
feat: add action and ci #1

Merged
lhoupert merged 5 commits into main from feat--add-action-and-ci
Apr 24, 2026

Conversation

@lhoupert (Contributor) commented Apr 3, 2026

Summary

Introduces security-action, a composite GitHub Action that gives any Development Seed repository default security scanning with a single uses: line.

What's included

action.yml — composite action

Four independent scanners, each running with continue-on-error: true. A final aggregation step fails the job if any enabled scanner reports issues.

| Scanner | Default | What it checks |
|---|---|---|
| zizmor | ON | GitHub Actions workflow security |
| osv-scanner | ON | Dependency vulnerabilities (SARIF → Code Scanning) |
| bandit + pip-audit | OFF | Python-specific security (opt-in) |
| OSSF Scorecard | OFF | Repository security posture (opt-in) |

.github/workflows/ci.yml

Self-hosted CI: the action runs against itself on every push/PR to main, with zizmor_persona: pedantic and Scorecard disabled (handled separately below).

.github/workflows/scorecard.yml

Dedicated Scorecard workflow triggered on push to main and weekly (Saturdays). Runs the action with only enable_scorecard: 'true' (enable_zizmor: 'false' and enable_osv: 'false') to keep the tighter id-token: write / actions: read permissions isolated from the main CI job.

.github/workflows/release-please.yml

Automated release pipeline:

  • Opens/updates a Release Please PR on every push to main
  • After a release is cut: moves the major version tag (e.g. v1) and auto-opens a PR to pin README SHA references to the new release SHA

.github/dependabot.yml

Weekly Dependabot updates for all GitHub Actions dependencies, prefixed ci:.

How to adopt

```yaml
steps:
  - uses: actions/checkout@<sha>
  - uses: developmentseed/security-action@v1
```
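
The "final aggregation step" pattern the description relies on (every scanner runs with `continue-on-error: true`, then one step fails the job if any enabled scanner reported issues) is worth seeing in working code. The script below is an added example, not code from the security-action repository; the input names (`enable_zizmor`, ...), step ids (`zizmor`, `osv`, ...) and the `ENABLE_*` / `*_OUTCOME` environment variables it reads are assumptions about how the composite action's last `run:` step would be wired. The key detail it encodes is a GitHub Actions fact: with `continue-on-error: true` a step's `steps.<id>.conclusion` is always `success`, but `steps.<id>.outcome` still holds the scanner's real result, so the aggregator must check `outcome`.

```shell
#!/bin/sh
# Added example (not the security-action's own code): the aggregation step a
# composite action can run when every scanner step uses continue-on-error: true.
# Assumed wiring in action.yml (input and step ids are hypothetical):
#   env:
#     ENABLE_ZIZMOR: ${{ inputs.enable_zizmor }}
#     ZIZMOR_OUTCOME: ${{ steps.zizmor.outcome }}
#     ENABLE_OSV: ${{ inputs.enable_osv }}
#     OSV_OUTCOME: ${{ steps.osv.outcome }}
#     ... (same pair for bandit/pip-audit and Scorecard)
# steps.<id>.conclusion is "success" for every continue-on-error step;
# steps.<id>.outcome keeps the result before continue-on-error was applied
# ("failure" when the scanner reported issues), so outcome is what we check.
set -u

# aggregate NAME:ENABLED:OUTCOME ...
# Returns 1 if any enabled scanner did not succeed (failure, skipped,
# cancelled, or anything unknown), 0 otherwise. Disabled scanners never
# count, whatever their outcome field says.
aggregate() {
  failed=0
  for entry in "$@"; do
    name=${entry%%:*}
    rest=${entry#*:}
    enabled=${rest%%:*}
    outcome=${rest#*:}
    if [ "$enabled" != "true" ]; then
      echo "::notice::$name is disabled, skipping"
      continue
    fi
    case "$outcome" in
      success)
        echo "::notice::$name passed" ;;
      failure)
        echo "::error::$name reported issues"
        failed=1 ;;
      *)
        # An enabled scanner that never produced a verdict (for example its
        # setup step failed, so the scan was skipped) must not be mistaken
        # for a clean run; treat it as a failure of the job.
        echo "::error::$name is enabled but finished with outcome '$outcome'"
        failed=1 ;;
    esac
  done
  return "$failed"
}

# Entry point for the action step. Defaults mirror the PR's table (zizmor and
# osv-scanner on, bandit/pip-audit and Scorecard off), so a stand-alone run
# with no environment set exercises the disabled-scanner path and exits 0.
aggregate \
  "zizmor:${ENABLE_ZIZMOR:-true}:${ZIZMOR_OUTCOME:-success}" \
  "osv-scanner:${ENABLE_OSV:-true}:${OSV_OUTCOME:-success}" \
  "bandit+pip-audit:${ENABLE_PYTHON:-false}:${PYTHON_OUTCOME:-skipped}" \
  "scorecard:${ENABLE_SCORECARD:-false}:${SCORECARD_OUTCOME:-skipped}"
```

The `::error::` and `::notice::` lines are GitHub workflow commands, so the failing scanner is surfaced as an annotation on the run rather than buried in the log. Treating anything other than `success` as a failure for an enabled scanner is deliberate: if a scanner was turned on but its step was skipped or cancelled, the job has no verdict for it and should not go green.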

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Review threads: 4 on .github/workflows/ci.yml and 2 on action.yml, all marked Fixed.
@lhoupert lhoupert merged commit 60e65e7 into main Apr 24, 2026
4 checks passed
