From e0a849a02d9406c6bb0b1de9b47f3639e03e0905 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 03:05:03 +0000
Subject: [PATCH 1/6] Initial plan

-- 
2.49.1

From 05f2fca7f869225cc73c6e629ab481769d78f04b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 03:09:27 +0000
Subject: [PATCH 2/6] Add MokoStandards security and compliance workflows

Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 87 +++++
 .github/workflows/dependency-review.yml | 215 +++++++++++
 .github/workflows/standards-compliance.yml | 425 +++++++++++++++++++++
 3 files changed, 727 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/standards-compliance.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..0b8b004
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,87 @@ +# Copyright (C) 2026 Moko Consulting +# +# This file is part of a Moko Consulting project. +# +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# FILE INFORMATION +# DEFGROUP: GitHub.Workflow +# INGROUP: Moko-Cassiopeia.Security +# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia +# PATH: /.github/workflows/codeql-analysis.yml +# VERSION: 01.00.00 +# BRIEF: CodeQL security scanning workflow for vulnerability detection +# NOTE: Runs on push to main and PRs, weekly scheduled scans + +name: "CodeQL Security Scanning" + +on: + push: + branches: + - main + - dev/** + - rc/** + - version/** + pull_request: + branches: + - main + - dev/** + - rc/** + - version/** + schedule: + # Run at 6:00 AM UTC every Monday + - cron: '0 6 * * 1' + workflow_dispatch: + +permissions: + actions: read + contents: read + security-events: write + +jobs: + analyze: + name: CodeQL Analysis + runs-on: ubuntu-latest + timeout-minutes: 360 + + strategy: + fail-fast: false + matrix: + language: [ 'javascript', 'python' ] + # CodeQL supports: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' + # This repository contains PHP (not directly supported), JavaScript, and Python + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # 
For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + queries: +security-extended,security-and-quality + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). + # If this step fails, then you should remove it and run the build manually + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + upload: true diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..644f843 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,215 @@ +# Copyright (C) 2026 Moko Consulting +# +# This file is part of a Moko Consulting project. +# +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# FILE INFORMATION +# DEFGROUP: GitHub.Workflow +# INGROUP: Moko-Cassiopeia.Security +# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia +# PATH: /.github/workflows/dependency-review.yml +# VERSION: 01.00.00 +# BRIEF: Dependency review workflow for vulnerability scanning in pull requests +# NOTE: Scans dependencies for security vulnerabilities and license compliance + +name: Dependency Review + +on: + pull_request: + branches: + - main + - dev/** + - rc/** + - version/** + +permissions: + contents: read + pull-requests: write + +jobs: + dependency-review: + name: Dependency Security Review + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + # Fail on critical or high severity vulnerabilities + fail-on-severity: moderate + + # Allow specific licenses (customize for your project) + # Common open-source licenses + allow-licenses: GPL-3.0, GPL-3.0-or-later, MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, LGPL-3.0 + + # Comment on PR with results + comment-summary-in-pr: always + + - name: Generate Dependency Report + if: always() + run: | + echo "# Dependency Review 
Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "✅ Dependency review completed" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "This workflow checks:" >> $GITHUB_STEP_SUMMARY + echo "- Security vulnerabilities in new dependencies" >> $GITHUB_STEP_SUMMARY + echo "- License compatibility" >> $GITHUB_STEP_SUMMARY + echo "- Dependency changes between base and head" >> $GITHUB_STEP_SUMMARY + + composer-audit: + name: Composer Audit + runs-on: ubuntu-latest + if: hashFiles('composer.json') != '' + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: '8.1' + tools: composer:v2 + + - name: Install Dependencies + run: composer install --no-interaction --prefer-dist + + - name: Run Composer Audit + run: | + echo "### Composer Audit Results" >> $GITHUB_STEP_SUMMARY + + # Run audit and capture results + if composer audit; then + echo "✅ No vulnerabilities found in Composer dependencies" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ Vulnerabilities detected - please review" >> $GITHUB_STEP_SUMMARY + composer audit || true + fi + + - name: Check for Outdated Packages + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Outdated Composer Packages" >> $GITHUB_STEP_SUMMARY + composer outdated --direct || echo "All packages are up to date" >> $GITHUB_STEP_SUMMARY + + python-safety: + name: Python Safety Check + runs-on: ubuntu-latest + if: hashFiles('requirements.txt', 'pyproject.toml', 'Pipfile') != '' + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install Safety + run: pip install safety + + - name: Run Safety Check + run: | + echo "### Python Safety Check Results" >> $GITHUB_STEP_SUMMARY + + # Check requirements.txt if exists + if [ -f "requirements.txt" ]; then + if safety check -r requirements.txt; then + echo "✅ No known 
vulnerabilities in Python dependencies" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ Vulnerabilities detected in Python dependencies" >> $GITHUB_STEP_SUMMARY + safety check -r requirements.txt || true + fi + else + echo "ℹ️ No requirements.txt found" >> $GITHUB_STEP_SUMMARY + fi + + license-check: + name: License Compliance Check + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Check License File + run: | + echo "### License Compliance" >> $GITHUB_STEP_SUMMARY + + if [ -f "LICENSE" ] || [ -f "LICENSE.md" ] || [ -f "LICENSE.txt" ]; then + echo "✅ LICENSE file present" >> $GITHUB_STEP_SUMMARY + + # Check for GPL-3.0 (MokoStandards default) + if grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE* 2>/dev/null; then + echo "✅ GPL-3.0 or compatible license detected" >> $GITHUB_STEP_SUMMARY + else + echo "ℹ️ Non-GPL license detected - verify compatibility" >> $GITHUB_STEP_SUMMARY + fi + else + echo "❌ LICENSE file missing" >> $GITHUB_STEP_SUMMARY + echo "Please add a LICENSE file to the repository root" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + - name: Check SPDX Headers (Optional) + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### SPDX Header Compliance" >> $GITHUB_STEP_SUMMARY + + # Check for SPDX identifiers in source files + MISSING_HEADERS=0 + + # Check PHP files + if find . -name "*.php" -type f ! -path "./vendor/*" | head -1 | grep -q .; then + TOTAL_PHP=$(find . -name "*.php" -type f ! -path "./vendor/*" | wc -l) + WITH_SPDX=$(find . -name "*.php" -type f ! -path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l) + echo "- PHP files: $WITH_SPDX/$TOTAL_PHP with SPDX headers" >> $GITHUB_STEP_SUMMARY + fi + + # Check JavaScript files + if find . -name "*.js" -type f ! -path "./node_modules/*" ! -path "./vendor/*" | head -1 | grep -q .; then + TOTAL_JS=$(find . -name "*.js" -type f ! -path "./node_modules/*" ! -path "./vendor/*" | wc -l) + WITH_SPDX_JS=$(find . -name "*.js" -type f ! 
-path "./node_modules/*" ! -path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l) + echo "- JavaScript files: $WITH_SPDX_JS/$TOTAL_JS with SPDX headers" >> $GITHUB_STEP_SUMMARY + fi + + echo "ℹ️ SPDX headers are recommended but not required for this check" >> $GITHUB_STEP_SUMMARY + + summary: + name: Review Summary + runs-on: ubuntu-latest + needs: [dependency-review, composer-audit, python-safety, license-check] + if: always() + + steps: + - name: Generate Final Summary + run: | + echo "# Dependency Review Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "All dependency security and license checks have been executed." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "## Checks Performed:" >> $GITHUB_STEP_SUMMARY + echo "- ✅ GitHub Dependency Review" >> $GITHUB_STEP_SUMMARY + echo "- ✅ Package Manager Audits (composer, pip)" >> $GITHUB_STEP_SUMMARY + echo "- ✅ License Compliance" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Review the job results above for any issues that need attention." >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/standards-compliance.yml b/.github/workflows/standards-compliance.yml new file mode 100644 index 0000000..e15de58 --- /dev/null +++ b/.github/workflows/standards-compliance.yml 
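Review bot: The job-level `if: hashFiles('composer.json') != ''` on `composer-audit` (and the `requirements.txt`/`pyproject.toml`/`Pipfile` variant on `python-safety`) is evaluated before the job has checked anything out, so as far as I can tell `hashFiles` sees an empty workspace and both audit jobs are skipped on every run; gating the steps after `actions/checkout` instead, or probing the file in a shell step, would make the audits actually execute. The comment above `fail-on-severity: moderate` says the action fails on critical or high, which does not match the configured threshold — either change the comment to `# Fail on moderate or higher severity vulnerabilities` or set `fail-on-severity: high`. The third-party `shivammathur/setup-php@v2` (and the GitHub-owned actions, here and in `standards-compliance.yml`) are referenced by mutable tag; pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain control for workflows that run on every pull request. The `summary` job runs under `if: always()` and never inspects `needs.*.result`, so it succeeds even when a needed job failed, which matters if it is ever used as a required status check; the `summary` job in `standards-compliance.yml` has the same shape.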
@@ -0,0 +1,425 @@ +# Copyright (C) 2026 Moko Consulting +# +# This file is part of a Moko Consulting project. +# +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# FILE INFORMATION +# DEFGROUP: GitHub.Workflow +# INGROUP: Moko-Cassiopeia.Compliance +# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia +# PATH: /.github/workflows/standards-compliance.yml +# VERSION: 01.00.00 +# BRIEF: MokoStandards compliance validation workflow +# NOTE: Validates repository structure, documentation, and coding standards + +name: Standards Compliance + +on: + push: + branches: + - main + - dev/** + - rc/** + - version/** + pull_request: + branches: + - main + - dev/** + - rc/** + - version/** + workflow_dispatch: + +permissions: + contents: read + pull-requests: write + +jobs: + repository-structure: + name: Repository Structure Validation + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Check Required Directories + run: | + echo "### Required Directories" >> $GITHUB_STEP_SUMMARY + + MISSING=0 + + # Check required directories + for dir in docs tests scripts .github; do + if [ -d "$dir" ]; then + echo "✅ $dir/" >> $GITHUB_STEP_SUMMARY + else + echo "❌ $dir/ (missing)" >> $GITHUB_STEP_SUMMARY + MISSING=$((MISSING + 1)) + fi + done + + if [ $MISSING -gt 0 ]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "⚠️ 
$MISSING required directories are missing" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + - name: Check Required Files + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Required Files" >> $GITHUB_STEP_SUMMARY + + MISSING=0 + + # Check required files + for file in README.md LICENSE CONTRIBUTING.md SECURITY.md CHANGELOG.md .editorconfig; do + if [ -f "$file" ]; then + echo "✅ $file" >> $GITHUB_STEP_SUMMARY + else + echo "❌ $file (missing)" >> $GITHUB_STEP_SUMMARY + MISSING=$((MISSING + 1)) + fi + done + + if [ $MISSING -gt 0 ]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "⚠️ $MISSING required files are missing" >> $GITHUB_STEP_SUMMARY + echo "See: https://github.com/mokoconsulting-tech/MokoStandards/tree/main/templates/docs/required" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + documentation-quality: + name: Documentation Quality Check + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Validate README.md + run: | + echo "### README.md Validation" >> $GITHUB_STEP_SUMMARY + + if [ ! -f "README.md" ]; then + echo "❌ README.md not found" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + # Check minimum length + SIZE=$(wc -c < README.md) + if [ $SIZE -lt 500 ]; then + echo "⚠️ README.md is too short ($SIZE bytes, minimum 500)" >> $GITHUB_STEP_SUMMARY + else + echo "✅ README.md has adequate content ($SIZE bytes)" >> $GITHUB_STEP_SUMMARY + fi + + # Check for key sections + MISSING_SECTIONS="" + grep -qi "# \|## " README.md || MISSING_SECTIONS="${MISSING_SECTIONS}- No headings found\n" + + if [ -n "$MISSING_SECTIONS" ]; then + echo "⚠️ README.md may be missing important sections" >> $GITHUB_STEP_SUMMARY + else + echo "✅ README.md appears well-structured" >> $GITHUB_STEP_SUMMARY + fi + + - name: Validate CHANGELOG.md + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### CHANGELOG.md Validation" >> $GITHUB_STEP_SUMMARY + + if [ ! 
-f "CHANGELOG.md" ]; then + echo "❌ CHANGELOG.md not found" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + # Check for Keep a Changelog format markers + if grep -qi "## \[.*\]" CHANGELOG.md; then + echo "✅ CHANGELOG.md follows Keep a Changelog format" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ CHANGELOG.md may not follow Keep a Changelog format" >> $GITHUB_STEP_SUMMARY + echo "See: https://keepachangelog.com/" >> $GITHUB_STEP_SUMMARY + fi + + - name: Check Documentation Index + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Documentation Index" >> $GITHUB_STEP_SUMMARY + + if [ -f "docs/index.md" ] || [ -f "docs/README.md" ]; then + echo "✅ Documentation index found" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ No documentation index (docs/index.md or docs/README.md)" >> $GITHUB_STEP_SUMMARY + fi + + coding-standards: + name: Coding Standards Check + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Check for Tab Characters + run: | + echo "### Tab Character Detection" >> $GITHUB_STEP_SUMMARY + + # Find files with tabs (excluding certain file types) + TABS_FOUND=$(find . -type f \ + ! -path "./vendor/*" \ + ! -path "./node_modules/*" \ + ! -path "./.git/*" \ + ! -name "Makefile*" \ + ! -name "*.tsv" \ + -exec grep -l $'\t' {} \; 2>/dev/null | head -10) + + if [ -n "$TABS_FOUND" ]; then + echo "⚠️ Tab characters found in files:" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "$TABS_FOUND" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "MokoStandards requires spaces over tabs (except in Makefiles)" >> $GITHUB_STEP_SUMMARY + else + echo "✅ No inappropriate tab characters found" >> $GITHUB_STEP_SUMMARY + fi + + - name: Check File Encoding + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### File Encoding Check" >> $GITHUB_STEP_SUMMARY + + # Check for UTF-8 encoding + NON_UTF8=$(find . -type f \( -name "*.php" -o -name "*.js" -o -name "*.md" \) \ + ! 
-path "./vendor/*" \ + ! -path "./node_modules/*" \ + ! -path "./.git/*" \ + -exec file {} \; | grep -v "UTF-8" | head -5) + + if [ -n "$NON_UTF8" ]; then + echo "⚠️ Non-UTF-8 files detected:" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "$NON_UTF8" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + else + echo "✅ All source files appear to be UTF-8 encoded" >> $GITHUB_STEP_SUMMARY + fi + + - name: Check Line Endings + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Line Ending Check" >> $GITHUB_STEP_SUMMARY + + # Check for CRLF line endings + CRLF_FILES=$(find . -type f \( -name "*.php" -o -name "*.js" -o -name "*.md" \) \ + ! -path "./vendor/*" \ + ! -path "./node_modules/*" \ + ! -path "./.git/*" \ + -exec file {} \; | grep "CRLF" | head -5) + + if [ -n "$CRLF_FILES" ]; then + echo "⚠️ Files with CRLF line endings found:" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "$CRLF_FILES" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "MokoStandards requires LF line endings" >> $GITHUB_STEP_SUMMARY + else + echo "✅ Line endings are consistent (LF)" >> $GITHUB_STEP_SUMMARY + fi + + license-compliance: + name: License Header Validation + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Check SPDX Headers + run: | + echo "### SPDX License Header Check" >> $GITHUB_STEP_SUMMARY + + # Count source files with and without SPDX headers + TOTAL_PHP=0 + WITH_SPDX_PHP=0 + + if find . -name "*.php" -type f ! -path "./vendor/*" | head -1 | grep -q .; then + TOTAL_PHP=$(find . -name "*.php" -type f ! -path "./vendor/*" | wc -l) + WITH_SPDX_PHP=$(find . -name "*.php" -type f ! 
-path "./vendor/*" -exec grep -l "SPDX-License-Identifier" {} \; | wc -l) + fi + + if [ $TOTAL_PHP -gt 0 ]; then + PERCENT=$((WITH_SPDX_PHP * 100 / TOTAL_PHP)) + echo "- PHP files: $WITH_SPDX_PHP/$TOTAL_PHP ($PERCENT%) with SPDX headers" >> $GITHUB_STEP_SUMMARY + + if [ $PERCENT -lt 80 ]; then + echo "⚠️ Less than 80% of PHP files have SPDX headers" >> $GITHUB_STEP_SUMMARY + else + echo "✅ Good SPDX header coverage" >> $GITHUB_STEP_SUMMARY + fi + fi + + - name: Validate License File + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### License File Validation" >> $GITHUB_STEP_SUMMARY + + if [ ! -f "LICENSE" ]; then + echo "❌ LICENSE file not found" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + # Check license type + if grep -qi "GNU GENERAL PUBLIC LICENSE" LICENSE; then + VERSION=$(grep -i "Version 3" LICENSE || echo "") + if [ -n "$VERSION" ]; then + echo "✅ GPL-3.0-or-later license detected" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ GPL license detected but version unclear" >> $GITHUB_STEP_SUMMARY + fi + elif grep -qi "MIT License" LICENSE; then + echo "✅ MIT license detected" >> $GITHUB_STEP_SUMMARY + elif grep -qi "Apache License" LICENSE; then + echo "✅ Apache license detected" >> $GITHUB_STEP_SUMMARY + else + echo "ℹ️ License type could not be automatically detected" >> $GITHUB_STEP_SUMMARY + fi + + git-hygiene: + name: Git Repository Hygiene + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Check .gitignore + run: | + echo "### .gitignore Validation" >> $GITHUB_STEP_SUMMARY + + if [ ! 
-f ".gitignore" ]; then + echo "⚠️ .gitignore file not found" >> $GITHUB_STEP_SUMMARY + exit 0 + fi + + # Check for common exclusions + MISSING="" + grep -q "vendor/" .gitignore || MISSING="${MISSING}vendor/ " + grep -q "node_modules/" .gitignore || MISSING="${MISSING}node_modules/ " + + if [ -n "$MISSING" ]; then + echo "⚠️ .gitignore may be missing common exclusions: $MISSING" >> $GITHUB_STEP_SUMMARY + else + echo "✅ .gitignore appears complete" >> $GITHUB_STEP_SUMMARY + fi + + - name: Check for Large Files + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Large File Detection" >> $GITHUB_STEP_SUMMARY + + # Find files larger than 1MB + LARGE_FILES=$(find . -type f -size +1M ! -path "./.git/*" ! -path "./vendor/*" ! -path "./node_modules/*" | head -5) + + if [ -n "$LARGE_FILES" ]; then + echo "⚠️ Large files detected (>1MB):" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "$LARGE_FILES" >> $GITHUB_STEP_SUMMARY + echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "Consider using Git LFS for large binary files" >> $GITHUB_STEP_SUMMARY + else + echo "✅ No unusually large files detected" >> $GITHUB_STEP_SUMMARY + fi + + workflow-validation: + name: Workflow Configuration Check + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Check Required Workflows + run: | + echo "### GitHub Actions Workflows" >> $GITHUB_STEP_SUMMARY + + WORKFLOWS_DIR=".github/workflows" + + if [ ! 
-d "$WORKFLOWS_DIR" ]; then + echo "❌ No workflows directory found" >> $GITHUB_STEP_SUMMARY + exit 1 + fi + + # Check for recommended workflows + if [ -f "$WORKFLOWS_DIR/ci.yml" ] || [ -f "$WORKFLOWS_DIR/build.yml" ]; then + echo "✅ CI workflow present" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ No CI workflow found (ci.yml or build.yml)" >> $GITHUB_STEP_SUMMARY + fi + + if [ -f "$WORKFLOWS_DIR/codeql-analysis.yml" ]; then + echo "✅ CodeQL security scanning present" >> $GITHUB_STEP_SUMMARY + else + echo "⚠️ CodeQL workflow not found" >> $GITHUB_STEP_SUMMARY + fi + + - name: Validate Workflow Syntax + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Workflow YAML Syntax" >> $GITHUB_STEP_SUMMARY + + INVALID=0 + for workflow in .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null; do + if [ -f "$workflow" ]; then + if python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null; then + echo "✅ $(basename $workflow)" >> $GITHUB_STEP_SUMMARY + else + echo "❌ $(basename $workflow) - invalid YAML" >> $GITHUB_STEP_SUMMARY + INVALID=$((INVALID + 1)) + fi + fi + done + + if [ $INVALID -gt 0 ]; then + exit 1 + fi + + summary: + name: Compliance Summary + runs-on: ubuntu-latest + needs: [repository-structure, documentation-quality, coding-standards, license-compliance, git-hygiene, workflow-validation] + if: always() + + steps: + - name: Generate Compliance Report + run: | + echo "# MokoStandards Compliance Report" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "All compliance checks have been executed." 
>> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "## Validation Areas:" >> $GITHUB_STEP_SUMMARY + echo "- Repository Structure" >> $GITHUB_STEP_SUMMARY + echo "- Documentation Quality" >> $GITHUB_STEP_SUMMARY + echo "- Coding Standards" >> $GITHUB_STEP_SUMMARY + echo "- License Compliance" >> $GITHUB_STEP_SUMMARY + echo "- Git Repository Hygiene" >> $GITHUB_STEP_SUMMARY + echo "- Workflow Configuration" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "For detailed results, review individual job outputs above." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "📚 Learn more: https://github.com/mokoconsulting-tech/MokoStandards" >> $GITHUB_STEP_SUMMARY -- 2.49.1 From 75a5185d6d8f02a1edbb23a768d24c6f168aa498 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 03:11:19 +0000 Subject: [PATCH 3/6] Add Dependabot config and documentation index for MokoStandards compliance Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com> --- .github/dependabot.yml | 65 ++++++++++++++++++++++ docs/README.md | 123 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 188 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 docs/README.md diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..6395644 --- /dev/null +++ b/.github/dependabot.yml 
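Review bot: The file's top-level `permissions:` grants `pull-requests: write`, yet no step in this workflow comments on, labels or otherwise touches a pull request — every check only appends to `$GITHUB_STEP_SUMMARY` — so `contents: read` is the only permission the jobs need and the `pull-requests: write` line should be removed. In the `Check File Encoding` step, `-exec file {} \; | grep -v "UTF-8"` reports every pure-ASCII source as non-UTF-8 because `file` labels such files `ASCII text`; `grep -Ev "UTF-8|ASCII"` keeps the check meaningful. In `Validate Workflow Syntax`, the `2>/dev/null` on the `python3 -c "import yaml; …"` call hides whether a failure is a YAML error or a missing `yaml` module on the runner, so a missing module would mark every workflow invalid with no diagnostic; letting stderr through, or running `python3 -c "import yaml"` once before the loop, makes that failure mode visible. The `Check for Tab Characters` step greps every regular file in the tree, binaries included, while the encoding and line-ending steps limit themselves to `*.php`, `*.js` and `*.md`; using the same `-name` filter here would keep image and archive assets out of the report.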
@@ -0,0 +1,65 @@
+# Copyright (C) 2026 Moko Consulting
+#
+# This file is part of a Moko Consulting project.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+# FILE INFORMATION
+# DEFGROUP: GitHub.Dependabot
+# INGROUP: Moko-Cassiopeia.Security
+# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
+# PATH: /.github/dependabot.yml
+# VERSION: 01.00.00
+# BRIEF: Dependabot configuration for automated dependency updates and security patches
+# NOTE: Monitors GitHub Actions and Composer for vulnerabilities
+
+version: 2
+updates:
+ # Monitor GitHub Actions for security updates
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ open-pull-requests-limit: 10
+ labels:
+ - "dependencies"
+ - "security"
+ - "automated"
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+
+ # Monitor Composer dependencies for security updates
+ - package-ecosystem: "composer"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ labels:
+ - "dependencies"
+ - "security"
+ - "automated"
+ - "php"
+ commit-message:
+ prefix: "chore(deps)"
+ include: "scope"
+ # Group all patch updates together
+ groups:
+ php-patches:
+ patterns:
+ - "*"
+ update-types:
+ - "patch"
diff --git a/docs/README.md b/docs/README.md
new file mode 100644
index 0000000..ad7cdd4
--- /dev/null
+++ b/docs/README.md
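Review bot: The `NOTE:` header and the two inline `# Monitor … for security updates` comments describe this file as vulnerability monitoring, but the `schedule`/`interval` entries only drive version-update pull requests; security-update pull requests are driven by Dependabot alerts, which must be enabled in the repository settings and are not configured by anything in this file. Rewording the comments to something like `# Version updates for GitHub Actions (security updates require Dependabot alerts to be enabled)` avoids a false sense of coverage. The `labels` lists also attach `"security"` to every routine version bump, which makes that label useless for triaging the alert-driven PRs it is presumably meant for; keeping `"dependencies"` and `"automated"` here and reserving `"security"` for alert PRs would be cleaner.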
@@ -0,0 +1,123 @@ + + +# Moko-Cassiopeia Documentation + +This directory contains comprehensive documentation for the Moko-Cassiopeia Joomla template. + +## Documentation Overview + +### Developer Documentation + +* **[Quick Start Guide](QUICK_START.md)** - Get up and running in 5 minutes + * Development environment setup + * Essential commands and workflows + * First-time contributor guide + +* **[Workflow Guide](WORKFLOW_GUIDE.md)** - Complete workflow reference + * Git branching strategy + * Development workflow + * Release process + * Pull request guidelines + +* **[Joomla Development Guide](JOOMLA_DEVELOPMENT.md)** - Joomla-specific development + * Testing with Codeception + * PHP quality checks (PHPStan, PHPCS) + * Joomla extension packaging + * Multi-version testing + +### User Documentation + +For end-user documentation, installation instructions, and feature guides, see the main [README.md](../README.md) in the repository root. + +## Project Structure + +``` +moko-cassiopeia/ +├── docs/ # Documentation (you are here) +│ ├── README.md # This file - documentation index +│ ├── QUICK_START.md # Quick start guide for developers +│ ├── WORKFLOW_GUIDE.md # Development workflow guide +│ └── JOOMLA_DEVELOPMENT.md # Joomla-specific development guide +├── src/ # Template source code +│ ├── templates/ # Joomla template files +│ └── media/ # Assets (CSS, JS, images) +├── scripts/ # Build and automation scripts +├── tests/ # Automated tests +└── .github/ # GitHub configuration and workflows +``` + +## Contributing + +Before contributing, please read: + +1. **[CONTRIBUTING.md](../CONTRIBUTING.md)** - Contribution guidelines and standards +2. **[CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md)** - Community standards and expectations +3. 
**[SECURITY.md](../SECURITY.md)** - Security policy and reporting procedures + +## Standards Compliance + +This project adheres to [MokoStandards](https://github.com/mokoconsulting-tech/MokoStandards) for: + +* Coding standards and formatting +* Documentation requirements +* Git workflow and branching +* CI/CD pipeline configuration +* Security scanning and dependency management + +## Additional Resources + +* **Repository**: [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* **Issue Tracker**: [GitHub Issues](https://github.com/mokoconsulting-tech/moko-cassiopeia/issues) +* **Changelog**: [CHANGELOG.md](../CHANGELOG.md) +* **License**: [GPL-3.0-or-later](../LICENSE) + +## Support + +* **Email**: hello@mokoconsulting.tech +* **Website**: https://mokoconsulting.tech/support/joomla-cms/moko-cassiopeia-roadmap + +--- + +## Metadata + +* Document: docs/README.md +* Repository: [https://github.com/mokoconsulting-tech/moko-cassiopeia](https://github.com/mokoconsulting-tech/moko-cassiopeia) +* Path: /docs/README.md +* Owner: Moko Consulting +* Version: 01.00.00 +* Status: Active +* Effective Date: 2026-01-09 + +## Revision History + +| Date | Change Summary | Author | +| ---------- | ----------------------------------------------------- | --------------- | +| 2026-01-09 | Initial documentation index created for MokoStandards compliance. | GitHub Copilot | -- 2.49.1 From d0bcf790e17fb41c03c1d55bc7633788d001c5c0 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 03:12:57 +0000 Subject: [PATCH 4/6] Update CHANGELOG with MokoStandards compliance changes Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com> --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index daef112..3b18c3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,6 +21,18 @@
 
 # Changelog — Moko-Cassiopeia (VERSION: 03.05.00)
 
+## [03.05.01] 2026-01-09
+### Added
+- Added `codeql-analysis.yml` workflow for security scanning
+- Added `dependency-review.yml` workflow for dependency vulnerability scanning
+- Added `standards-compliance.yml` workflow for MokoStandards validation
+- Added `.github/dependabot.yml` configuration for automated security updates
+- Added `docs/README.md` as documentation index
+
+### Changed
+- Enforced repository compliance with MokoStandards requirements
+- Improved security posture with automated scanning and dependency management
+
 ## [03.05.00] 2026-01-04
 - Created `.github/workflows`
 - Replaced `./CODE_OF_CONDUCT.md` from `MokoStandards`
-- 
2.49.1

From dcaabd0c53e54c22af9cd9d6a3bb58fe4aee3c0f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 03:15:02 +0000
Subject: [PATCH 5/6] Fix code review issues: version consistency, glob pattern, and redundant execution

Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com>
---
 .github/workflows/dependency-review.yml | 7 +++++--
 .github/workflows/standards-compliance.yml | 3 ++-
 docs/README.md | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 644f843..8f3d3ac 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -133,12 +133,15 @@ jobs:
 # Check requirements.txt if exists
 if [ -f "requirements.txt" ]; then
- if safety check -r requirements.txt; then
+ if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then
 echo "✅ No known vulnerabilities in Python dependencies" >> $GITHUB_STEP_SUMMARY
 else
 echo "⚠️ Vulnerabilities detected in Python dependencies" >> $GITHUB_STEP_SUMMARY
- safety check -r requirements.txt || true
+ cat safety_output.txt >> $GITHUB_STEP_SUMMARY || true
+ rm -f safety_output.txt
+ exit 0
 fi
+ rm -f safety_output.txt
 else
 echo "ℹ️ No requirements.txt found" >> $GITHUB_STEP_SUMMARY
 fi
diff --git a/.github/workflows/standards-compliance.yml b/.github/workflows/standards-compliance.yml
index e15de58..a6a4354 100644
--- a/.github/workflows/standards-compliance.yml
+++ b/.github/workflows/standards-compliance.yml
@@ -384,7 +384,8 @@ jobs:
 echo "### Workflow YAML Syntax" >> $GITHUB_STEP_SUMMARY
 INVALID=0
- for workflow in .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null; do
+ shopt -s nullglob
+ for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
 if [ -f "$workflow" ]; then
 if python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null; then
 echo "✅ $(basename $workflow)" >> $GITHUB_STEP_SUMMARY
diff --git a/docs/README.md b/docs/README.md
index ad7cdd4..053e4ff 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -23,7 +23,7 @@
 INGROUP: Moko-Cassiopeia.Documentation
 REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
 FILE: docs/README.md
- VERSION: 03.05.00
+ VERSION: 01.00.00
 BRIEF: Documentation index for Moko-Cassiopeia template
 PATH: /docs/README.md
 -->
-- 
2.49.1
From 1201ee3444f0f38585d3b509da2e3e21874a3e76 Mon Sep 17 00:00:00 2001
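Review bot: The new `if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then` tests the exit status of `tee`, not of `safety`, so unless this step runs with an explicit `shell: bash` (where GitHub enables pipefail) or the script sets `set -o pipefail` earlier, a scan that finds vulnerabilities still takes the "✅ No known vulnerabilities" branch; the `run:` block starts outside the hunk, so I cannot see which applies. Adding `set -o pipefail` at the top of the script, or testing `${PIPESTATUS[0]}` after the pipeline, makes the branch depend on the scanner's own result. Separately, the vulnerability branch ends with `exit 0`, so findings are written to the step summary but never fail the job or block the pull request; if that is intentional, a comment such as `# Findings are advisory: written to the summary, never fail the job` would make it explicit, and quoting `"$GITHUB_STEP_SUMMARY"` on the redirections avoids word splitting.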
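Review bot: The check `python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null` discards the parser's error, so an invalid workflow is listed in the summary without the line or reason, and the path is spliced into Python source through shell interpolation, which breaks on any filename containing a single quote (the glob confines this to `.github/workflows`, so it is a robustness rather than an injection concern). Passing the path as an argument, `python3 -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" "$workflow"`, removes the interpolation, and appending the captured stderr to the summary instead of `/dev/null` would make failures actionable. Note also that `shopt -s nullglob` stays in effect for the rest of this `run:` block, so any later unquoted glob in the same script now expands to nothing rather than to itself; a `shopt -u nullglob` after the loop would scope it, and with nullglob on, the `if [ -f "$workflow" ]` guard is redundant for glob matches though harmless. The enclosing `run:` block starts and ends outside the hunk.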
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 03:27:38 +0000
Subject: [PATCH 6/6] Remove custom CodeQL workflow - repository uses GitHub default setup
Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 87 ---------------------------
 CHANGELOG.md | 4 +-
 2 files changed, 3 insertions(+), 88 deletions(-)
 delete mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 0b8b004..0000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,87 +0,0 @@
-# Copyright (C) 2026 Moko Consulting
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# FILE INFORMATION
-# DEFGROUP: GitHub.Workflow
-# INGROUP: Moko-Cassiopeia.Security
-# REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
-# PATH: /.github/workflows/codeql-analysis.yml
-# VERSION: 01.00.00
-# BRIEF: CodeQL security scanning workflow for vulnerability detection
-# NOTE: Runs on push to main and PRs, weekly scheduled scans
-
-name: "CodeQL Security Scanning"
-
-on:
- push:
- branches:
- - main
- - dev/**
- - rc/**
- - version/**
- pull_request:
- branches:
- - main
- - dev/**
- - rc/**
- - version/**
- schedule:
- # Run at 6:00 AM UTC every Monday
- - cron: '0 6 * * 1'
- workflow_dispatch:
-
-permissions:
- actions: read
- contents: read
- security-events: write
-
-jobs:
- analyze:
- name: CodeQL Analysis
- runs-on: ubuntu-latest
- timeout-minutes: 360
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript', 'python' ]
- # CodeQL supports: 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby'
- # This repository contains PHP (not directly supported), JavaScript, and Python
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- #
For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- queries: +security-extended,security-and-quality
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
- # If this step fails, then you should remove it and run the build manually
- - name: Autobuild
- uses: github/codeql-action/autobuild@v3
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{matrix.language}}"
- upload: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3b18c3a..4c45e72 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,12 +23,14 @@
 ## [03.05.01] 2026-01-09
 ### Added
-- Added `codeql-analysis.yml` workflow for security scanning
 - Added `dependency-review.yml` workflow for dependency vulnerability scanning
 - Added `standards-compliance.yml` workflow for MokoStandards validation
 - Added `.github/dependabot.yml` configuration for automated security updates
 - Added `docs/README.md` as documentation index
+### Changed
+- Removed custom `codeql-analysis.yml` workflow (repository uses GitHub's default CodeQL setup)
+
 ### Changed
 - Enforced repository compliance with MokoStandards requirements
 - Improved security posture with automated scanning and dependency management
-- 
2.49.1