super-productivity/.github/CODEOWNERS
Johannes Millan ada53524b9 security: add CODEOWNERS, enhance Dependabot, document manual setup
Add comprehensive security configuration to protect against unauthorized
workflow modifications and deployment tampering:

Changes:
1. CODEOWNERS (.github/CODEOWNERS)
   - Require @johannesjo approval for workflow changes
   - Protect build configs (Electron, Docker, Android, iOS)
   - Protect package management files (package.json, package-lock.json)
   - Prevent removal of security protections

2. Enhanced Dependabot (.github/dependabot.yml)
   - Weekly GitHub Actions SHA updates (security-critical)
   - Grouped minor/patch updates to reduce noise
   - Auto-label with security tags for visibility
   - Configured reviewers and commit message format

3. Setup Documentation (.github/SECURITY-SETUP.md)
   - Step-by-step guide for manual GitHub UI configuration
   - Branch protection rules (prevent direct workflow modification)
   - Environment protection (require approval for deployments)
   - Incident response procedures
   - Security impact assessment (75/100 → 30/100 risk score)

These changes complete the automated portion of Phase 1 security hardening.
Manual steps (branch protection, environments) documented in SECURITY-SETUP.md.

Refs: CVE-2025-30066, OWASP CI/CD Security Top 10
2026-01-21 14:30:24 +01:00

78 lines
2.5 KiB
Text

# CODEOWNERS - Define code ownership for security-critical files
# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
#
# Changes to files listed below are routed to @johannesjo for review.
# NOTE: GitHub only enforces this when the base branch has a branch protection
# rule (or ruleset) with "Require review from Code Owners" enabled; without it,
# CODEOWNERS merely auto-requests a reviewer. GitHub reads this file from the
# base branch of a pull request, so PRs cannot bypass it by editing their copy.
# This protects against unauthorized workflow modifications and supply chain attacks
# ==========================================
# GitHub Actions Workflows (CRITICAL)
# ==========================================
# All workflow changes require owner approval to prevent:
# - Secret exfiltration via workflow modification
# - Malicious deployment to production
# - Supply chain attacks on users
/.github/workflows/*.yml @johannesjo
/.github/workflows/*.yaml @johannesjo
# CODEOWNERS file itself (prevent removal of protections)
/.github/CODEOWNERS @johannesjo
# ==========================================
# Build & Deployment Configuration (HIGH)
# ==========================================
# Electron application entry point and build config
/electron/ @johannesjo
# Docker deployment configuration
/Dockerfile @johannesjo
/docker-entrypoint.sh @johannesjo
/docker-compose*.yml @johannesjo
/docker-compose*.yaml @johannesjo
# Mobile app build configuration
/android/ @johannesjo
/ios/ @johannesjo
/capacitor.config.ts @johannesjo
# Electron Builder configuration (code signing, auto-update)
/build/ @johannesjo
/electron-builder*.yml @johannesjo
/electron-builder*.yaml @johannesjo
# ==========================================
# Package Management (HIGH)
# ==========================================
# Dependencies and lock files (supply chain risk)
/package.json @johannesjo
/package-lock.json @johannesjo
# ==========================================
# Security & Environment (HIGH)
# ==========================================
# Security documentation
/SECURITY.md @johannesjo
# Environment configuration
/.env.example @johannesjo
/tools/load-env.js @johannesjo
# ==========================================
# Web Server Configuration (MEDIUM)
# ==========================================
# Nginx reverse proxy and web server config
/nginx/ @johannesjo
# ==========================================
# Git Configuration (MEDIUM)
# ==========================================
# Git hooks and configuration
/.husky/ @johannesjo
/.gitignore @johannesjo
# ==========================================
# Documentation Changes (LOW - Optional)
# ==========================================
# Uncomment if you want to review all README changes
# /README.md @johannesjo
# /CLAUDE.md @johannesjo
# /docs/ @johannesjo
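As an added example (not part of the super-productivity repository), the following Python script approximates GitHub's documented CODEOWNERS matching rules (last match wins, a leading `/` anchors to the repository root, a trailing `/` covers a directory tree, `*` stays within one path segment, a pattern ending in a single `*` matches direct children only) and runs a constructed list of changed paths against a constructed subset of the rules in the file above. It reports which paths a pull request could touch without any code-owner review being required. With these rules, `.github/dependabot.yml` (which the commit message says was enhanced) and a nested `src/app/package.json` match no line at all; an extra unowned `/electron/vendor/` line, which is not in the original file, is included only to show how a later matching line silently removes an earlier owner. The matcher is an approximation written for this audit, not GitHub's implementation, and the enforcement caveat still applies: none of this blocks a merge unless branch protection requires code-owner review.

```python
"""Audit which changed paths a CODEOWNERS file would route to a code owner.

Added example, not code from the super-productivity project. It approximates
GitHub's documented CODEOWNERS matching (assumption: GitHub's own matcher may
differ in corner cases): last matching line wins; a leading "/" anchors to the
repo root; a pattern whose only "/" is trailing matches at any depth; a
trailing "/" covers a whole directory tree; "*" stays within one path segment,
"**" does not; a pattern ending in a single "*" matches direct children only.
The rule set and changed paths below are constructed for the demo.
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, "re.Pattern[str]", List[str]]
_GLOB = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}


def _translate(body: str) -> str:
    """Turn the glob part of a pattern into a regex fragment."""
    tokens = re.findall(r"\*\*/|\*\*|\*|\?|[^*?]+", body)
    return "".join(_GLOB.get(t) or re.escape(t) for t in tokens)


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile one CODEOWNERS pattern into a regex over repo-relative paths."""
    trailing_slash = pattern.endswith("/")
    body = pattern.strip("/")
    anchored = pattern.startswith("/") or "/" in body
    prefix = "^" if anchored else "^(?:.*/)?"
    if trailing_slash:
        suffix = "/.*$"                 # directory: everything beneath it
    elif body.endswith("*") and not body.endswith("**"):
        suffix = "$"                    # GitHub's "docs/*": direct children only
    else:
        suffix = "(?:/.*)?$"            # a file, or a directory plus its contents
    return re.compile(prefix + _translate(body) + suffix)


def parse_codeowners(text: str) -> List[Rule]:
    """Parse CODEOWNERS text into (pattern, regex, owners) in file order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            rules.append((parts[0], compile_pattern(parts[0]), parts[1:]))
    return rules


def owners_for(path: str, rules: List[Rule]) -> Optional[List[str]]:
    """Owners of `path` (last match wins); None when no pattern matches."""
    result: Optional[List[str]] = None
    for _pattern, regex, owners in rules:
        if regex.match(path):
            result = owners              # later lines override earlier ones
    return result


def unprotected(paths: List[str], rules: List[Rule]) -> List[str]:
    """Paths a PR could change with no code-owner review required at all."""
    return [p for p in paths if not owners_for(p, rules)]


# Constructed subset of the rules in the file above, plus one extra unowned
# line (not in the original) that shows how a later match removes protection.
SAMPLE_CODEOWNERS = """\
/.github/workflows/*.yml @johannesjo
/.github/workflows/*.yaml @johannesjo
/.github/CODEOWNERS @johannesjo
/electron/ @johannesjo
/electron/vendor/
/docker-compose*.yml @johannesjo
/package.json @johannesjo
/package-lock.json @johannesjo
/nginx/ @johannesjo
"""

# Constructed paths a hypothetical pull request might touch.
CHANGED_FILES = [
    ".github/workflows/release.yml",
    ".github/dependabot.yml",
    "electron/main.ts",
    "electron/vendor/lib.js",
    "docker-compose.prod.yml",
    "package-lock.json",
    "src/app/package.json",
    "nginx/conf.d/default.conf",
]

if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    for path in CHANGED_FILES:
        owners = owners_for(path, rules)
        print(f"{path:32} {' '.join(owners) if owners else 'NO CODE-OWNER REVIEW'}")
    print("review gaps:", unprotected(CHANGED_FILES, rules))
```

Feed it the real file and the output of `git diff --name-only base...head` to see, before merging, which touched paths would bypass owner review; any path printed under "review gaps" either needs a new rule or a deliberate decision that it is out of scope.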