Skip to content

[CI]: Add CodeQL SAST, Dependabot config, and OSSF Scorecard workflow#10

Merged
spencrr merged 2 commits into
mainfrom
spencrr/ci
Apr 22, 2026
Merged

[CI]: Add CodeQL SAST, Dependabot config, and OSSF Scorecard workflow#10
spencrr merged 2 commits into
mainfrom
spencrr/ci

Conversation

@spencrr

@spencrr spencrr commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

Description

Add CodeQL SAST analysis, Dependabot dependency management, and OSSF Scorecard
supply-chain security workflow.

CodeQL (.github/workflows/codeql.yml):

  • Runs on push to main, PRs targeting main, and weekly (Wednesdays 14:25 UTC)
  • Python language analysis with pinned action SHAs (actions/checkout@v6.0.2,
    github/codeql-action@v4.35.1)
  • Minimal permissions scoped to actions: read, contents: read, security-events: write

Dependabot (.github/dependabot.yml):

  • Weekly update checks for uv, GitHub Actions, pre-commit, Docker, docker-compose,
    and devcontainers ecosystems
  • Commit messages prefixed with [MAINT] per repo convention
  • Minor/patch updates grouped for uv to reduce PR noise

OSSF Scorecard (.github/workflows/scorecard.yml):

  • Runs on push to main, PRs, and weekly (Saturdays 06:30 UTC)
  • Uploads SARIF results to GitHub code scanning dashboard
  • Pinned to ossf/scorecard-action@v2.4.3

All workflows use persist-credentials: false and empty default permissions: {}
following security best practices.

Breaking changes

None

Checklist

  • pre-commit run --all-files passes
  • Tests added or updated for changes
  • Documentation updated

@spencrr spencrr changed the base branch from main to spencrr/project-metadata April 14, 2026 02:37
@spencrr spencrr changed the base branch from spencrr/project-metadata to spencrr/workflows April 14, 2026 02:37
@spencrr spencrr changed the title spencrr/ci [CI]: Add CodeQL SAST, Dependabot config, and OSSF Scorecard workflow Apr 14, 2026
@spencrr spencrr force-pushed the spencrr/workflows branch from 0baca4a to da63a1e Compare April 17, 2026 09:32
@spencrr spencrr marked this pull request as ready for review April 17, 2026 22:20
Comment thread .github/workflows/codeql.yml Outdated
Comment thread .github/dependabot.yml
Comment thread .github/dependabot.yml Outdated

@nina-msft nina-msft left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after comments are addressed :)

@spencrr spencrr changed the base branch from spencrr/workflows to main April 22, 2026 01:37
@spencrr spencrr merged commit a065d12 into main Apr 22, 2026
3 checks passed
@spencrr spencrr deleted the spencrr/ci branch April 22, 2026 04:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants