Merge pull request #25 from speee/ci/add-security-scanning

takaokouji · web-flow · commit 29ec8d3cdff0 · 2026-01-21T23:36:13.000+09:00
Add security scanning and Dependabot configuration
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    groups:
+      development-dependencies:
+        dependency-type: "development"
+      production-dependencies:
+        dependency-type: "production"
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "ci"
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+name: Security
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: ['**']
+  schedule:
+    - cron: '0 0 * * 1'  # Every Monday at 00:00 UTC
+
+jobs:
+  bundle-audit:
+    name: Bundle Audit (Dependency Check)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Install bundle-audit
+        run: gem install bundler-audit
+      - name: Update vulnerability database
+        run: bundle-audit update
+      - name: Run bundle-audit
+        run: bundle-audit check
