d-oit
diff --git a/‎.github/branch-protection-config.json‎
Lines changed: 90 additions & 53 deletions b/‎.github/branch-protection-config.json‎
Lines changed: 90 additions & 53 deletions
diff --git a/‎.github/workflows/security-consolidated.yml‎
Lines changed: 59 additions & 42 deletions b/‎.github/workflows/security-consolidated.yml‎
Lines changed: 59 additions & 42 deletions
@@ -1,59 +1,96 @@
 {
-  "main": {
-    "required_status_checks": {
-      "strict": true,
-      "contexts": [
-        "Test (ubuntu-latest, stable)",
-        "Test (windows-latest, stable)", 
-        "Test (macos-latest, stable)",
-        "Coverage",
-        "Security Audit",
-        "Performance Benchmark",
-        "CodeQL / Analyze (rust)",
-        "CodeQL / Analyze (javascript)",
-        "Lint",
-        "Build"
-      ]
+  "name": "main-protection",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["refs/heads/main"],
+      "exclude": []
+    }
+  },
+  "rules": [
+    {
+      "type": "deletion"
     },
-    "enforce_admins": true,
-    "required_pull_request_reviews": {
-      "required_approving_review_count": 1,
-      "dismiss_stale_reviews": true,
-      "require_code_owner_reviews": true,
-      "require_last_push_approval": false
+    {
+      "type": "non_fast_forward"
     },
-    "restrictions": null,
-    "allow_force_pushes": false,
-    "allow_deletions": false,
-    "block_creations": false,
-    "required_conversation_resolution": true,
-    "lock_branch": false,
-    "allow_fork_syncing": true
-  },
-  "develop": {
-    "required_status_checks": {
-      "strict": true,
-      "contexts": [
-        "Test (ubuntu-latest, stable)",
-        "Coverage",
-        "Security Audit",
-        "Lint",
-        "Build"
-      ]
+    {
+      "type": "required_linear_history"
+    },
+    {
+      "type": "required_signatures"
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 0,
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_review": true,
+        "require_last_push_approval": true,
+        "required_review_thread_resolution": true
+      }
     },
-    "enforce_admins": false,
-    "required_pull_request_reviews": {
-      "required_approving_review_count": 1,
-      "dismiss_stale_reviews": true,
-      "require_code_owner_reviews": false,
-      "require_last_push_approval": false
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "strict_required_status_checks_policy": true,
+        "required_status_checks": [
+          {
+            "context": "Test (ubuntu-latest, stable)",
+            "integration_id": null
+          },
+          {
+            "context": "Test (windows-latest, stable)",
+            "integration_id": null
+          },
+          {
+            "context": "Test (macos-latest, stable)",
+            "integration_id": null
+          },
+          {
+            "context": "Coverage",
+            "integration_id": null
+          },
+          {
+            "context": "Security Audit",
+            "integration_id": null
+          },
+          {
+            "context": "Performance Benchmark",
+            "integration_id": null
+          },
+          {
+            "context": "CodeQL / Analyze (rust)",
+            "integration_id": null
+          },
+          {
+            "context": "CodeQL / Analyze (javascript)",
+            "integration_id": null
+          },
+          {
+            "context": "Lint",
+            "integration_id": null
+          },
+          {
+            "context": "Build",
+            "integration_id": null
+          }
+        ]
+      }
     },
-    "restrictions": null,
-    "allow_force_pushes": false,
-    "allow_deletions": false,
-    "block_creations": false,
-    "required_conversation_resolution": true,
-    "lock_branch": false,
-    "allow_fork_syncing": true
-  }
+    {
+      "type": "required_deployments",
+      "parameters": {
+        "required_deployment_environments": []
+      }
+    }
+  ],
+  "bypass_actors": [
+    {
+      "actor_id": 5,
+      "actor_type": "RepositoryRole",
+      "bypass_mode": "pull_request"
+    }
+  ]
 }
@@ -40,22 +40,28 @@ env:
   CARGO_TERM_COLOR: always
   SCCACHE_GHA_ENABLED: "false"
   # Disable sccache due to service instability
+  SECURITY_LEVEL: ${{ github.event.inputs.security_level || 'standard' }}
+  CREATE_ISSUE_ON_FAILURE: ${{ github.event.inputs.create_issue_on_failure || true }}
 
 jobs:
   # Dependency and vulnerability scanning
   vulnerability-scan:
     name: Vulnerability & Dependency Scan
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
+    - uses: actions/checkout@v4
+      timeout-minutes: 5
 
     - name: Setup Rust
       uses: ./.github/actions/setup-rust
+      timeout-minutes: 5
       with:
         toolchain: stable
 
     - name: Setup Cache
       uses: ./.github/actions/setup-cache
+      timeout-minutes: 5
       with:
         cache-key-suffix: security
 
@@ -85,7 +91,7 @@ jobs:
       run: |
         cargo license --json > licenses.json
         echo "## 📄 License Report" >> $GITHUB_STEP_SUMMARY
-        if grep -q "GPL" licenses.json; then
+        if jq -e '[.[] | select(.license | contains("GPL"))] | length > 0' licenses.json; then
           echo "::warning::GPL licensed dependencies found"
           echo "⚠️ GPL dependencies detected - review for compliance" >> $GITHUB_STEP_SUMMARY
         else
@@ -94,6 +100,7 @@ jobs:
 
     - name: Upload vulnerability reports
       uses: actions/upload-artifact@v4
+      timeout-minutes: 5
       with:
         name: vulnerability-reports
         path: |
@@ -105,17 +112,21 @@ jobs:
   code-security:
     name: Code Security Analysis
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
+    - uses: actions/checkout@v4
+      timeout-minutes: 5
 
     - name: Setup Rust
       uses: ./.github/actions/setup-rust
+      timeout-minutes: 5
       with:
         toolchain: stable
         components: clippy
 
     - name: Setup Cache
       uses: ./.github/actions/setup-cache
+      timeout-minutes: 5
 
     - name: Security-focused clippy
       run: |
@@ -144,7 +155,7 @@ jobs:
           2>&1 | tee clippy-security.log
 
     - name: Enhanced security checks (if strict mode)
-      if: inputs.security_level == 'strict'
+      if: env.SECURITY_LEVEL == 'strict'
       run: |
         echo "Running enhanced security analysis..."
         # Additional strict checks for production
@@ -157,6 +168,7 @@ jobs:
 
     - name: Upload security analysis
       uses: actions/upload-artifact@v4
+      timeout-minutes: 5
       with:
         name: code-security-analysis
         path: clippy-security.log
@@ -165,16 +177,22 @@ jobs:
   secrets-scan:
     name: Secrets Detection
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
+    - uses: actions/checkout@v4
+      timeout-minutes: 5
 
     - name: Scan for secrets with Gitleaks
-      uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
+      uses: gitleaks/gitleaks-action@v2
+      timeout-minutes: 5
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: .gitleaks.toml
+        GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
 
     - name: TruffleHog OSS scan
-      uses: trufflesecurity/trufflehog@ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690
+      uses: trufflesecurity/[email protected]
+      timeout-minutes: 5
       with:
         path: ./
         base: main
@@ -185,11 +203,13 @@ jobs:
   security-summary:
     name: Security Summary & Reporting
     runs-on: ubuntu-latest
+    timeout-minutes: 5
     needs: [vulnerability-scan, code-security, secrets-scan]
     if: always()
     steps:
     - name: Download all reports
       uses: actions/download-artifact@v4
+      timeout-minutes: 5
 
     - name: Compile security summary
       run: |
@@ -217,43 +237,40 @@ jobs:
         fi
 
     - name: Create security incident issue
-      if: |
-        (failure() || needs.vulnerability-scan.result == 'failure' || 
-         needs.code-security.result == 'failure' || needs.secrets-scan.result == 'failure') 
-        && inputs.create_issue_on_failure == true
-      uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325
-      with:
-        script: |
-          const title = `Security Check Failed - ${new Date().toISOString().split('T')[0]}`;
-          const body = `## 🚨 Security Incident Report
-
-          **Workflow Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
-          **Branch:** ${{ github.ref_name }}
-          **Commit:** ${{ github.sha }}
+       if: (failure() || needs.vulnerability-scan.result == 'failure' || needs.code-security.result == 'failure' || needs.secrets-scan.result == 'failure') && env.CREATE_ISSUE_ON_FAILURE == 'true'
+       uses: actions/github-script@v6
+       with:
+         script: |
+           const title = `Security Check Failed - Run #${{ github.run_number }}`;
+           const body = `
+           **Workflow Run:** [#${{ github.run_number }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})
+           **Branch:** ${{ github.ref_name }}
+           **Commit:** ${{ github.sha }}
 
-          ### Failed Checks
-          - Vulnerability Scan: ${{ needs.vulnerability-scan.result }}
-          - Code Security: ${{ needs.code-security.result }}  
-          - Secrets Scan: ${{ needs.secrets-scan.result }}
+           ### Failed Checks
+           - Vulnerability Scan: ${{ needs.vulnerability-scan.result }}
+           - Code Security: ${{ needs.code-security.result }}
+           - Secrets Scan: ${{ needs.secrets-scan.result }}
 
-          ### Next Steps
-          1. Review the workflow run details and artifacts
-          2. Address identified security issues
-          3. Re-run security checks after fixes
-          4. Close this issue once resolved
+           ### Next Steps
+           1. Review the workflow run details and artifacts
+           2. Address identified security issues
+           3. Re-run security checks after fixes
+           4. Close this issue once resolved
 
-          ### Security Thresholds
-          - Critical/High vulnerabilities: 0 allowed
-          - Exposed secrets: 0 allowed
-          - Security-related clippy errors: 0 allowed
+           ### Security Thresholds
+           - Critical/High vulnerabilities: 0 allowed
+           - Exposed secrets: 0 allowed
+           - Security-related clippy errors: 0 allowed
 
-          ---
-          *This issue was auto-generated by the security workflow.*`;
+           ---
+           *This issue was auto-generated by the security workflow.*
+           `;
 
-          await github.rest.issues.create({
-            owner: context.repo.owner,
-            repo: context.repo.repo,
-            title: title,
-            body: body,
-            labels: ['security', 'incident', 'automated']
-          });
+           await github.rest.issues.create({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             title: title,
+             body: body,
+             labels: ['security', 'incident', 'automated']
+           });