chore(github): add security checks

contrem · contrem · commit 38a4e8958f46 · 2025-12-16T09:51:12.000-08:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,29 @@
+name: Security
+
+on: [push, workflow_dispatch]
+
+jobs:
+  vuln-dep-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install node
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: npm
+      - name: npm audit
+        run: npx audit-ci@^6 --config ./audit-ci.jsonc
+  semgrep:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+    container:
+      image: returntocorp/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci
+
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -0,0 +1,4 @@
+{
+  "high": true,
+  "allowlist": [],
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "high": true,
 +  "allowlist": [],
 +}