy Markdown
Owner

What changed

This PR adds a GitHub-based DevSecOps baseline for cstack.

  • adds Dependabot updates for npm and GitHub Actions
  • adds PR security gates for dependency review, CodeQL, and Gitleaks
  • adds a scheduled security-intelligence workflow for npm audit, OSV-Scanner, SBOM generation, and OSSF Scorecard
  • hardens release preparation and release publication with required-check waiting, SBOM generation, and provenance attestation
  • documents the required checks and repository settings in docs/devsecops.md
  • aligns package.json package-manager metadata with the repo's actual npm-based workflow contract

Why

The repo already had CI and release automation, but it did not have durable dependency automation, PR-level security gates, scheduled security evidence, or release supply-chain hardening. This closes that gap without changing the existing core build/test/release intent.

Impact

  • PRs can now require validate, dependency-review, CodeQL, and Gitleaks
  • release preparation can wait for the full required-check set before tagging
  • releases can publish SBOM evidence and provenance attestations alongside existing assets
  • security maintenance becomes ongoing rather than ad hoc

Validation

  • npx --yes actionlint
  • npm run build
  • npx vitest run test/deliver.test.ts --reporter=dot

@ganesh47 ganesh47 marked this pull request as ready for review March 27, 2026 15:48
@ganesh47

Copy link
Copy Markdown
Owner Author

Superseded by #39, which has already been merged into main.

@ganesh47 ganesh47 closed this Mar 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants