Add security workflows pre-commit hooks, dependency review, CodeQL #196
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| # Dependency Review - blocks PRs that introduce known-vulnerable dependencies | ||
| name: Dependency Review | ||
|
|
||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
|
|
||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Dependency Review | ||
| uses: actions/dependency-review-action@v4 | ||
| with: | ||
| fail-on-severity: high | ||
| comment-summary-in-pr: always | ||
| deny-licenses: GPL-3.0-only, AGPL-3.0-only | ||
|
|
||
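Review bot: both actions in this hunk are referenced by a mutable major tag (`uses: actions/checkout@v4` and `uses: actions/dependency-review-action@v4`), so a workflow added to guard the dependency supply chain is itself exposed to the tag being moved; pin each `uses:` to a full-length commit SHA with the version in a trailing comment and let Dependabot open the bumps. The header comment says the workflow "blocks PRs that introduce known-vulnerable dependencies", but `fail-on-severity: high` lets moderate and low advisories through (they are still listed in the PR summary because of `comment-summary-in-pr: always`); either lower the threshold or word the comment so the cutoff reads as a deliberate choice.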
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,43 @@ | ||||||||||
| # Pre-commit hooks for Agent365-nodejs | ||||||||||
| # Install: pip install pre-commit && pre-commit install | ||||||||||
| # Run manually: pre-commit run --all-files | ||||||||||
|
|
||||||||||
|
|
||||||||||
| repos: | ||||||||||
| # Gitleaks - detect secrets in code | ||||||||||
| - repo: https://github.com/gitleaks/gitleaks | ||||||||||
| rev: v8.18.4 | ||||||||||
| hooks: | ||||||||||
| - id: gitleaks | ||||||||||
|
|
||||||||||
| # Whitespace fixes | ||||||||||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||||||||||
| rev: v4.6.0 | ||||||||||
| hooks: | ||||||||||
| - id: trailing-whitespace | ||||||||||
| args: [--markdown-linebreak-ext=md] | ||||||||||
| - id: end-of-file-fixer | ||||||||||
| - id: mixed-line-ending | ||||||||||
| args: [--fix=lf] | ||||||||||
| - id: check-merge-conflict | ||||||||||
| - id: check-yaml | ||||||||||
| args: [--allow-multiple-documents] | ||||||||||
| - id: check-json | ||||||||||
|
|
||||||||||
| # Node.js/TypeScript specific | ||||||||||
| - repo: https://github.com/pre-commit/mirrors-eslint | ||||||||||
| rev: v9.39.1 | ||||||||||
| hooks: | ||||||||||
| - id: eslint | ||||||||||
| files: \.[jt]sx?$ | ||||||||||
| types: [file] | ||||||||||
| additional_dependencies: | ||||||||||
| - eslint@9.39.1 | ||||||||||
| - typescript | ||||||||||
| - "@typescript-eslint/parser" | ||||||||||
| - "@typescript-eslint/eslint-plugin" | ||||||||||
|
||||||||||
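Review bot: in the eslint hook only `eslint@9.39.1` is pinned under `additional_dependencies`; `typescript`, `@typescript-eslint/parser` and `@typescript-eslint/eslint-plugin` resolve to whatever is latest when the hook environment is built, so results can drift from the repo's own lint run and between contributors. Pin them to the versions in package.json, and since eslint 9 defaults to flat config, confirm these are the packages the repo's ESLint config actually imports (a flat config typically uses `typescript-eslint` and `@eslint/js` instead). The gitleaks hook at `rev: v8.18.4` checks staged changes on commit, so the `pre-commit run --all-files` line in the header is the right first step for catching anything already in the tree; consider also running the same hooks in CI so a contributor who skips `pre-commit install` is still covered.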
| - "@typescript-eslint/eslint-plugin" | |
| - "@typescript-eslint/eslint-plugin" | |
| - "@eslint/js" | |
| - "typescript-eslint" |
Copilot
AI
Feb 10, 2026
The prettier hook is pinned to an alpha release (v4.0.0-alpha.8). Using prerelease formatter versions can cause unexpected formatting churn and makes it harder to keep contributors in sync. Consider pinning to the latest stable prettier (or aligning with a repo-managed prettier dependency if/when one is added).
PR title mentions adding CodeQL, but there’s no CodeQL workflow currently under .github/workflows (only CI and dependency-review). Either add the CodeQL workflow in this PR or adjust the PR title/description to match what’s actually being introduced.