mirror of
https://github.com/johannesjo/super-productivity.git
synced 2026-01-22 18:30:09 +00:00
Add comprehensive security configuration to protect against unauthorized workflow modifications and deployment tampering:

Changes:

1. CODEOWNERS (.github/CODEOWNERS)
   - Require @johannesjo approval for workflow changes
   - Protect build configs (Electron, Docker, Android, iOS)
   - Protect package management files (package.json, package-lock.json)
   - Prevent removal of security protections

2. Enhanced Dependabot (.github/dependabot.yml)
   - Weekly GitHub Actions SHA updates (security-critical)
   - Grouped minor/patch updates to reduce noise
   - Auto-label with security tags for visibility
   - Configured reviewers and commit message format

3. Setup Documentation (.github/SECURITY-SETUP.md)
   - Step-by-step guide for manual GitHub UI configuration
   - Branch protection rules (prevent direct workflow modification)
   - Environment protection (require approval for deployments)
   - Incident response procedures
   - Security impact assessment (75/100 → 30/100 risk score)

These changes complete the automated portion of Phase 1 security hardening. Manual steps (branch protection, environments) documented in SECURITY-SETUP.md.

Refs: CVE-2025-30066, OWASP CI/CD Security Top 10
67 lines
1.7 KiB
YAML
# Dependabot configuration for automated dependency updates
# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
  # ==========================================
  # npm Dependencies (Monthly Updates)
  # ==========================================
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'monthly'
      day: 'monday'
      time: '09:00'
      timezone: 'Europe/Berlin'

    open-pull-requests-limit: 10

    reviewers:
      - 'johannesjo'

    labels:
      - 'dependencies'
      - 'npm'

    commit-message:
      prefix: 'chore(deps)'

  # ==========================================
  # GitHub Actions (Weekly Updates - SECURITY)
  # ==========================================
  # Automatically updates pinned action SHAs when new versions release
  # This is critical for security: keeps SHA pins up-to-date with patches
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
      day: 'monday'
      time: '09:00'
      timezone: 'Europe/Berlin'

    # Limit concurrent PRs to avoid overwhelming maintainers
    open-pull-requests-limit: 5

    # Require @johannesjo approval (matches CODEOWNERS)
    reviewers:
      - 'johannesjo'

    # Label PRs for easy filtering and security awareness
    labels:
      - 'dependencies'
      - 'security'
      - 'github-actions'

    # Consistent commit message format
    commit-message:
      prefix: 'chore(deps)'
      include: 'scope'

    # Group minor and patch updates together to reduce PR noise
    groups:
      github-actions-minor:
        patterns:
          - '*'
        update-types:
          - 'minor'
          - 'patch'
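As an added example (not code from the super-productivity repository), the following Python script checks the precondition that makes the github-actions Dependabot entry above useful: Dependabot can only bump a SHA pin that already exists, so every `uses:` line in a workflow should reference a full 40-hex commit SHA rather than a mutable tag or branch. The sample workflow and the SHA value in it are constructed placeholders.

```python
"""Find GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example; the workflow text and SHA below are constructed placeholders.
"""
import re

# Matches `- uses: owner/repo[/path]@ref`, with or without quotes; a trailing
# `# vX.Y.Z` comment is not captured because the group stops at whitespace/#.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def check_uses(yaml_text):
    """Return a list of (line_no, reference, problem) for unpinned actions."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and Docker images are not pinned by commit SHA; skip them.
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        if '@' not in ref:
            findings.append((line_no, ref, 'no ref given (resolves to the default branch)'))
            continue
        _, _, version = ref.rpartition('@')
        if not SHA_RE.match(version):
            findings.append((line_no, ref, 'mutable ref (tag or branch), not a 40-hex commit SHA'))
    return findings


# Constructed sample workflow (not from the repository); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action@main
      - uses: other-org/other-action
"""

if __name__ == '__main__':
    for line_no, ref, problem in check_uses(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref}: {problem}')
```

Run it over each file under `.github/workflows/` to get the list of references Dependabot will not be able to keep patched until they are pinned.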