UnifiedOffer/mcpserver

GitHub Configuration

This directory contains GitHub-specific configuration files including workflows, security policies, and automation settings.

Required Secrets

To use all GitHub Actions workflows, you need to configure the following secrets in your repository settings:

Repository Secrets

Go to Settings → Secrets and variables → Actions → Secrets

  1. SUPABASE_SERVICE_ROLE_KEY (Required)

    • Your Supabase service role key for backend operations
    • Used by: Monthly billing, counter reset, health monitor workflows
  2. SUPABASE_PROJECT_ID (Optional)

    • Your Supabase project ID
    • Used by: Deploy workflow
  3. SUPABASE_ACCESS_TOKEN (Optional)

    • Personal access token for Supabase CLI
    • Used by: Deploy workflow
  4. LIVEDEMO_API_KEY (Recommended)

    • The API key for LiveDemo functionality
    • Previously hardcoded; it should now be stored as a secret
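
GitHub Actions expands a secret that is not configured to an empty string, so a missing key tends to surface only later, for example as the "Bad credentials" error covered under Troubleshooting. The preflight check below is an added example, not part of this repository's workflows; it assumes the workflow step maps each secret listed above into an environment variable of the same name, and the function names are hypothetical.

```shell
#!/bin/sh
# Preflight check for the secrets listed in this README (added example).
# Assumption: the step's `env:` block exposes every secret under its own name.
# Only secret names are ever printed, never their values.

REQUIRED_SECRETS="SUPABASE_SERVICE_ROLE_KEY"
OPTIONAL_SECRETS="SUPABASE_PROJECT_ID SUPABASE_ACCESS_TOKEN LIVEDEMO_API_KEY"

# is_blank NAME: succeeds when the variable is unset, empty or whitespace only
# (a value pasted as blanks fails authentication just like a missing one).
is_blank() {
  blank_value="$(printenv "$1" || true)"
  case "$blank_value" in
    *[![:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_secrets: prints one annotation per missing secret and returns 1 when
# any required secret is missing, 0 otherwise.
check_secrets() {
  missing_required=0
  for secret_name in $REQUIRED_SECRETS; do
    if is_blank "$secret_name"; then
      echo "::error::required secret $secret_name is not set"
      missing_required=1
    fi
  done
  for secret_name in $OPTIONAL_SECRETS; do
    if is_blank "$secret_name"; then
      echo "::warning::secret $secret_name is not set; workflows that use it will fail"
    fi
  done
  return "$missing_required"
}

# In a workflow step: source this file, then run `check_secrets || exit 1`.
```

Running it as the first step of a job makes a missing key fail fast with the secret's name in the log instead of an authentication error further down the job.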

Environment Configuration

Configure environments in Settings → Environments:

  1. development

    • No special protection rules
  2. staging

    • Optional: Require reviewers
  3. production

    • Require reviewers
    • Add yourself as required reviewer
    • Consider adding deployment branch restrictions

Workflow Overview

Automated Workflows (run on push/PR)

  • CI Pipeline: Linting, type checking, building, testing
  • Security Scan: Comprehensive security analysis
  • Deploy UOP v3: Deployment pipeline (requires manual approval for production)

Scheduled Workflows

  • Daily Health Monitor: Runs daily at 06:00 UTC
  • Monthly Billing Cron: Runs on 1st of month at 00:00 UTC
  • Monthly Counter Reset: Runs on 1st of month at 02:00 UTC
  • Fix NPM Vulnerabilities: Runs weekly on Mondays

Manual Workflows

All workflows can be triggered manually from the Actions tab.

Security Features

  • Dependabot: Automated dependency updates
  • CodeQL: Static code analysis
  • Secret Scanning: Prevents accidental secret commits
  • License Compliance: Ensures OSS license compatibility
  • OWASP Scanning: Additional vulnerability detection

Monitoring

Check the Actions tab regularly for:

  • Failed workflows (red X)
  • Security alerts
  • Dependabot PRs
  • Vulnerability fix PRs

Troubleshooting

Common Issues

  1. "Bad credentials" error

    • Check that all required secrets are set
    • Ensure tokens haven't expired
  2. CodeQL failing on first run

    • This is normal; it will work on subsequent runs
  3. npm audit showing vulnerabilities

    • Run the "Fix NPM Vulnerabilities" workflow
    • Or manually run npm audit fix
  4. License check failing

    • Review the allowed licenses in security.yml
    • Update if your organization allows additional licenses
