Add security CI workflows by BukeLy · Pull Request #248 · VectifyAI/PageIndex

BukeLy · 2026-04-24T16:29:03Z

Summary

Add an explicit CodeQL advanced setup workflow for Actions and Python analysis.
Add a Dependency Review workflow to gate pull requests that introduce vulnerable dependencies.
Disable CodeQL default setup so the CodeQL Action workflow can upload results without the default-setup SARIF rejection.

CodeQL runs on pull_request, push to main, and a weekly schedule, matching GitHub's guidance that PR/push scans prevent new issues and scheduled scans catch newly discovered vulnerabilities later: https://docs.github.com/en/code-security/reference/code-scanning/workflow-configuration-options#configuring-frequency
Dependency Review runs on pull_request, matching GitHub's documented PR dependency-diff gate: https://docs.github.com/en/code-security/concepts/supply-chain-security/about-dependency-review and https://github.com/actions/dependency-review-action#installation-standard
CodeQL default setup was disabled before relying on this workflow because GitHub documents that default setup blocks CodeQL Action SARIF uploads: https://docs.github.com/en/code-security/reference/code-scanning/sarif-files/troubleshoot-sarif-uploads/default-setup-enabled

Ruby YAML parser loaded all .github/workflows/*.yml successfully.
The planned PyYAML validation command could not run locally because this environment does not have the yaml Python module installed.

Add security CI workflows

dea1767

BukeLy marked this pull request as ready for review April 24, 2026 16:32

Remove duplicate Python CodeQL workflow

b2b4387

BukeLy merged commit a51d97f into main Apr 24, 2026
4 checks passed

BukeLy deleted the chore/add-security-ci branch April 24, 2026 16:46