Status: Open
Labels: enhancement (New feature or request)
Description
Context
Currently have two security-focused workflows that were added for learning/practice:
- codeql.yml - CodeQL security scanning (scans GitHub Actions workflows only)
- dependency-review.yml - Dependency vulnerability scanning
These workflows require GitHub Advanced Security (available on public repos) and were implemented to explore these features.
Question
Are these workflows providing value for a static Hugo portfolio site?
Current State
- CodeQL: Only scanning the actions language (3 workflow YAML files)
- Dependency Review: Scanning PR dependencies (Hugo theme, npm packages)
- Use Case: Static portfolio site with no application code or user input
Considerations
Keep if:
- Catching real security issues in theme dependencies
- Providing useful learning/resume value
- Low maintenance overhead
Remove/Archive if:
- Just noise with no actionable findings
- Overkill for static site with no application code
- Better suited as learning artifacts in archive
Action Items
- Monitor workflow runs for 1-2 months
- Review findings (if any)
- Evaluate if CodeQL should scan javascript-typescript (theme code)
- Decide: Keep, Archive, or Remove
- Document decision and rationale
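For the evaluation item above, this is an added example (not a file from the repository) of what codeql.yml could look like if the language matrix is extended from actions to also cover the theme's javascript-typescript code; the branch names, cron schedule and step names are assumptions:

```yaml
name: CodeQL

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "30 4 * * 1"    # assumed weekly schedule, catches new query releases

permissions:
  contents: read
  security-events: write    # needed to upload results to code scanning

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false      # one language failing should not hide the other's results
      matrix:
        include:
          # What the issue says is scanned today: the workflow YAML files themselves.
          - language: actions
            build-mode: none
          # Candidate from the action items: the Hugo theme's JavaScript/TypeScript.
          - language: javascript-typescript
            build-mode: none
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          # Separate categories keep the two languages' alerts distinct in the Security tab.
          category: "/language:${{ matrix.language }}"
```

Comparing the alert counts per category over the 1-2 month monitoring window gives a concrete basis for the keep/archive/remove decision.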
Related
- Added in commits 4af0073 and 2dc8ac7 (June 2025)
- Part of GitHub Advanced Security exploration
- See PR #7 (⬆️ Maintenance: Upgrade Hugo v0.147.7 & Congo v2.13.0) discussion for initial evaluation