diff --git a/.github/WORKFLOWS_BEST_PRACTICES.md b/.github/WORKFLOWS_BEST_PRACTICES.md
index 7c269a1a2b..12fe19f486 100644
--- a/.github/WORKFLOWS_BEST_PRACTICES.md
+++ b/.github/WORKFLOWS_BEST_PRACTICES.md
@@ -101,6 +101,18 @@ All workflows follow a consistent structure:
 - **Triggers:** Manual dispatch and weekday schedule
 - **Timeout:** 20 minutes
+### dependency-review.yml - Dependency Review
+- **Purpose:** Reviews dependency changes in pull requests for vulnerabilities
+- **Triggers:** Pull requests to master
+- **Timeout:** 10 minutes
+- **Features:** Fails on high/critical vulnerabilities, checks licenses, comments on PR
+
+### codeql.yml - CodeQL Security Analysis
+- **Purpose:** Performs comprehensive security analysis using CodeQL
+- **Triggers:** Push, pull requests, weekly schedule, and manual dispatch
+- **Timeout:** 30 minutes
+- **Features:** Uses security-and-quality queries, automated vulnerability detection
+
 ## Guidelines for Creating New Workflows
 When creating a new workflow, ensure you:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000000..4253f4e3ed
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,54 @@
+# CodeQL Security Analysis
+# This workflow performs automated security analysis using CodeQL
+name: CodeQL Analysis
+
+on:
+  push:
+    branches: ['master']
+  pull_request:
+    branches: ['master']
+  schedule:
+    # Run at 3:00 AM UTC every Monday
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  analyze:
+    name: Analyze Code
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # CodeQL supports JavaScript/TypeScript analysis
+        language: ['javascript-typescript']
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # Use default queries plus security-extended for comprehensive scanning
+          queries: security-and-quality
+
+      # Autobuild attempts to build any compiled languages
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..f7d45b4e55
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
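Review bot: The comment above `queries:` in the Initialize CodeQL step says `security-extended`, but the value actually configured is `security-and-quality` (the larger suite that adds maintainability/reliability queries on top of security-extended), so the comment documents a different configuration than the one in effect; the WORKFLOWS_BEST_PRACTICES.md entry in this same commit says security-and-quality, so it is the comment that is out of date. Suggest `# security-and-quality = default + security-extended + code-quality queries; expect more, lower-severity alerts than security-extended` so the next reader knows which suite the alert volume comes from. Separately, every third-party action here and in dependency-review.yml is referenced by a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`); for a workflow granted `security-events: write`, the usual hardening is to pin to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: github/codeql-action/init@<full-commit-sha> # v3` (placeholder, fill in from the action's release), with Dependabot or Renovate bumping the SHA. The Autobuild step should be a near no-op for `javascript-typescript` since there is nothing compiled to build, so it could be dropped to shorten the run, though leaving it in is harmless.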
@@ -0,0 +1,33 @@
+# Dependency Review Workflow
+# This workflow checks pull requests for dependency changes and alerts on vulnerabilities
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: ['master']
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          # Fail the build on critical and high vulnerabilities
+          fail-on-severity: high
+          # Allow licenses that are commonly used in open source
+          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD
+          # Add a comment to the PR with the review results
+          comment-summary-in-pr: on-failure
diff --git a/.gitignore b/.gitignore
index 69e99142be..83a2664099 100644
--- a/.gitignore
+++ b/.gitignore
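Review bot: The comment on `allow-licenses` undersells what the setting does: once an allow-list is given, the action fails the pull request for any newly added dependency whose detected license is not in the list, so a transitive package under MPL-2.0, CC0-1.0, Unlicense, Python-2.0 or a dual license would block a merge rather than just be reported. Suggest replacing the comment with `# Allow-list: a new dependency under any other license fails this check` and confirming the current lockfile passes before this is enabled on master, since the first run will surface every existing mismatch at once. If pull requests can arrive from forks, `pull-requests: write` is not granted to the fork's GITHUB_TOKEN, so `comment-summary-in-pr: on-failure` will presumably not be able to post there and the result is only visible in the check itself; the severity and license gates still apply either way. The `fail-on-severity: high` comment is accurate (high is a threshold, so critical is included).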
@@ -143,4 +143,140 @@ Thumbs.db # Test coverage **/coverage/ -.nyc_output/ \ No newline at end of file +.nyc_output/ + +# Playwright test artifacts +test-results/ +playwright-report/ +playwright/.cache/ +**/test-results/ +**/playwright-report/ + +# Build system caches +.turbo/ +.swc/ +.eslintcache +.tsbuildinfo +*.tsbuildinfo + +# Next.js specific +.next/ +out/ +.vercel/ + +# Yarn Berry specific (already partially covered) +.pnp.* +.yarn/* +!.yarn/patches +!.yarn/plugins +!.yarn/releases +!.yarn/sdks +!.yarn/versions + +# Package manager locks (keep yarn.lock but ignore others) +package-lock.json +pnpm-lock.yaml + +# Storybook +storybook-static/ +.storybook-out/ + +# Webpack +.webpack/ +webpack-stats.json + +# Vite +.vite/ + +# Parcel +.parcel-cache/ + +# Million Lint (from app-specific gitignore) +.million/ + +# Editor backups and temp files +*.bak +*.tmp +*.temp +*~ +.#* +\#*\# +.*.sw[a-z] +*.un~ +Session.vim +.netrwhist + +# macOS +.AppleDouble +.LSOverride +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +# Windows +Desktop.ini +ehthumbs.db +ehthumbs_vista.db +*.stackdump +$RECYCLE.BIN/ +*.cab +*.msi +*.msix +*.msm +*.msp +*.lnk + +# Linux +.directory +.Trash-* +.nfs* + +# Logs +lerna-debug.log* +.pnpm-debug.log* + +# Diagnostic reports +report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json + +# Runtime data +pids/ +*.pid +*.seed +*.pid.lock + +# Optional npm cache directory +.npm/ + +# Optional stylelint cache +.stylelintcache + +# Optional REPL history +.node_repl_history + +# Output of 'npm pack' +*.tgz + +# dotenv environment variable files (explicit entries for clarity) +.env.development.local +.env.test.local +.env.production.local +.env.local + +# Optional Nx cache +.nx/cache/ + +# Sentry +.sentryclirc + +# Debug +debug.log +debug.*.log \ No newline at end of file
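Review bot: The new side still ends without a trailing newline (`\ No newline at end of file` after `+debug.*.log`), which this commit had the chance to fix when it rewrote the `.nyc_output/` line for exactly that reason; a final newline keeps the marker out of every later diff of this file. The `.env.local` / `.env.*.local` block is labelled "explicit entries for clarity", which presumably means a broader `.env*` pattern already exists earlier in the file, outside this hunk — worth confirming, since otherwise a plain `.env` is not ignored by anything shown here.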