Add actions and security workflows #8265
Conversation
Unified gsplat rendering - changes to sorter job scheduling (playcanvas#7864)
Signed-off-by: JaclynCodes <[email protected]>
Added a security policy document outlining supported versions and vulnerability reporting. Signed-off-by: JaclynCodes <[email protected]>
Pull request overview
This PR adds security infrastructure to the PlayCanvas Engine repository by introducing automated CodeQL security scanning and a security policy document. However, the SECURITY.md file requires customization to be effective.
- Added a CodeQL GitHub Actions workflow for automated security scanning of JavaScript/TypeScript code
- Added a SECURITY.md file (currently contains template placeholder text that needs customization)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/codeql.yml | Adds CodeQL Advanced workflow for automated security scanning with JavaScript/TypeScript and Actions language support, configured to run on pushes, pull requests, and weekly schedule |
| SECURITY.md | Introduces security policy template (requires customization with actual version numbers and vulnerability reporting instructions) |
| # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 |
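Review bot: `uses: actions/checkout@v4` references a mutable tag; besides moving to the `v5` used by the repository's other workflows, consider pinning the action to the full-length commit SHA of the release (keeping the version tag in a trailing comment) so that a moved or tampered tag cannot change what the scanning job executes.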
Copilot (AI), Dec 19, 2025
This workflow uses actions/checkout@v4, but other workflows in the repository (ci.yml, beta.yaml) use actions/checkout@v5. For consistency and to ensure the latest features and security updates, this should be updated to v5 to match the rest of the codebase.
SECURITY.md
Outdated
| Use this section to tell people about which versions of your project are | ||
| currently being supported with security updates. |
Copilot (AI), Dec 19, 2025
The SECURITY.md file contains placeholder/template text that should be replaced with actual instructions. Lines 5-6 and 17-21 contain generic placeholder text ("Use this section to tell people...") that doesn't provide actionable information for users trying to report security vulnerabilities or understand the security policy.
Co-authored-by: Copilot <[email protected]>
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
This pull request introduces two new files to improve project security and code quality. A GitHub Actions workflow for CodeQL analysis is added to automate code scanning for vulnerabilities, and a security policy document is provided to clarify supported versions and the process for reporting security issues.
Security and Code Quality Automation
.github/workflows/codeql.yml: workflow to enable automated CodeQL analysis for JavaScript/TypeScript and Actions code on pushes, pull requests, and a weekly schedule. This helps identify vulnerabilities and maintain code quality.

Security Policy Documentation
SECURITY.md: file outlining supported versions for security updates and instructions for reporting vulnerabilities, improving transparency and guidance for users and contributors.

Description
Brief description of what this PR does.
Fixes #
Checklist
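For reference, a CodeQL workflow matching the triggers and languages this PR describes (JavaScript/TypeScript and Actions, on push, pull request and a weekly schedule), written here as an added example rather than the PR's own codeql.yml. The `main` branch filter, the cron time and the `security-and-quality` query suite are assumptions; the `permissions` block restricts the job token to what SARIF upload needs.

```yaml
name: "CodeQL Advanced"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 3 * * 1"  # weekly run; the day and time are assumptions

# Least privilege: the job only needs to read the repository and upload SARIF results.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            build-mode: none
          - language: actions  # scans the workflow files themselves
            build-mode: none
    steps:
      - name: Checkout repository
        # Same major version as the repository's other workflows; for a stronger
        # supply-chain guarantee pin to the release's full commit SHA instead of the tag.
        uses: actions/checkout@v5

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
          # Assumption: the broader query suite is wanted; omit to keep the default suite.
          queries: security-and-quality

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Results appear under the repository's code scanning alerts; on pull requests from forks the token is read-only, so the upload step is expected to be skipped or fail there.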