
chore(repo): SECURITY.md, Dependabot config, CodeQL workflow#3

Merged
furkankoykiran merged 1 commit into
mainfrom
chore/oss-repo-hardening
May 17, 2026

Conversation

@furkankoykiran
Owner

Summary

Brings the repository up to a professional-OSS baseline alongside the GitHub-side settings already applied via the API.

What's in this PR

  • SECURITY.md — Documents supported version line, private reporting channels (GitHub Private Vulnerability Reporting first, email fallback), expected response SLA (72h ack / 7d triage / 30d fix for high/crit), and explicit in-scope vs. out-of-scope coverage. Discourages public issue filing for vulnerabilities.

  • .github/dependabot.yml — Weekly npm + GitHub Actions updates, grouped by logical cluster (typescript-toolchain, linters-and-formatters, testing, types, actions). One PR per group per week instead of one per package — proportional to a "no runtime deps" project.

  • .github/workflows/codeql.yml — JS/TS static analysis with security-extended + security-and-quality query packs. Runs on PR, on push to main, and on a weekly schedule (Mondays 06:00 UTC, same morning as Dependabot).

Already applied via the GitHub API (no diff)

  • Squash-only merges; rebase + merge-commit disabled
  • Auto-delete head branches on merge
  • Wiki and Projects disabled
  • GitHub Discussions enabled (referenced from ISSUE_TEMPLATE/config.yml)
  • Dependabot alerts + automated security updates enabled
  • Secret scanning + push protection + AI detection enabled
  • Auto-merge allowed (for Dependabot's weekly PRs once their checks pass)

Follow-up

Branch protection on main will require this PR's CodeQL workflow once the first run completes — set as a separate API call once the workflow registers a status context. Documented in the PR comment thread.

Test plan

  • Test (Node 20) passes
  • Test (Node 22) passes
  • CodeQL workflow runs and uploads SARIF without findings
  • Dependabot opens the first weekly batch on the next Monday (visible in PR tab)

Related

Brings the repo up to professional-OSS baseline alongside the GitHub-side
settings (squash-only merges, delete-on-merge, Discussions enabled, secret
scanning + push protection on, Dependabot alerts + security updates on).

- SECURITY.md
  Documents the supported version line (0.5.x), the private reporting
  channels (GitHub PVR draft advisory first, email fallback), the expected
  response timeline (72h ack, 7d triage, 30d fix for high/crit), and the
  scope of what counts as in-scope (npm package, auto-update path,
  credential handling, hooks) vs. out-of-scope (hosted service, scanner-
  only reports). Also disables the implicit "just open an issue" path.

- .github/dependabot.yml
  Weekly npm + GitHub Actions updates, Monday 07:00 Europe/Istanbul (same
  morning as the CodeQL scheduled scan). Grouped by logical cluster
  (typescript-toolchain, linters, testing, types, actions) so one weekly
  PR per cluster instead of N PRs per package — keeps maintenance cost
  proportional to the project's "no runtime deps" stance.

- .github/workflows/codeql.yml
  JS/TS analysis with security-extended + security-and-quality query
  packs. Runs on PR + push to main + weekly schedule. Permissions scoped
  to the minimum CodeQL needs to upload SARIF.

Branch protection on main is configured separately via the GitHub API and
will require this workflow's check before merge once the first run completes.
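An added example of what a `codeql.yml` matching the description above could look like; this is not the file merged in this PR. The triggers, schedule, query packs and scoped permissions follow the PR text, while the action major versions (`@v4` checkout, `@v3` codeql-action) and the job and step names are assumptions.

```yaml
# Added example matching the PR description; NOT the workflow file merged in this PR.
# Assumed: action major versions (@v4 checkout, @v3 codeql-action) and job/step names.
name: CodeQL

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    # Mondays 06:00 UTC, as stated in the PR (same morning as the Dependabot batch).
    - cron: "0 6 * * 1"

# Least privilege: the job only needs to read the checkout and upload SARIF.
# Every permission not listed here is implicitly 'none' for this workflow.
permissions:
  contents: read
  security-events: write
  actions: read   # only required when the repository is private

jobs:
  analyze:
    name: Analyze (javascript-typescript)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          # The two query packs named in the PR, on top of the default suite.
          queries: security-extended,security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"
```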
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@furkankoykiran furkankoykiran merged commit 54a6904 into main May 17, 2026
4 checks passed
@furkankoykiran furkankoykiran deleted the chore/oss-repo-hardening branch May 17, 2026 16:48