chore(ci): add security baseline (SECURITY.md, audit, CodeQL, dependabot, concurrency) #2306
ruflin wants to merge 1 commit into
…bot, concurrency)

Establish a supply-chain and security baseline for the repository:

- SECURITY.md documents the supported branches and the private vulnerability-disclosure process (GitHub Security Advisories or email).
- A new `audit` job in continuous-integration.yaml runs `composer audit` on every push and pull request so known advisories surface early.
- A new CodeQL workflow scans the repository's GitHub Actions with the `security-and-quality` query suite on push, pull request, and weekly. PHP support stays out of scope for now (CodeQL PHP analysis is still in beta as of 2026-04).
- A `concurrency` group cancels in-progress runs when a new commit lands on the same pull request, reducing CI cost and noise.
- A `dependabot.yml` keeps Composer, GitHub Actions, and the Docker base image up to date with grouped weekly Composer updates.

No production code changes.
CodeRabbit walkthrough: Introduces repository-wide security and dependency maintenance infrastructure: Dependabot configuration for automated dependency updates, CodeQL workflow for security scanning, composer audit automation in CI, a security vulnerability disclosure policy, and updated changelog documentation.
| @@ -0,0 +1,54 @@ | |||
| # Security Policy | |||
Remove the SECURITY.md file
Pull request overview
Establishes a repository security/supply-chain baseline by adding a security policy, automated dependency auditing, CodeQL scanning for GitHub Actions, and Dependabot updates, along with CI run-concurrency controls.
Changes:
- Add `SECURITY.md` documenting supported versions and private vulnerability reporting.
- Add `composer audit` to CI plus workflow-level `concurrency` settings to reduce redundant PR runs.
- Add CodeQL workflow and Dependabot configuration for Composer, GitHub Actions, and Docker.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| SECURITY.md | Adds security policy, supported versions table, and reporting process. |
| CHANGELOG.md | Documents the new security baseline work under Unreleased → Security. |
| .github/workflows/continuous-integration.yaml | Adds composer audit job and workflow-level concurrency control. |
| .github/workflows/codeql.yml | Adds CodeQL workflow for GitHub Actions with schedule + concurrency control. |
| .github/dependabot.yml | Adds Dependabot update rules for Composer, Actions, and Docker. |
| * Added a `SECURITY.md` file describing the supported branches and the private vulnerability-disclosure process. | ||
| * Added a `composer audit` job to the CI pipeline so PRs surface known advisories early. | ||
| * Added a CodeQL workflow that runs `security-and-quality` queries on the repository's GitHub Actions on every push, pull request, and weekly on a schedule. | ||
| * Added Dependabot configuration to keep Composer, GitHub Actions, and Docker dependencies up to date. | ||
| * Added a workflow `concurrency` group to cancel in-progress runs when a new commit lands on the same pull request. |
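Review bot: the CodeQL changelog entry says the scan runs on every push and pull request, but the codeql workflow hunk restricts `pull_request` to `branches: ['9.x']`; state the branch filter here so the changelog matches the workflow, for example "on pushes and pull requests targeting `9.x`, and weekly on a schedule".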
| on: ['push', 'pull_request'] | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} |
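Review bot: the `concurrency` block shows the group but the visible lines do not show `cancel-in-progress`; make sure it is scoped to pull requests rather than set unconditionally, because with `on: ['push', 'pull_request']` the same group also covers pushes to `9.x`, and cancelling those can leave the branch with no completed run. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}` limits it to PRs. Separately, a pull request opened from a branch inside this repository triggers both `push` and `pull_request`, and the two runs land in different groups (`refs/heads/...` versus `refs/pull/N/merge`), so the group does not collapse them; a `branches` filter on the `push` trigger would.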
| - cron: '17 6 * * 1' | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} |
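Review bot: the scheduled run and pushes to the default branch share one concurrency group, because on a `schedule` event `github.ref` resolves to the default branch ref; if `cancel-in-progress` is enabled, a push to `9.x` can cancel the weekly scan or the reverse. Include the event name in the group (`${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`) or exclude `schedule` from cancellation. The cron `17 6 * * 1` is Monday 06:17 UTC, which matches the PR description.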
| pull_request: | ||
| branches: ['9.x'] | ||
| schedule: | ||
| # Run weekly to catch newly published advisories. |
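Review bot: the comment above `schedule` says the weekly run catches newly published advisories, but CodeQL flags code patterns in the workflow files rather than advisories; what a weekly run picks up is updates to the query packs. Reword it so it is not confused with the `composer audit` job, which is the one that reacts to new advisories. Also confirm that `9.x` is the repository's default branch, since the scheduled run checks out the default branch and the Security tab surfaces code scanning alerts from it.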
| a public GitHub issue**. Instead use one of the following private channels: | ||
|
|
||
| - Open a [GitHub Security Advisory](https://github.com/ruflin/Elastica/security/advisories/new) | ||
| on the repository (preferred). | ||
| - Or email the maintainer directly at `spam@ruflin.com` with the subject | ||
| prefix `[Elastica security]`. | ||
|
|
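Review bot: the reporting section names the two channels but not what a report should contain or when to expect an acknowledgement; add a line asking for the affected branch or version, a minimal reproduction and the impact, and a target acknowledgement window, so reporters know the report was received before considering any public disclosure. The advisory form is correctly marked as preferred; since no key is listed for the email channel in these lines, it is worth saying that reporters who need confidentiality should use the advisory form.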
Summary

Establish a supply-chain and security baseline for the repository:

- `SECURITY.md` documents supported branches and the private vulnerability-disclosure process (GitHub Security Advisories preferred, email fallback).
- `composer audit` job in `continuous-integration.yaml` runs on every push and pull request so newly published advisories block the build early.
- `security-and-quality` query suite on push, pull request, and weekly (Mondays 06:17 UTC). PHP support is still in beta as of 2026-04, so it stays out of the matrix for now; the comment in the workflow explains how to enable it later.
- `concurrency` group in CI cancels in-progress runs when a new commit lands on the same PR, reducing CI cost and noise.
- `dependabot.yml` keeps Composer, GitHub Actions, and the Docker base image up to date. Composer updates are grouped (static-analysis, testing) to limit PR churn.

No production code changes.

Identified during a P0/P1 code-review pass.
Test plan

- `python3 -c "import yaml; yaml.safe_load(open(...))"` validates each YAML file.
- `audit` job runs `composer audit` cleanly on the current lockfile.
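The following is an added example, written for this review and not taken from the PR's own workflow file, of the CI shape the description above covers: one concurrency group whose cancellation applies only to pull-request runs (so pushes to the release branch always finish), a read-only default token, and an audit job that fails when a known advisory matches the lock file. The branch name `9.x`, the PHP version, and the action versions are assumptions.

```yaml
# Added example (not this PR's continuous-integration.yaml). Branch name,
# PHP version and action versions are assumptions.
name: CI

on:
  push:
    branches: ['9.x']      # assumed default branch
  pull_request:
    branches: ['9.x']

# One group per workflow and ref. Only pull-request runs are cancelled when
# a newer commit arrives; pushes to 9.x run to completion so the branch
# always ends up with a finished status.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# Least privilege for the GITHUB_TOKEN across the whole workflow; a job
# that needs more can raise it in its own permissions block.
permissions:
  contents: read

jobs:
  audit:
    name: composer audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'   # assumed
          tools: composer:v2

      # Audit the lock file rather than whatever is installed, so the result
      # describes exactly the versions a release would ship. Composer exits
      # non-zero when an advisory matches, which fails the job.
      - name: Audit locked dependencies
        run: composer audit --locked --no-interaction
```

Keying cancellation on `github.event_name` is the detail the description leaves implicit: with `cancel-in-progress: true` on its own, two quick pushes to `9.x` would cancel the first run and leave the branch without a completed audit.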