chore: harden repository security

[peixl]

Summary

• harden .gitignore so env files, Cloudflare local vars, and common secret files are ignored by default
• add a dedicated security workflow for dependency review, npm audit, gitleaks secret scanning, and CodeQL
• add Dependabot for npm and GitHub Actions updates
• add a public SECURITY.md policy for disclosure and secret handling
• patch the PostCSS advisory by overriding to 8.5.14

Validation

• npm audit --omit=dev --audit-level=high
• npm run build
• verified .env.example and .dev.vars.example remain trackable while secret variants are ignored

Summary by CodeRabbit

• Chores
  • Configured Dependabot for automated weekly dependency updates with intelligent package grouping for frameworks and tooling.
  • Implemented comprehensive security scanning workflows including CodeQL analysis, npm audit, secret detection, and pull request dependency reviews.
  • Added security policy documentation detailing vulnerability reporting procedures, supported versions, and security practices.
  • Enhanced gitignore configuration for better local environment and secrets file handling.

[coderabbitai]

📝 Walkthrough

Walkthrough

PR adds comprehensive security infrastructure: Dependabot configuration for automated npm and GitHub Actions updates with package grouping, new security workflow running dependency review, npm audit, secret scanning, and CodeQL analysis, improved .gitignore for environment/secrets files, postcss version pinning, CI credential hardening, and SECURITY.md policy documentation.

Changes

Security Infrastructure and Dependency Management Setup

Layer / File(s)	Summary
Dependency Management Configuration .github/dependabot.yml, package.json	Dependabot configured for weekly npm and GitHub Actions updates with package grouping rules for Next/React and tooling. Postcss pinned to 8.5.14 via overrides and devDependencies.
Environment and Secrets File Handling .gitignore	Consolidated local environment file exclusions for .env, .dev.vars, .envrc, .direnv/, and secret files, with selective exceptions for example files.
Automated Security Checks Workflow .github/workflows/security.yml	New security workflow with four parallel jobs: dependency-review (PRs only, high severity), npm audit (high severity), gitleaks secret scanning (full history), and CodeQL analysis for JavaScript/TypeScript. Triggered on-demand, PRs to main, pushes to main, and weekly schedule.
CI Credential Hardening .github/workflows/ci.yml	CI workflow checkout step updated with persist-credentials: false to reduce credential exposure.
Security Policy Documentation SECURITY.md	Security policy document defining supported versions (latest main), private vulnerability reporting process, secret-handling guidelines, and baseline security practices.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Dependencies dance with Dependabot's care,
Security checks scan the code everywhere,
Secrets locked tight in our gitignore nest,
CodeQL and gitleaks put safety to test,
A policy penned for protection most fair! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: harden repository security' accurately summarizes the main objective of the pull request, which encompasses security hardening measures including security workflows, Dependabot configuration, gitignore updates, and SECURITY.md documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security-hardening

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	codex-getting-started-tutorial	c436dd1	Commit Preview URL Branch Preview URL	May 10 2026, 11:31 AM

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/dependabot.yml:
- Line 21: Dependabot config uses unquoted scalars starting with @ (e.g.,
`@types/`*) which breaks YAML parsing; update the list entries that begin with @
to be quoted (for example change `@types/`* to "@types/*") so the YAML parser
accepts those patterns—locate the entries under the package update patterns (the
array containing `@types/`*) and wrap any `@-prefixed` strings in quotes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c23497c6-d528-4d2a-8628-4888f277a73d

📥 Commits

Reviewing files that changed from the base of the PR and between ae2c267 and fdde591.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (6)

• .github/dependabot.yml
• .github/workflows/ci.yml
• .github/workflows/security.yml
• .gitignore
• SECURITY.md
• package.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

dep_file="$(fd -a '^dependabot\.yml$' .github | head -n1)"
echo "Validating: ${dep_file}"

python - <<'PY' "$dep_file"
import sys, pathlib
p = pathlib.Path(sys.argv[1])
text = p.read_text(encoding="utf-8")
try:
    import yaml
except Exception:
    raise SystemExit("PyYAML missing. Install with: pip install pyyaml")
try:
    yaml.safe_load(text)
    print("YAML parse OK")
except Exception as e:
    print("YAML parse FAILED:")
    print(e)
    raise SystemExit(1)
PY

Repository: peixl/Codex-Getting-Started-Tutorial

Length of output: 323

---

Quote @-prefixed Dependabot patterns to fix YAML parse failure.

Lines 21 and 26 use unquoted scalars starting with @, which is invalid YAML. The parser fails with "found character '@' that cannot start any token" and prevents Dependabot from loading the config.

Suggested fix

       tooling:
         patterns:
           - eslint*
           - typescript
-          - `@types/`*
+          - "@types/*"
           - tailwindcss
           - postcss
           - autoprefixer
           - wrangler
-          - `@opennextjs/`*
+          - "@opennextjs/*"

🧰 Tools

🪛 YAMLlint (1.38.0)

[error] 21-21: syntax error: found character '@' that cannot start any token

(syntax)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/dependabot.yml at line 21, Dependabot config uses unquoted scalars
starting with @ (e.g., `@types/`*) which breaks YAML parsing; update the list
entries that begin with @ to be quoted (for example change `@types/`* to
"@types/*") so the YAML parser accepts those patterns—locate the entries under
the package update patterns (the array containing `@types/`*) and wrap any
`@-prefixed` strings in quotes.

[Copilot]

Pull request overview

Hardens the repository’s security posture by reducing the chance of secret leakage, adding automated security checks in CI, and ensuring a vulnerable PostCSS version is not used.

Changes:

• Tighten .gitignore to ignore common secret/env file variants while keeping example templates trackable.
• Add a dedicated Security GitHub Actions workflow (dependency review, npm audit, gitleaks, CodeQL) and add Dependabot configuration.
• Patch the PostCSS advisory by upgrading and enforcing postcss@8.5.14 via package.json and lockfile updates, plus an npm overrides guard.

Reviewed changes

Copilot reviewed 5 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
SECURITY.md	Adds a public security policy with reporting guidance and secret-handling expectations.
package.json	Pins PostCSS to 8.5.14 and adds an npm overrides entry to enforce it transitively.
package-lock.json	Updates the lockfile to resolve PostCSS to 8.5.14 (including transitive resolution effects).
.gitignore	Ignores .env*, .dev.vars*, and other common secret files while explicitly allowing *.example templates.
.github/workflows/security.yml	Introduces scheduled + PR/push security automation (dependency review, audit, secret scan, CodeQL).
.github/workflows/ci.yml	Hardens checkout configuration by disabling persisted credentials.
.github/dependabot.yml	Enables weekly Dependabot updates for npm and GitHub Actions, with grouping/labeling.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fdde591208

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass GITLEAKS_LICENSE to gitleaks-action

This secret-scan job will fail in organization-owned repositories because gitleaks/gitleaks-action@v2 requires a GITLEAKS_LICENSE environment variable in that context; only GITHUB_TOKEN is currently provided. In org repos this turns the new security workflow red on every run (PR/push/schedule), which can block merges if required checks are enabled.

Useful? React with 👍 / 👎.