From a5003f29796136b7caec0749efc4c73759ec7289 Mon Sep 17 00:00:00 2001
From: Bappa Mandal
Date: Sat, 27 Jun 2026 07:14:56 +0530
Subject: [PATCH 1/2] Add Lighthouse CI and CodeQL workflows

---
 .github/workflows/codeql.yml | 32 ++++++++++++++++
 .github/workflows/lighthouse-ci.yml | 51 +++++++++++++++++++++++++
 README.md | 2 +
 SECURITY.md | 4 ++
 docs/lighthouse-codeql.md | 58 +++++++++++++++++++++++++++++
 docs/roadmap.md | 2 +
 lighthouserc.cjs | 27 ++++++++++++++
 package.json | 3 +-
 scripts/check-docs.mjs | 1 +
 9 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/lighthouse-ci.yml
 create mode 100644 docs/lighthouse-codeql.md
 create mode 100644 lighthouserc.cjs

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..2fa942b
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,32 @@
+name: CodeQL
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: "15 3 * * 2"
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze JavaScript and workflows
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v7
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: javascript-typescript,actions
+ queries: security-extended,security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml
new file mode 100644
index 0000000..b36d1a9
--- /dev/null
+++ b/.github/workflows/lighthouse-ci.yml
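Review bot: The `queries: security-extended,security-and-quality` line on the CodeQL init step names two suites, but per GitHub's documentation `security-and-quality` already contains every query in `security-extended`, so the second name adds nothing and reads as though two independent suites were chosen; `queries: security-and-quality` expresses the same configuration. Separately, this workflow keeps `actions/checkout@v7` and the two `github/codeql-action/*@v4` steps on mutable tags while the second patch in this series pins the third-party Chrome action to a commit SHA; if the intended policy is "pin third-party actions only, trust GitHub-owned ones by tag", a one-line comment above `uses: actions/checkout@v7` recording that would save the next reader from filing the same question.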
@@ -0,0 +1,51 @@
+name: Lighthouse CI
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "30 2 * * 1"
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/workflows/lighthouse-ci.yml"
+ - "lighthouserc.cjs"
+ - "package.json"
+ - "package-lock.json"
+ - "docs/lighthouse-codeql.md"
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ name: Audit gigworlds.net
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v7
+
+ - name: Setup Node
+ uses: actions/setup-node@v6
+ with:
+ node-version: 22
+ cache: npm
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Setup Chrome
+ uses: browser-actions/setup-chrome@v2
+ with:
+ chrome-version: stable
+
+ - name: Run Lighthouse CI
+ run: npm run lighthouse
+
+ - name: Upload Lighthouse reports
+ uses: actions/upload-artifact@v7
+ if: always()
+ with:
+ name: lighthouse-reports
+ path: lhci-reports
+ if-no-files-found: warn
diff --git a/README.md b/README.md
index a8e5695..1632b0b 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ npm run audit:url -- https://example.com
 | `npm run check:scripts` | Syntax-check local automation scripts |
 | `npm run audit:new -- https://example.com` | Create an empty audit evidence workspace |
 | `npm run audit:url -- https://example.com` | Generate a lightweight website audit report |
+| `npm run lighthouse` | Run Lighthouse CI against `https://gigworlds.net` |

 ## Launch Standard

@@ -117,6 +118,7 @@ This repository is public for visibility and collaboration. The current license
 - [Release Process](docs/release-process.md)
 - [Operations Runbook](docs/operations-runbook.md)
 - [Audit CLI](docs/audit-cli.md)
+- [Lighthouse CI and CodeQL](docs/lighthouse-codeql.md)
 - [Accessibility Playbook](docs/accessibility-playbook.md)
 - [Analytics and Measurement](docs/analytics-measurement.md)

diff --git a/SECURITY.md b/SECURITY.md
index 8a1f0d3..845cc90 100644
--- a/SECURITY.md
+++ b/SECURITY.md
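Review bot: The `Run Lighthouse CI` step executes `npm run lighthouse`, which the package.json hunk in this same patch defines as `npx --yes @lhci/cli@0.15.1 autorun …`, so the tool that launches Chrome is fetched from the registry at run time and never goes through the `npm ci` step two steps above it or the lockfile's integrity hashes. Adding `@lhci/cli` to `devDependencies` at that same version and changing the script to `"lighthouse": "lhci autorun --config=./lighthouserc.cjs"` keeps the pin but makes `npm ci` the single install path; the exact-version pin narrows the window, while the lockfile adds the committed tarball integrity value that a bare `npx` invocation does not check against anything in the repository. It would also make the `paths` entry for `package-lock.json` on the `push` trigger actually matter for this job. Consider a `timeout-minutes` on the `audit` job as well, since it audits a live external site three times per run and otherwise runs to the platform default on a hang.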
@@ -63,3 +63,7 @@ Production web properties should enforce:
 - Server-side validation and output encoding for forms and user-generated content.

 See [Security Baseline](docs/security-baseline.md) for exact header examples.
+
+## Automated Security Checks
+
+This repository uses CodeQL for static analysis of JavaScript automation and GitHub Actions workflows. Findings should be reviewed from the GitHub Security tab before merging security-sensitive application, deployment, authentication, or data-handling changes.
diff --git a/docs/lighthouse-codeql.md b/docs/lighthouse-codeql.md
new file mode 100644
index 0000000..2d94f7c
--- /dev/null
+++ b/docs/lighthouse-codeql.md
@@ -0,0 +1,58 @@
+# Lighthouse CI and CodeQL
+
+This repository uses two GitHub automation checks for production readiness.
+
+## Lighthouse CI
+
+Lighthouse CI runs a real browser audit against:
+
+```text
+https://gigworlds.net
+```
+
+It checks performance, accessibility, best practices, and SEO signals. The current workflow is intentionally warning-based because it audits a live external website. Live network, hosting, CDN, and third-party script variance can change scores between runs.
+
+Run locally:
+
+```powershell
+npm install
+npm run lighthouse
+```
+
+Reports are written to:
+
+```text
+lhci-reports/
+```
+
+Local runs require Chrome. The GitHub workflow installs stable Chrome explicitly before running Lighthouse CI.
+
+The GitHub workflow runs:
+
+- Manually through `workflow_dispatch`.
+- Weekly on Monday.
+- When Lighthouse configuration changes on `main`.
+
+When the target site and budgets are stable, warning thresholds can be changed to failing assertions.
+
+## CodeQL
+
+CodeQL is GitHub's static security analysis engine. It scans code for bug and vulnerability patterns before they become production issues.
+
+This repo currently scans:
+
+- JavaScript and TypeScript, including local `.mjs` automation scripts.
+- GitHub Actions workflow code.
+
+The GitHub workflow runs:
+
+- On pull requests to `main`.
+- On pushes to `main`.
+- Weekly on Tuesday.
+
+Findings appear in the repository's GitHub Security tab.
+
+## Current Policy
+
+- Lighthouse CI is an early-warning signal, not a deployment blocker yet.
+- CodeQL findings should be reviewed before merging changes that introduce application code, deployment logic, authentication, or data processing.
diff --git a/docs/roadmap.md b/docs/roadmap.md
index 0be0241..b76a66f 100644
--- a/docs/roadmap.md
+++ b/docs/roadmap.md
@@ -46,6 +46,8 @@ Status: pending.
 - Add accessibility checks to CI.
 - Add SEO validation.

+Initial Lighthouse CI and CodeQL workflows are already present. Future app work should tighten thresholds and expand analysis coverage.
+
 ## Phase 5: Public Launch

 Status: pending.
diff --git a/lighthouserc.cjs b/lighthouserc.cjs
new file mode 100644
index 0000000..cb7cdd7
--- /dev/null
+++ b/lighthouserc.cjs
@@ -0,0 +1,27 @@
+module.exports = {
+ ci: {
+ collect: {
+ url: ["https://gigworlds.net"],
+ numberOfRuns: 3,
+ settings: {
+ chromeFlags: "--no-sandbox --headless=new",
+ preset: "desktop"
+ }
+ },
+ assert: {
+ preset: "lighthouse:recommended",
+ assertions: {
+ "categories:performance": ["warn", { minScore: 0.5 }],
+ "categories:accessibility": ["warn", { minScore: 0.8 }],
+ "categories:best-practices": ["warn", { minScore: 0.8 }],
+ "categories:seo": ["warn", { minScore: 0.8 }],
+ "uses-http2": "off",
+ "uses-long-cache-ttl": "warn"
+ }
+ },
+ upload: {
+ target: "filesystem",
+ outputDir: "./lhci-reports"
+ }
+ }
+};
diff --git a/package.json b/package.json
index 87caf26..18034fd 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,8 @@
 "check:docs": "node scripts/check-docs.mjs",
 "check:links": "node scripts/check-links.mjs",
 "check:scripts": "node scripts/check-scripts.mjs",
- "check:secrets": "node scripts/check-secrets.mjs"
+ "check:secrets": "node scripts/check-secrets.mjs",
+ "lighthouse": "npx --yes @lhci/cli@0.15.1 autorun --config=./lighthouserc.cjs"
 },
 "engines": {
 "node": ">=20"
diff --git a/scripts/check-docs.mjs b/scripts/check-docs.mjs
index 7439531..b8a4032 100644
--- a/scripts/check-docs.mjs
+++ b/scripts/check-docs.mjs
@@ -17,6 +17,7 @@ const requiredFiles = [
 "docs/repository-setup.md",
 "docs/owner-inputs.md",
 "docs/audit-cli.md",
+ "docs/lighthouse-codeql.md",
 "docs/launch-readiness.md",
 "docs/performance-budget.md",
 "docs/security-baseline.md",

From 0372f99af6c188711b6af2314ee102628092e64e Mon Sep 17 00:00:00 2001
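Review bot: In the lighthouserc.cjs hunk, `chromeFlags: "--no-sandbox --headless=new"` under `collect.settings` disables Chrome's sandbox unconditionally, and because this same file is what `npm run lighthouse` reads on a developer machine (the docs hunk in this patch tells contributors to run it locally), local audits of a live page that loads third-party scripts also run without the sandbox. The flag is presumably there because the hosted runner blocks the sandbox, so it is better gated on the environment, e.g. `chromeFlags: process.env.CI ? "--no-sandbox --headless=new" : "--headless=new"`, with a comment stating why the CI branch exists. Separately, `preset: "lighthouse:recommended"` in `assert` sets most individual audits to `error` level, and the four `categories:*` overrides only downgrade the category scores, so any other failing audit beyond the two already overridden (`uses-http2`, `uses-long-cache-ttl`) will still fail `lhci autorun` and therefore the job — which does not match the "intentionally warning-based" description in docs/lighthouse-codeql.md; either list the intended `warn` overrides explicitly or drop the preset until thresholds are meant to block.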
From: Bappa Mandal
Date: Sat, 27 Jun 2026 07:20:31 +0530
Subject: [PATCH 2/2] Pin Chrome setup action

---
 .github/workflows/lighthouse-ci.yml | 2 +-
 docs/lighthouse-codeql.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml
index b36d1a9..e9f47a0 100644
--- a/.github/workflows/lighthouse-ci.yml
+++ b/.github/workflows/lighthouse-ci.yml
@@ -35,7 +35,7 @@ jobs:
 run: npm ci

 - name: Setup Chrome
- uses: browser-actions/setup-chrome@v2
+ uses: browser-actions/setup-chrome@e574b4b3a21156ab45dd6b5f67e884fd26eed829
 with:
 chrome-version: stable

diff --git a/docs/lighthouse-codeql.md b/docs/lighthouse-codeql.md
index 2d94f7c..8a59203 100644
--- a/docs/lighthouse-codeql.md
+++ b/docs/lighthouse-codeql.md
@@ -26,6 +26,7 @@ lhci-reports/
 ```

 Local runs require Chrome. The GitHub workflow installs stable Chrome explicitly before running Lighthouse CI.
+The Chrome setup action is pinned to a commit SHA because it is a third-party GitHub Action.

 The GitHub workflow runs:
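Review bot: The new `uses: browser-actions/setup-chrome@e574b4b3a21156ab45dd6b5f67e884fd26eed829` line drops the human-readable version that `@v2` carried, so a reader of the workflow or of a future dependency-update diff cannot tell which release the SHA stands for without resolving it upstream. The usual form keeps both: append the tag the SHA was taken from as a trailing comment, `uses: browser-actions/setup-chrome@e574b4b3a21156ab45dd6b5f67e884fd26eed829 # v2 (confirm the exact tag the SHA was resolved from)`; Dependabot maintains such a version comment together with the SHA when it proposes an update. It is also worth recording in the commit that the SHA was verified to belong to the upstream repository rather than a fork, since a pinned SHA only protects against tag movement if that check was made. The enclosing `steps` list begins and ends outside this hunk.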