chore: harden repository security

Author: peixl

.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - security
+    groups:
+      next-stack:
+        patterns:
+          - next
+          - react
+          - react-dom
+      tooling:
+        patterns:
+          - eslint*
+          - typescript
+          - @types/*
+          - tailwindcss
+          - postcss
+          - autoprefixer
+          - wrangler
+          - @opennextjs/*
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - security

.github/workflows/ci.yml

@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

.github/workflows/security.yml

@@ -0,0 +1,109 @@
+name: Security
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    - cron: '23 4 * * 1'
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+concurrency:
+  group: security-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  dependency-review:
+    name: Dependency review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+
+  audit:
+    name: npm audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Audit production dependencies
+        run: npm audit --omit=dev --audit-level=high
+
+  secret-scan:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Scan for secrets
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_ENABLE_COMMENTS: false
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+          - javascript-typescript
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: none
+
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@v3

.gitignore

@@ -19,7 +19,6 @@
 /.open-next/
 /.wrangler/
 /.mf/
-.dev.vars
 
 # misc
 .DS_Store
@@ -32,9 +31,18 @@ yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 
-# local env files
-.env*.local
+# local env files and secrets
 .env
+.env.*
+!.env.example
+!.env*.example
+.dev.vars
+.dev.vars.*
+!.dev.vars.example
+.envrc
+.direnv/
+secrets.json
+*.secrets.json
 
 # vercel
 .vercel

SECURITY.md

@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+This project currently supports security fixes on the latest state of the `main` branch.
+
+## Reporting a Vulnerability
+
+Please do not open a public issue for security reports, leaked secrets, or deployment credentials.
+
+Instead, use one of these channels:
+
+1. GitHub security advisory reporting for this repository, if available.
+2. A private direct contact channel with the maintainer.
+
+When reporting, include:
+
+- a short summary of the issue
+- affected files, routes, or workflows
+- reproduction steps or proof of concept
+- impact assessment
+- any suggested remediation
+
+## Secret Handling
+
+- Never commit `.env*`, `.dev.vars*`, `secrets.json`, private keys, or cloud credentials.
+- Use GitHub Actions secrets, Cloudflare dashboard secrets, or `wrangler secret put` for production secrets.
+- Rotate exposed secrets immediately, then remove them from the repository history if they were ever committed.
+
+## Project Security Baseline
+
+- Branch protection on `main`
+- Build validation in CI
+- Dependency review on pull requests
+- Production dependency audit in CI
+- Secret scanning in CI
+- CodeQL static analysis
+- Dependabot updates for npm and GitHub Actions

package-lock.json

@@ -14,6 +14,9 @@
     "preview": "npm run build && opennextjs-cloudflare preview",
     "cf-typegen": "wrangler types"
   },
+  "overrides": {
+    "postcss": "8.5.14"
+  },
   "dependencies": {
     "clsx": "2.1.1",
     "next": "^15.5.18",
@@ -29,7 +32,7 @@
     "autoprefixer": "10.4.20",
     "eslint": "9.17.0",
     "eslint-config-next": "^15.5.18",
-    "postcss": "8.4.49",
+    "postcss": "8.5.14",
     "tailwindcss": "3.4.17",
     "typescript": "5.7.2",
     "wrangler": "^4.86.0"