potiuk opened a new pull request, #4: URL: https://github.com/apache/comdev/pull/4
## Summary

Adds repo-level security hardening. All changes are additive — no existing code is touched.

- **`.github/dependabot.yml`** — npm + github-actions ecosystems, with **cooldowns** (3-day patch / 7-day minor / 21-day major) so brand-new releases have time to be flagged by the ecosystem before we pull them in. Security advisories bypass cooldown automatically. The npm ecosystem is scoped to `/mcp/ponymail-mcp` (where `package.json` lives). Minor + patch updates grouped into single PRs to cut noise.
- **`.github/workflows/codeql.yml`** — CodeQL on push / PR / weekly, with the `security-extended` and `security-and-quality` query suites for JS/TS.
- **`.github/workflows/scorecard.yml`** — OpenSSF Scorecard; publishes results to code scanning + SARIF artifact.
- **`.github/workflows/dependency-review.yml`** — blocks PRs introducing deps with ≥moderate CVEs or GPL/AGPL licenses.
- **`.github/workflows/zizmor.yml`** — static analysis of the workflows themselves (script injection, overbroad permissions, unpinned refs, cache poisoning, etc.).
- **`SECURITY.md`** — directs reporters to **[email protected]** first (the canonical ASF channel), with GitHub Private Vulnerability Reporting as a secondary channel for issues isolated to this repo's tooling.

### Workflow hardening applied throughout

- Top-level `permissions: {}` (deny-all) with per-job minimum grants.
- All third-party actions pinned to **full commit SHAs** (dereferenced from annotated tags) with version comments — Dependabot keeps them current.
- `actions/checkout` sets `persist-credentials: false` so a stashed token can't be exfiltrated by later steps.
- Timeouts on every job.

## Notes for ASF context

- `SECURITY.md` follows ASF convention: [email protected] is preferred, GitHub PVR is secondary. Adjust language if comdev has a different preferred process.
- The repo also contains Python scripts (`asf-highlights/`, `project-activity/`). I left CodeQL scoped to `javascript-typescript` to mirror the original; happy to add `python` to the matrix in a follow-up.
- Independent of and complementary to #2 / #3 — no overlap with `mcp/ponymail-mcp/` source changes.

## Repo-level actions that can't be set via files

These require admin access in the GitHub UI (**Settings → Code security**):

- [ ] Enable **Private vulnerability reporting** (so the SECURITY.md PVR link works)
- [ ] Enable **Secret scanning** + **Push protection**
- [ ] Enable **Dependabot alerts** and **Dependabot security updates**
- [ ] Enable **CodeQL code scanning** (the workflow here uses advanced setup; default setup can coexist or be disabled)

**Branch protection on `main`** (Settings → Rules → Rulesets or Branches):

- [ ] Require PR + at least one review before merge
- [ ] Require status checks to pass: `CodeQL`, `Dependency Review`, `Zizmor`
- [ ] Require branches to be up to date before merge
- [ ] Require signed commits
- [ ] Dismiss stale approvals on new pushes
- [ ] Restrict who can push directly (admins only, or nobody)
- [ ] Block force pushes and deletions

**Optional but recommended:**

- [ ] Add a `CODEOWNERS` file so reviews auto-request the right people
- [ ] Apply for **OpenSSF Best Practices badge** once Scorecard is running

## Test plan

- [ ] Merge and confirm Dependabot opens grouped npm/actions PRs on the next weekly run
- [ ] Confirm CodeQL / Scorecard / zizmor appear in the **Security → Code scanning** tab
- [ ] Open a test PR with a deliberately vulnerable dep to verify `dependency-review` blocks it
- [ ] Verify the SECURITY.md PVR link resolves once PVR is enabled

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
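A small audit script for the workflow hardening rules the PR description lists (deny-all top-level `permissions: {}`, full-commit-SHA pins, `persist-credentials: false` on checkout, a timeout on every job). This is an added example, not code from the PR or the comdev repo; the sample workflow and its placeholder SHA are constructed, and the checker is line-based rather than a YAML parser, so it assumes the usual two-space indentation.

```python
import re

# Constructed sample workflow (not from the PR): hardened as the PR describes, except two deliberate gaps.
SAMPLE_WORKFLOW = """\
name: codeql
permissions: {}
jobs:
  analyze:
    timeout-minutes: 30
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: github/codeql-action/analyze@v3
  scorecard:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
"""

USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PINNED = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}\b")
JOB_KEY = re.compile(r"^  ([\w-]+):\s*$")  # job names: 2-space-indented keys under jobs:
def audit_workflow(text: str) -> list[str]:
    """Check the PR's rules: top-level permissions: {}, every action pinned to a full
    commit SHA, persist-credentials: false on checkout, a timeout on every job."""
    lines, findings = text.splitlines(), []
    if not any(re.fullmatch(r"permissions:\s*\{\}", ln) for ln in lines):
        findings.append("top-level permissions is not deny-all ({})")
    jobs, in_jobs, job = {}, False, None
    for ln in lines:
        if ln.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and (m := JOB_KEY.match(ln)):
            jobs[(job := m.group(1))] = []  # start collecting this job's lines
        elif in_jobs and job is not None:
            jobs[job].append(ln)
    for name, body in jobs.items():
        if not any("timeout-minutes:" in ln for ln in body):
            findings.append(f"job {name}: no timeout-minutes")
        starts = [i for i, ln in enumerate(body) if USES.match(ln)]
        for n, i in enumerate(starts):
            action = USES.match(body[i]).group(1)
            step = "\n".join(body[i:starts[n + 1] if n + 1 < len(starts) else len(body)])
            if not SHA_PINNED.match(body[i]):
                findings.append(f"job {name}: {action} not pinned to a full commit SHA")
            if action.startswith("actions/checkout@") and "persist-credentials: false" not in step:
                findings.append(f"job {name}: checkout keeps persist-credentials")
    return findings
```

Run it over each file in `.github/workflows/` before merging; an empty list means the four rules hold, and any finding names the job and the step that breaks one.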
