From fdde591208ea678c3298a2f80e8a47a06c6c5363 Mon Sep 17 00:00:00 2001
From: peixl
Date: Sun, 10 May 2026 19:28:48 +0800
Subject: [PATCH 1/2] chore: harden repository security
---
 .github/dependabot.yml | 35 +++++++++++
 .github/workflows/ci.yml | 2 +
 .github/workflows/security.yml | 109 +++++++++++++++++++++++++++++++++
 .gitignore | 14 ++++-
 SECURITY.md | 38 ++++++++++++
 package-lock.json | 39 ++----------
 package.json | 5 +-
 7 files changed, 204 insertions(+), 38 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/security.yml
 create mode 100644 SECURITY.md
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..51ea991
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,35 @@
+version: 2
+updates:
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - security
+ groups:
+ next-stack:
+ patterns:
+ - next
+ - react
+ - react-dom
+ tooling:
+ patterns:
+ - eslint*
+ - typescript
+ - @types/*
+ - tailwindcss
+ - postcss
+ - autoprefixer
+ - wrangler
+ - @opennextjs/*
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - security
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9e75915..70e6b91 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 
 - name: Setup Node.js
 uses: actions/setup-node@v4
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..30623b5
--- /dev/null
+++ b/.github/workflows/security.yml
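Review bot: The two group patterns `- @types/*` and `- @opennextjs/*` in the new dependabot.yml start a plain scalar with `@`, which YAML reserves and libyaml-based parsers reject ("cannot start any token"), so the whole file fails to parse and neither the npm nor the github-actions update entry takes effect. Quote both entries: `- "@types/*"` and `- "@opennextjs/*"`. The `eslint*` pattern is fine as written, since `*` is only an alias sigil at the start of a scalar. The collapsed hunk has lost its indentation, so the nesting of `groups` under the npm entry cannot be verified from here.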
@@ -0,0 +1,109 @@
+name: Security
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: '23 4 * * 1'
+
+permissions:
+ contents: read
+
+env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+concurrency:
+ group: security-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ dependency-review:
+ name: Dependency review
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Dependency review
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: high
+
+ audit:
+ name: npm audit
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: 22
+ cache: npm
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Audit production dependencies
+ run: npm audit --omit=dev --audit-level=high
+
+ secret-scan:
+ name: Secret scan
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Scan for secrets
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_COMMENTS: false
+
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language:
+ - javascript-typescript
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: none
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
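Review bot: Every `uses:` in the new security.yml is pinned to a mutable major tag (`actions/checkout@v4`, `actions/dependency-review-action@v4`, `gitleaks/gitleaks-action@v2`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`), so a workflow introduced to harden the repository still executes whatever those tags point to on the day it runs. For the third-party `gitleaks/gitleaks-action@v2` in the secret-scan job in particular, pin a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: gitleaks/gitleaks-action@<full 40-hex commit SHA> # v2`, so the job runs a fixed, reviewed revision; the first-party actions benefit from the same treatment. The github-actions Dependabot entry added in this same series keeps SHA pins current and refreshes the version comment, so pinning does not cost update tracking. The `persist-credentials: false` additions in ci.yml (earlier in this patch) have the same tag-pinned `actions/checkout@v4` above them.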
diff --git a/.gitignore b/.gitignore
index f232c5e..bc6ab5a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,7 +19,6 @@
 /.open-next/
 /.wrangler/
 /.mf/
-.dev.vars
 
 # misc
 .DS_Store
@@ -32,9 +31,18 @@ yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 
-# local env files
-.env*.local
+# local env files and secrets
 .env
+.env.*
+!.env.example
+!.env*.example
+.dev.vars
+.dev.vars.*
+!.dev.vars.example
+.envrc
+.direnv/
+secrets.json
+*.secrets.json
 
 # vercel
 .vercel
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..e056c52
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Supported Versions
+
+This project currently supports security fixes on the latest state of the `main` branch.
+
+## Reporting a Vulnerability
+
+Please do not open a public issue for security reports, leaked secrets, or deployment credentials.
+
+Instead, use one of these channels:
+
+1. GitHub security advisory reporting for this repository, if available.
+2. A private direct contact channel with the maintainer.
+
+When reporting, include:
+
+- a short summary of the issue
+- affected files, routes, or workflows
+- reproduction steps or proof of concept
+- impact assessment
+- any suggested remediation
+
+## Secret Handling
+
+- Never commit `.env*`, `.dev.vars*`, `secrets.json`, private keys, or cloud credentials.
+- Use GitHub Actions secrets, Cloudflare dashboard secrets, or `wrangler secret put` for production secrets.
+- Rotate exposed secrets immediately, then remove them from the repository history if they were ever committed.
+
+## Project Security Baseline
+
+- Branch protection on `main`
+- Build validation in CI
+- Dependency review on pull requests
+- Production dependency audit in CI
+- Secret scanning in CI
+- CodeQL static analysis
+- Dependabot updates for npm and GitHub Actions
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
index dce7174..037e9aa 100644
--- a/package-lock.json
+++ b/package-lock.json
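Review bot: In the second .gitignore hunk the negation `!.env.example` is fully subsumed by `!.env*.example` on the following line, since a gitignore `*` also matches the empty string, so one of the two rules can be dropped and readers have one exception to check instead of two. Keeping only `!.env*.example` preserves exactly the same set of re-included files. The rest of the hunk matches the file list given in the new `Secret Handling` section of SECURITY.md.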
@@ -23,7 +23,7 @@
 "autoprefixer": "10.4.20",
 "eslint": "9.17.0",
 "eslint-config-next": "^15.5.18",
- "postcss": "8.4.49",
+ "postcss": "8.5.14",
 "tailwindcss": "3.4.17",
 "typescript": "5.7.2",
 "wrangler": "^4.86.0"
@@ -8878,34 +8878,6 @@
 }
 }
 },
- "node_modules/next/node_modules/postcss": {
- "version": "8.4.31",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz",
- "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==",
- "funding": [
- {
- "type": "opencollective",
- "url": "https://opencollective.com/postcss/"
- },
- {
- "type": "tidelift",
- "url": "https://tidelift.com/funding/github/npm/postcss"
- },
- {
- "type": "github",
- "url": "https://github.com/sponsors/ai"
- }
- ],
- "license": "MIT",
- "dependencies": {
- "nanoid": "^3.3.6",
- "picocolors": "^1.0.0",
- "source-map-js": "^1.0.2"
- },
- "engines": {
- "node": "^10 || ^12 || >=14"
- }
- },
 "node_modules/node-domexception": {
 "version": "1.0.0",
 "resolved": "https://registry.npmjs.org/node-domexception/-/node-domexception-1.0.0.tgz",
@@ -9428,10 +9400,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.4.49",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.49.tgz",
- "integrity": "sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==",
- "dev": true,
+ "version": "8.5.14",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.14.tgz",
+ "integrity": "sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==",
 "funding": [
 {
 "type": "opencollective",
@@ -9448,7 +9419,7 @@
 ],
 "license": "MIT",
 "dependencies": {
- "nanoid": "^3.3.7",
+ "nanoid": "^3.3.11",
 "picocolors": "^1.1.1",
 "source-map-js": "^1.2.1"
 },
@@ -14,6 +14,9 @@
 "preview": "npm run build && opennextjs-cloudflare preview",
 "cf-typegen": "wrangler types"
 },
+ "overrides": {
+ "postcss": "8.5.14"
+ },
 "dependencies": {
 "clsx": "2.1.1",
 "next": "^15.5.18",
@@ -29,7 +32,7 @@
 "autoprefixer": "10.4.20",
 "eslint": "9.17.0",
 "eslint-config-next": "^15.5.18",
- "postcss": "8.4.49",
+ "postcss": "8.5.14",
 "tailwindcss": "3.4.17",
 "typescript": "5.7.2",
 "wrangler": "^4.86.0"
From c436dd16e79ce2249fcf9749ef6d5320c1ac7970 Mon Sep 17 00:00:00 2001
From: peixl
Date: Sun, 10 May 2026 19:30:47 +0800
Subject: [PATCH 2/2] chore: rerun checks after enabling dependency graph
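Review bot: The new `overrides` entry hard-codes `"postcss": "8.5.14"` as a second copy of the devDependency pin changed in the next hunk, and npm refuses to install when a package you depend on directly has an override with a different spec, so the next Dependabot bump of the devDependency (which, as far as I know, leaves `overrides` untouched) would break `npm ci` until both lines are edited together. Reference the root spec instead, `"postcss": "$postcss"`, so the override always follows the devDependency and only the transitive copies are forced onto it. The removed `node_modules/next/node_modules/postcss` entry at 8.4.31 in package-lock.json shows that forcing the transitive copy is the intent, and the `$postcss` form keeps that working.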