Johannes Millan
ada53524b9
security: add CODEOWNERS, enhance Dependabot, document manual setup
Add comprehensive security configuration to protect against unauthorized
workflow modifications and deployment tampering:
Changes:
1. CODEOWNERS (.github/CODEOWNERS)
- Require @johannesjo approval for workflow changes
- Protect build configs (Electron, Docker, Android, iOS)
- Protect package management files (package.json, package-lock.json)
- Prevent removal of security protections
2. Enhanced Dependabot (.github/dependabot.yml)
- Weekly GitHub Actions SHA updates (security-critical)
- Grouped minor/patch updates to reduce noise
- Auto-label with security tags for visibility
- Configured reviewers and commit message format
3. Setup Documentation (.github/SECURITY-SETUP.md)
- Step-by-step guide for manual GitHub UI configuration
- Branch protection rules (prevent direct workflow modification)
- Environment protection (require approval for deployments)
- Incident response procedures
- Security impact assessment (75/100 → 30/100 risk score)
These changes complete the automated portion of Phase 1 security hardening.
Manual steps (branch protection, environments) documented in SECURITY-SETUP.md.
Refs: CVE-2025-30066, OWASP CI/CD Security Top 10
2026-01-21 14:30:24 +01:00
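The commit's weekly Dependabot job for GitHub Actions only works as intended if every `uses:` step is pinned to a full commit SHA with a trailing version comment (Dependabot updates the SHA and the comment together; a bare `@v4` tag can be moved to a malicious commit, which is exactly what happened in the tj-actions/changed-files incident tracked as CVE-2025-30066). The audit below is an added example, not code from the super-productivity repository or this commit; the workflow text it scans is constructed for the example and the function and regex names are the author's own choices. It reports three buckets: refs pinned correctly, refs still on a tag or branch, and SHA-pinned refs that lack the version comment Dependabot needs.

```python
import re
from typing import Dict, List

# Constructed sample workflow for this example; not a file from the project.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.20
      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
      - run: npm ci
"""

# `- uses: owner/repo@ref  # v1.2.3` -> group 1 is the ref, group 2 the comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(.*?))?\s*$")
# A full 40-hex commit SHA is the only ref that cannot be silently retargeted.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Dependabot reads a `# v4.2.2`-style comment to know which release a SHA is.
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")


def audit_workflow(text: str) -> Dict[str, List[str]]:
    """Classify every `uses:` step of one workflow file.

    Returns {"pinned": [...], "unpinned": [...], "missing_version_comment": [...]}
    with each entry being the ref exactly as written in the workflow.
    """
    findings: Dict[str, List[str]] = {
        "pinned": [],
        "unpinned": [],
        "missing_version_comment": [],
    }
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions live in the same repo and are covered by
        # CODEOWNERS; docker:// images need @sha256 digest pinning, which is a
        # separate check and out of scope for this example.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings["unpinned"].append(ref)
        elif not (comment and VERSION_RE.match(comment.strip())):
            findings["missing_version_comment"].append(ref)
        else:
            findings["pinned"].append(ref)
    return findings


def is_clean(findings: Dict[str, List[str]]) -> bool:
    """True only when nothing needs fixing; use as a CI gate."""
    return not findings["unpinned"] and not findings["missing_version_comment"]


if __name__ == "__main__":
    result = audit_workflow(SAMPLE_WORKFLOW)
    for bucket, refs in result.items():
        print(f"{bucket}:")
        for ref in refs:
            print(f"  {ref}")
    raise SystemExit(0 if is_clean(result) else 1)
```

Running this over `.github/workflows/*.yml` in CI (for example as a required status check behind the branch protection rule the commit documents) turns "pin actions to SHAs" from a review convention into something the merge gate enforces; Dependabot then keeps the pinned SHAs current on its weekly schedule.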