From b43cded2a1b464a4915bed4536f389b33ffba0c1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 18 Mar 2026 03:26:50 +0000 Subject: [PATCH 1/3] feat: add missing security workflows (dependency-review, trivy, zizmor) Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com> --- .github/workflows/dependency-review.yml | 26 ++++++++++++++ .github/workflows/trivy.yml | 46 +++++++++++++++++++++++++ .github/workflows/zizmor.yml | 34 ++++++++++++++++++ 3 files changed, 106 insertions(+) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/trivy.yml create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..05a3149 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,26 @@ +name: Dependency diff review + +on: + pull_request: + branches: + - master + - work + +# Restrict to the minimum permissions needed for checkout and dependency review. +permissions: + contents: read + +jobs: + dependency-review: + name: Dependency diff review + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Dependency diff review + uses: actions/dependency-review-action@da45c9571d1e7cdec26844a76b8e6b89e4f1ee6b # v4.7.1 + with: + fail-on-severity: high diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000..8b97c9c --- /dev/null +++ b/.github/workflows/trivy.yml 
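Review bot: `fail-on-severity: high` in the `Dependency diff review` step means moderate-severity advisories on newly added or bumped dependencies merge with no signal at all, and the step performs no license check; for a gate introduced as a security control consider `fail-on-severity: moderate` plus a `deny-licenses:` list suited to the project, or record the choice with a comment such as `# moderate findings are triaged out of band; only high/critical block merge`. As far as I recall the action also depends on the repository's dependency graph being enabled and errors out rather than silently passing when it is not, which is the right failure mode but worth one line in the header comment so a red check is not mistaken for a real finding. The version comment `# v4.7.1` next to the pinned SHA should be verified against the upstream tag, since a mismatched pin is indistinguishable from a correct one in review.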
@@ -0,0 +1,46 @@ +name: Trivy repository scan + +on: + push: + branches: + - master + - work + pull_request: + branches: + - master + - work + +# Restrict to minimum required permissions. +# security-events: write is required only for SARIF upload to code scanning. +permissions: + contents: read + security-events: write + +jobs: + trivy: + name: Trivy filesystem scan + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Run Trivy filesystem scan + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.30.0 + with: + scan-type: fs + scan-ref: "." + severity: HIGH,CRITICAL + ignore-unfixed: true + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy SARIF to code scanning + # Skip on forked PRs — GitHub does not grant security-events: write to + # untrusted fork tokens, so SARIF upload would fail with a permissions error. + if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + with: + sarif_file: trivy-results.sarif + category: trivy diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..e58f7ee --- /dev/null +++ b/.github/workflows/zizmor.yml 
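Review bot: The `Run Trivy filesystem scan` step never sets `exit-code`, so with trivy-action's default the job stays green even when HIGH/CRITICAL findings are present, and on fork PRs, where the `if` guard skips the SARIF upload, those findings are not surfaced anywhere. Consider `exit-code: "1"` on the scan step (the upload step then needs `if: always() && (...)` so results still reach code scanning on a failing run), or at minimum upload `trivy-results.sarif` with `actions/upload-artifact` in the forked-PR branch so a reviewer can read them. `ignore-unfixed: true` is a reasonable noise trade-off but silently drops advisories with no upstream fix; a comment such as `# unfixable advisories are excluded; revisit if a compensating control is needed` would make that deliberate.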
@@ -0,0 +1,34 @@ +name: zizmor advisory audit + +on: + pull_request: + paths: + - ".github/workflows/**" + +# Restrict to minimum required permissions. +permissions: + contents: read + +jobs: + zizmor: + name: zizmor workflow audit + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Install zizmor + run: pip install zizmor==1.5.0 + + - name: Run zizmor workflow audit + # Advisory mode — findings are reported but do not fail the job. + # Maintainers should review and address findings before merging workflow changes. + run: | + zizmor --format plain .github/workflows/ + EXIT_CODE=$? + if [ $EXIT_CODE -ne 0 ]; then + echo "::warning::zizmor found workflow security findings (advisory). Review the output above before merging." + fi + exit 0 From 774b905bf7f81f2f8f1ceea9002fce3bf3e2b943 Mon Sep 17 00:00:00 2001 From: chrismaz11 Date: Thu, 19 Mar 2026 16:51:29 -0500 Subject: [PATCH 2/3] fix(ci): repair security workflow checks --- .github/workflows/dependency-review.yml | 2 +- .github/workflows/zizmor.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 05a3149..ed5dd8b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -21,6 +21,6 @@ jobs: persist-credentials: false - name: Dependency diff review - uses: actions/dependency-review-action@da45c9571d1e7cdec26844a76b8e6b89e4f1ee6b # v4.7.1 + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 with: fail-on-severity: high diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index e58f7ee..8b6bf05 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
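Review bot: `pip install zizmor==1.5.0` pins a version but not a hash, so the audit tool itself is fetched from PyPI unverified on every run; `persist-credentials: false` and `contents: read` keep the blast radius small, but a hash-pinned requirements line installed with `pip install --require-hashes -r` (or the project's existing lockfile tooling) would close the gap. The unconditional `exit 0` at the end of the run step also means a high-severity finding only ever yields a `::warning::` annotation on a green check, which is easy to miss; if advisory mode is intended for low-severity results, a second blocking step such as `zizmor --min-severity high .github/workflows/` (if the pinned release supports that flag) would let low findings stay advisory while high ones fail the job.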
@@ -26,8 +26,8 @@ jobs: # Advisory mode — findings are reported but do not fail the job. # Maintainers should review and address findings before merging workflow changes. run: | - zizmor --format plain .github/workflows/ - EXIT_CODE=$? + EXIT_CODE=0 + zizmor --format plain .github/workflows/ || EXIT_CODE=$? if [ $EXIT_CODE -ne 0 ]; then echo "::warning::zizmor found workflow security findings (advisory). Review the output above before merging." fi From a6441e5c269df02a56dedac779d4a695f68b7790 Mon Sep 17 00:00:00 2001 From: chrismaz11 Date: Thu, 19 Mar 2026 23:44:48 -0500 Subject: [PATCH 3/3] fix(api): restore runtime env helpers --- apps/api/src/env.ts | 70 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 apps/api/src/env.ts diff --git a/apps/api/src/env.ts b/apps/api/src/env.ts new file mode 100644 index 0000000..ef134a7 --- /dev/null +++ b/apps/api/src/env.ts 
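Review bot: The `|| EXIT_CODE=$?` capture now survives the default `bash -e` shell, but the warning text treats every nonzero status as "findings"; if I read zizmor's exit-code scheme correctly, a tool error (for example an unparseable workflow or a missing path) returns a distinct status from the severity-based codes used for findings, so a crashed audit would be reported as an advisory result and the step would still end in `exit 0`. Consider separating the cases before the advisory branch: `if [ "$EXIT_CODE" -eq 1 ]; then echo "::error::zizmor failed to run"; exit 1; fi`. The run block's final `exit 0` lies outside this hunk.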
@@ -0,0 +1,70 @@ +import { readFileSync } from 'node:fs'; +import path from 'node:path'; + +import dotenv from 'dotenv'; + +let envLoaded = false; + +export function loadRuntimeEnv(envPathCandidates?: string[]): void { + if (envLoaded) return; + + const candidates = + envPathCandidates ?? + [ + path.resolve(process.cwd(), '.env.local'), + path.resolve(process.cwd(), '.env'), + path.resolve(process.cwd(), '../../.env.local'), + path.resolve(process.cwd(), '../../.env') + ]; + + for (const envPath of candidates) { + dotenv.config({ path: envPath, override: false }); + } + + envLoaded = true; +} + +export function resolveDatabaseUrl(env: NodeJS.ProcessEnv = process.env): string | null { + const direct = (env.DATABASE_URL || '').trim(); + if (direct) return direct; + + const candidates = [env.SUPABASE_DB_URL, env.SUPABASE_POOLER_URL, env.SUPABASE_DIRECT_URL]; + + for (const candidate of candidates) { + const value = (candidate || '').trim(); + if (value) { + env.DATABASE_URL = value; + return value; + } + } + + const supabasePassword = (env.SUPABASE_DB_PASSWORD || '').trim(); + if (supabasePassword) { + const poolerCandidates = [ + path.resolve(process.cwd(), 'supabase/.temp/pooler-url'), + path.resolve(process.cwd(), '../../supabase/.temp/pooler-url'), + path.resolve(process.env.HOME || '', 'supabase/.temp/pooler-url') + ]; + + for (const poolerPath of poolerCandidates) { + try { + const rawPoolerUrl = readFileSync(poolerPath, 'utf-8').trim(); + if (!rawPoolerUrl) continue; + + const parsed = new URL(rawPoolerUrl); + if (!parsed.password) { + parsed.password = encodeURIComponent(supabasePassword); + } + parsed.searchParams.set('sslmode', 'require'); + + const resolved = parsed.toString(); + env.DATABASE_URL = resolved; + return resolved; + } catch { + // Continue searching candidate pooler URLs. + } + } + } + + return null; +}
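Review bot: `parsed.searchParams.set('sslmode', 'require')` in `resolveDatabaseUrl` forces TLS but, under libpq semantics, `require` does not verify the server certificate or hostname, so the pooler session is still open to an on-path attacker presenting any certificate; `verify-full` is the value that binds the connection to the expected host, and how the project's Postgres driver maps these `sslmode` values should be confirmed before relying on either. The function also writes the fully credentialed URL back into `env.DATABASE_URL`, which places the database password in `process.env` where crash reporters, `child_process` spawns and debug dumps can pick it up; a comment such as `// NOTE: the resolved URL (including the password) is exported to the environment for downstream readers` would make that exposure explicit and reviewable. The bare `catch {}` around `readFileSync` and `new URL(rawPoolerUrl)` hides a present-but-malformed pooler file as well as a missing one, so the fallback chain cannot be diagnosed; logging the skipped candidate at debug level would help. Minor inconsistency: the `HOME` lookup uses `process.env.HOME` rather than the injected `env`, so callers passing a custom `env` for tests still read the real environment.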