Implement enhanced security workflows in GitHub Actions

master3395 · master3395 · commit d7c1bee6d43e · 2025-09-13T22:44:06.000+02:00
- Replaced the existing OSS Security SAST job with a comprehensive CodeQL Analysis job for improved code security scanning.
- Added Dependency Review, Secrets Scan, and Cargo Audit jobs to further enhance security measures and dependency management.
- Each job is configured to run on Ubuntu and includes necessary steps for repository checkout and tool execution.

These updates significantly strengthen the security posture of the project by integrating multiple scanning and auditing tools into the CI/CD pipeline.
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,64 @@
+# GitHub Actions Workflows
+
+This directory contains GitHub Actions workflows for the Roblox Studio MCP Server project.
+
+## Workflows
+
+### Security Scan (`security-scan.yml`)
+
+Performs comprehensive security scanning on every push and pull request:
+
+- **CodeQL Analysis**: Static Application Security Testing (SAST) for Rust code
+- **Dependency Review**: Scans dependencies for known vulnerabilities (PRs only)
+- **Secrets Scan**: Detects accidentally committed secrets using Gitleaks
+- **Cargo Audit**: Checks Rust dependencies for security vulnerabilities
+
+### Code Quality Checks (`checks.yml`)
+
+Ensures code quality and formatting standards:
+
+- **Clippy**: Rust linter for catching common mistakes
+- **Format Check**: Ensures code follows consistent formatting
+- **Selene**: Luau linter for the plugin code
+- **StyLua**: Luau code formatter
+
+### Build (`build.yml`)
+
+Cross-platform builds and releases:
+
+- **macOS Build**: Universal binary for both Intel and Apple Silicon
+- **Windows Build**: Native Windows executable
+- **Code Signing**: Signs binaries for both platforms
+- **Release**: Creates GitHub releases with signed artifacts
+
+### Linux Build (`build-linux.yml`)
+
+Specialized Linux binary build process.
+
+## Required Secrets
+
+The following secrets need to be configured in your repository settings:
+
+### Security Workflow
+- `GITLEAKS_KEY` (optional): License key for Gitleaks if you have one
+
+### Build Workflow
+- `APPLE_API_KEY_ID`: Apple Developer API Key ID
+- `APPLE_API_ISSUER`: Apple Developer API Issuer
+- `APPLE_API_KEY_CONTENT`: Apple Developer API Key content
+- `APPLE_CERT_PASSWORD`: Certificate password for macOS signing
+- `AZURE_TENANT_ID`: Azure tenant ID for Windows signing
+- `AZURE_CLIENT_ID`: Azure client ID for Windows signing
+- `AZURE_CLIENT_SECRET`: Azure client secret for Windows signing
+- `SIGNING_ACCOUNT`: Signing account identifier
+
+## Security Features
+
+The security workflow implements multiple layers of protection:
+
+1. **Static Analysis**: CodeQL analyzes the Rust source code for potential security issues
+2. **Dependency Scanning**: Automatically checks for vulnerable dependencies
+3. **Secret Detection**: Prevents accidental exposure of API keys, passwords, and tokens
+4. **Rust-Specific Security**: Cargo audit checks for known vulnerabilities in Rust crates
+
+All security checks must pass before code can be merged into the main branch.
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -7,11 +7,76 @@ on:
         - main
 
 jobs:
-    security:
-        name: OSS Security SAST
-        uses: Roblox/security-workflows/.github/workflows/oss-security-sast.yaml@main
-        with:
-            skip-ossf: true
-        secrets:
-            GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_KEY }}
-            ROBLOX_SEMGREP_GHC_POC_APP_TOKEN: ${{ secrets.ROBLOX_SEMGREP_GHC_POC_APP_TOKEN }}
+    codeql-analysis:
+        name: CodeQL Analysis
+        runs-on: ubuntu-latest
+        permissions:
+            actions: read
+            contents: read
+            security-events: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                language: [ 'rust' ]
+
+        steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+
+        - name: Initialize CodeQL
+          uses: github/codeql-action/init@v3
+          with:
+            languages: ${{ matrix.language }}
+            queries: security-extended,security-and-quality
+
+        - name: Autobuild
+          uses: github/codeql-action/autobuild@v3
+
+        - name: Perform CodeQL Analysis
+          uses: github/codeql-action/analyze@v3
+          with:
+            category: "/language:${{matrix.language}}"
+
+    dependency-review:
+        name: Dependency Review
+        runs-on: ubuntu-latest
+        if: github.event_name == 'pull_request'
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@v4
+          - name: Dependency Review
+            uses: actions/dependency-review-action@v4
+
+    secrets-scan:
+        name: Secrets Scan
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@v4
+            with:
+              fetch-depth: 0
+
+          - name: Run Gitleaks
+            uses: gitleaks/gitleaks-action@v2
+            env:
+              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_KEY }}
+
+    cargo-audit:
+        name: Cargo Audit
+        runs-on: ubuntu-latest
+        steps:
+          - name: Checkout repository
+            uses: actions/checkout@v4
+          
+          - name: Install Rust
+            uses: dtolnay/rust-toolchain@stable
+            with:
+              components: rust-src
+          
+          - name: Install cargo-audit
+            run: cargo install cargo-audit
+          
+          - name: Run cargo audit
+            run: cargo audit
