jaypatrick · jaypatrick · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -1,13 +1,12 @@
-# This workflow will build a .NET project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
+# This workflow will build and test .NET projects
 
 name: .NET
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 jobs:
   build-api-client:
@@ -18,14 +17,34 @@ jobs:
         working-directory: ./src/adguard-api-dotnet
 
     steps:
-    - uses: actions/checkout@v4
-    - name: Setup .NET
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: 10.0.x
-    - name: Restore dependencies
-      run: dotnet restore AdGuard.ApiClient.slnx
-    - name: Build
-      run: dotnet build AdGuard.ApiClient.slnx --no-restore
-    - name: Test
-      run: dotnet test AdGuard.ApiClient.slnx --no-build --verbosity normal
+      - uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: Restore dependencies
+        run: dotnet restore AdGuard.ApiClient.slnx
+      - name: Build
+        run: dotnet build AdGuard.ApiClient.slnx --no-restore
+      - name: Test
+        run: dotnet test AdGuard.ApiClient.slnx --no-build --verbosity normal
+
+  build-rules-compiler:
+    name: Build Rules Compiler
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./src/rules-compiler-dotnet
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: Restore dependencies
+        run: dotnet restore RulesCompiler.slnx
+      - name: Build
+        run: dotnet build RulesCompiler.slnx --no-restore
+      - name: Test
+        run: dotnet test RulesCompiler.slnx --no-build --verbosity normal
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,90 @@
+# Consolidated security scanning workflow
+# Combines CodeQL, DevSkim, and PSScriptAnalyzer
+
+name: Security
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+  schedule:
+    - cron: "28 16 * * 6" # Weekly on Saturday
+
+permissions:
+  contents: read
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["csharp", "javascript"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+
+  devskim:
+    name: DevSkim Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run DevSkim scanner
+        uses: microsoft/DevSkim-Action@v1
+
+      - name: Upload DevSkim scan results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: devskim-results.sarif
+
+  psscriptanalyzer:
+    name: PSScriptAnalyzer
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run PSScriptAnalyzer
+        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
+        with:
+          path: .\
+          recurse: true
+          includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
+          output: results.sarif
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -420,14 +420,13 @@ RemoveComments, Compress, RemoveModifiers, Validate, ValidateAllowIp, Deduplicat
 ## CI/CD Alignment
 
 GitHub Actions workflows validate:
-- `.github/workflows/dotnet.yml` - Builds/tests .NET projects with .NET 8
-- `.github/workflows/typescript.yml` - Node 20, tsc --noEmit, eslint for rules-compiler-typescript
+- `.github/workflows/dotnet.yml` - Builds/tests .NET projects (API client and rules compiler) with .NET 10
+- `.github/workflows/typescript.yml` - Node 20, tsc --noEmit, eslint for rules-compiler-typescript and website
 - `.github/workflows/gatsby.yml` - Builds website and deploys to GitHub Pages
-- `.github/workflows/powershell.yml` - PSScriptAnalyzer on PowerShell scripts
-- `.github/workflows/codeql.yml` - CodeQL security scanning
-- `.github/workflows/devskim.yml` - DevSkim security analysis
-- `.github/workflows/claude.yml` - Claude AI integration
-- `.github/workflows/claude-code-review.yml` - Automated code review
+- `.github/workflows/security.yml` - Consolidated security scanning (CodeQL, DevSkim, PSScriptAnalyzer)
+- `.github/workflows/release.yml` - Builds and publishes release binaries (.NET, Rust, Python)
+- `.github/workflows/claude.yml` - Claude AI integration for @claude mentions
+- `.github/workflows/claude-code-review.yml` - Automated PR code review
 
 ## Prerequisites