
ci: move security audits to nightly workflow and add dev status page #3190

Merged
QuantumExplorer merged 4 commits into v3.1-dev from ci/nightly-security-audits on Mar 5, 2026

Conversation

QuantumExplorer (Member) commented Mar 5, 2026

Issue being fixed or feature implemented

Security audits (Rust crate audit, JS NPM audit, JS CodeQL) were running on every push and PR, adding unnecessary CI time. These checks don't need to gate individual PRs since they audit the dependency tree, not the diff.

What was done?

  • Extracted three security audit jobs from tests.yml into separate nightly workflows (11:30 PM UTC):
    • security-audit-rust.yml — Rust crates audit via rustsec/audit-check
    • security-audit-js-npm.yml — JS NPM audit via yarn npm audit
    • security-audit-js-codeql.yml — JS CodeQL analysis
  • Added security-audit-status.yml aggregator workflow that triggers on completion of any audit, checks all three, and fails if any is not passing — provides a single accurate badge for the README
  • Created DEV_STATUS.md page with per-audit badges for detailed status
  • Added Security Status badge to README linking to DEV_STATUS.md
  • Removed unnecessary sccache setup from Rust audit (cargo audit only parses Cargo.lock, no compilation occurs)

How Has This Been Tested?

Workflow YAML validated for correct syntax and job dependencies.

Breaking Changes

None. Security audits continue to run nightly. They are no longer blocking PR merges.

Checklist

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Established automated security audit workflows running nightly for JavaScript code, npm dependencies, and Rust crates, with manual trigger capability
    • Added aggregated security audit status reporting
    • Added development status documentation for security audits and CI visibility
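The aggregation the description outlines (look up the latest run of each audit workflow and fail unless every one passed), as an added Python example that is not code from this PR or the repository's own workflow: the three workflow file names come from the PR, while the repository slug, the `latest_completed_run_url`, `fetch_latest_run`, `classify_run` and `aggregate` helpers, and the sample run records are constructed for illustration. It restricts the lookup to completed runs so that an audit still in progress (which is the normal state when a `workflow_run` trigger fires on the first audit to finish) is neither counted as a failure nor mistaken for a pass, and it reports "passing" only on an explicit `success` conclusion.

```python
"""Aggregate the latest result of several GitHub Actions audit workflows.

Added example, not code from the Dash Platform repository: the kind of check
the PR's aggregator workflow describes, written as a script a `run:` step
could execute with GITHUB_TOKEN and GITHUB_REPOSITORY in the environment.
"""
import json
import os
import urllib.request
from typing import Optional

# Workflow files named in the PR description.
AUDIT_WORKFLOWS = (
    "security-audit-rust.yml",
    "security-audit-js-npm.yml",
    "security-audit-js-codeql.yml",
)


def latest_completed_run_url(repo: str, workflow_file: str) -> str:
    """Build the REST URL for the most recent *completed* run of a workflow.

    GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs accepts the
    workflow file name as workflow_id and a `status=completed` filter, so an
    audit that is still running when the aggregator fires does not hide the
    last finished verdict.
    """
    return (f"https://api.github.com/repos/{repo}/actions/workflows/"
            f"{workflow_file}/runs?status=completed&per_page=1")


def fetch_latest_run(repo: str, workflow_file: str, token: str) -> Optional[dict]:
    """Fetch the latest completed run entry (network call; the offline check below does not use it)."""
    req = urllib.request.Request(
        latest_completed_run_url(repo, workflow_file),
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        runs = json.load(resp).get("workflow_runs", [])
    return runs[0] if runs else None


def classify_run(run: Optional[dict]) -> str:
    """Reduce a workflow_runs entry to a verdict: passing, failing or unknown.

    Only conclusion == "success" counts as passing. A run that was cancelled,
    skipped or timed out is not evidence that the audit passed, so it is
    reported as failing; a workflow with no completed run yet is "unknown".
    """
    if run is None:
        return "unknown"
    return "passing" if run.get("conclusion") == "success" else "failing"


def aggregate(latest_runs: dict) -> tuple:
    """Return (all_passing, per-workflow verdicts) for the audits.

    The aggregate passes only when every audit's latest completed run
    succeeded; an "unknown" audit fails the aggregate as well, so a badge
    never reads "passing" on the strength of an audit that has not run.
    """
    verdicts = {name: classify_run(run) for name, run in latest_runs.items()}
    all_passing = bool(verdicts) and all(v == "passing" for v in verdicts.values())
    return all_passing, verdicts


# Constructed sample records shaped like GitHub's `workflow_runs` entries
# (only the fields this script reads). Not real run data.
SAMPLE_RUNS = {
    "security-audit-rust.yml":      {"id": 1, "status": "completed", "conclusion": "success"},
    "security-audit-js-npm.yml":    {"id": 2, "status": "completed", "conclusion": "failure"},
    "security-audit-js-codeql.yml": None,   # no completed run yet
}

if __name__ == "__main__":
    repo = os.environ.get("GITHUB_REPOSITORY", "owner/repo-placeholder")  # placeholder slug
    token = os.environ.get("GITHUB_TOKEN")
    if token:
        runs = {wf: fetch_latest_run(repo, wf, token) for wf in AUDIT_WORKFLOWS}
    else:
        runs = SAMPLE_RUNS  # offline demonstration with the constructed records
    ok, verdicts = aggregate(runs)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    raise SystemExit(0 if ok else 1)
```

Run without a token it evaluates the constructed records and exits 1, because the npm audit failed and the CodeQL audit has no completed run; with GITHUB_TOKEN set it queries the live API for the three workflows and the exit status becomes the aggregator's verdict.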

- Extract rs-crates-security, js-npm-security, and js-codeql jobs from
  tests.yml into a new security-audits.yml that runs nightly + manually
- Create DEV_STATUS.md with badge-based audit and CI status tracking
- Add Security Audits badge to README linking to DEV_STATUS.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions Bot added this to the v3.1.0 milestone Mar 5, 2026
coderabbitai Bot (Contributor) commented Mar 5, 2026

Warning

Rate limit exceeded

@thepastaclaw has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 27 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1574f501-5a15-4b1d-97e2-692074eb7b1e

📥 Commits

Reviewing files that changed from the base of the PR and between a669991 and a331f68.

📒 Files selected for processing (7)
  • .github/workflows/security-audit-js-codeql.yml
  • .github/workflows/security-audit-js-npm.yml
  • .github/workflows/security-audit-rust.yml
  • .github/workflows/security-audit-status.yml
  • .github/workflows/tests.yml
  • DEV_STATUS.md
  • README.md
📝 Walkthrough

This pull request refactors CI/CD workflows by extracting security audit jobs from the main tests workflow into three dedicated, scheduled security audit workflows (Rust, JS NPM, JS CodeQL). A new aggregation workflow monitors completion of all audits and reports status. Documentation is added to track security audit health.

Changes

Cohort / File(s) and Summary

Security Audit Workflows (.github/workflows/security-audit-js-codeql.yml, .github/workflows/security-audit-js-npm.yml, .github/workflows/security-audit-rust.yml): Three new GitHub Actions workflows that schedule daily security audits at 23:30 UTC with manual dispatch triggers. Each audits a different dependency type: JS CodeQL analysis, NPM packages, and Rust crates.

Security Audit Status Aggregation (.github/workflows/security-audit-status.yml): New workflow that triggers after the three security audits complete, queries each audit's latest run result via GitHub API, and fails if any audit did not pass.

Workflow Maintenance (.github/workflows/tests.yml): Removed three security audit jobs (rs-crates-security, js-npm-security, js-codeql) that are now in dedicated workflows.

Documentation (DEV_STATUS.md, README.md): Added new DEV_STATUS.md file documenting security audits and CI checks with status badges; linked from README.md under GitHub CI Status section.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Three audit workflows hop and run,
Security checks beneath the sun,
A status watcher guards the gate,
Ensuring all dependencies are great!
Documentation shines so bright—
The Dash Platform burns secure tonight! 🔐


QuantumExplorer and others added 3 commits March 5, 2026 18:41
Better timing for team members in Asia.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…badges

- Split single security-audits.yml into 3 workflows:
  - security-audit-rust.yml
  - security-audit-js-npm.yml
  - security-audit-js-codeql.yml
- Each workflow gets its own badge in DEV_STATUS.md
- Remove unnecessary sccache setup from Rust audit (cargo audit
  only parses Cargo.lock, no compilation occurs)
- Use static shields.io badge in README linking to DEV_STATUS.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wrapper workflow triggers on completion of any security audit and
checks the latest run of all three. Fails if any audit is not passing,
giving a single accurate badge for the README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@QuantumExplorer QuantumExplorer merged commit 19989a7 into v3.1-dev Mar 5, 2026
23 checks passed
@QuantumExplorer QuantumExplorer deleted the ci/nightly-security-audits branch March 5, 2026 12:22
thepastaclaw (Collaborator) commented:

@coderabbitai review

coderabbitai Bot (Contributor) commented Mar 6, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

thepastaclaw (Collaborator) commented:

@coderabbitai review

coderabbitai Bot (Contributor) commented Mar 6, 2026
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
