Merged
32 changes: 32 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,32 @@
name: CodeQL

on:
pull_request:
branches:
- main
push:
branches:
- main
schedule:
- cron: "15 3 * * 2"

permissions:
contents: read
security-events: write

jobs:
analyze:
name: Analyze JavaScript and workflows
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v7

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript,actions
queries: security-extended,security-and-quality

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
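Review bot: `queries: security-extended,security-and-quality` is redundant, because the `security-and-quality` suite already contains every query in `security-extended`; keep a single value (`queries: security-and-quality`, or just `security-extended` if the quality findings turn out to be noise for this repo). Separately, `actions/checkout@v7` and the `github/codeql-action` steps are pinned to major tags while the Lighthouse workflow in this PR pins its third-party action to a commit SHA; that split (GitHub-owned actions by tag, third-party by SHA) is defensible, but the rationale sentence in `docs/lighthouse-codeql.md` should state it as the policy so the next reviewer does not flag the tag pins as an oversight.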
51 changes: 51 additions & 0 deletions .github/workflows/lighthouse-ci.yml
@@ -0,0 +1,51 @@
name: Lighthouse CI

on:
workflow_dispatch:
schedule:
- cron: "30 2 * * 1"
push:
branches:
- main
paths:
- ".github/workflows/lighthouse-ci.yml"
- "lighthouserc.cjs"
- "package.json"
- "package-lock.json"
- "docs/lighthouse-codeql.md"

permissions:
contents: read

jobs:
audit:
name: Audit gigworlds.net
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v7

- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: 22
cache: npm

- name: Install dependencies
run: npm ci

- name: Setup Chrome
uses: browser-actions/setup-chrome@e574b4b3a21156ab45dd6b5f67e884fd26eed829
with:
chrome-version: stable

- name: Run Lighthouse CI
run: npm run lighthouse

- name: Upload Lighthouse reports
uses: actions/upload-artifact@v7
if: always()
with:
name: lighthouse-reports
path: lhci-reports
if-no-files-found: warn
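Review bot: the `browser-actions/setup-chrome@e574b4b3a21156ab45dd6b5f67e884fd26eed829` pin carries no trailing version comment; append the release tag the SHA corresponds to (e.g. `# vX.Y.Z`, placeholder here) so a reader can tell which version is pinned and Dependabot can propose updates against it. Also, the `push.paths` filter includes `docs/lighthouse-codeql.md`, so a documentation-only edit spends a real-browser audit against the live site; dropping that path keeps doc changes from triggering the run.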
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -82,6 +82,7 @@ npm run audit:url -- https://example.com
| `npm run check:scripts` | Syntax-check local automation scripts |
| `npm run audit:new -- https://example.com` | Create an empty audit evidence workspace |
| `npm run audit:url -- https://example.com` | Generate a lightweight website audit report |
| `npm run lighthouse` | Run Lighthouse CI against `https://gigworlds.net` |

## Launch Standard

Expand Down Expand Up @@ -117,6 +118,7 @@ This repository is public for visibility and collaboration. The current license
- [Release Process](docs/release-process.md)
- [Operations Runbook](docs/operations-runbook.md)
- [Audit CLI](docs/audit-cli.md)
- [Lighthouse CI and CodeQL](docs/lighthouse-codeql.md)
- [Accessibility Playbook](docs/accessibility-playbook.md)
- [Analytics and Measurement](docs/analytics-measurement.md)

4 changes: 4 additions & 0 deletions SECURITY.md
Expand Up @@ -63,3 +63,7 @@ Production web properties should enforce:
- Server-side validation and output encoding for forms and user-generated content.

See [Security Baseline](docs/security-baseline.md) for exact header examples.

## Automated Security Checks

This repository uses CodeQL for static analysis of JavaScript automation and GitHub Actions workflows. Findings should be reviewed from the GitHub Security tab before merging security-sensitive application, deployment, authentication, or data-handling changes.
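Review bot: "Findings should be reviewed from the GitHub Security tab before merging" states an expectation without an enforcement point. Since the CodeQL workflow in this PR also runs on `pull_request` to `main`, say here whether the `Analyze JavaScript and workflows` check is (or is planned to be) a required status check in branch protection; without that, a PR can merge with open alerts and nobody is obliged to open the Security tab.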
59 changes: 59 additions & 0 deletions docs/lighthouse-codeql.md
@@ -0,0 +1,59 @@
# Lighthouse CI and CodeQL

This repository uses two GitHub automation checks for production readiness.

## Lighthouse CI

Lighthouse CI runs a real browser audit against:

```text
https://gigworlds.net
```

It checks performance, accessibility, best practices, and SEO signals. The current workflow is intentionally warning-based because it audits a live external website. Live network, hosting, CDN, and third-party script variance can change scores between runs.

Run locally:

```powershell
npm install
npm run lighthouse
```

Reports are written to:

```text
lhci-reports/
```

Local runs require Chrome. The GitHub workflow installs stable Chrome explicitly before running Lighthouse CI.
The Chrome setup action is pinned to a commit SHA because it is a third-party GitHub Action.

The GitHub workflow runs:

- Manually through `workflow_dispatch`.
- Weekly on Monday.
- When Lighthouse configuration changes on `main`.

When the target site and budgets are stable, warning thresholds can be changed to failing assertions.

## CodeQL

CodeQL is GitHub's static security analysis engine. It scans code for bug and vulnerability patterns before they become production issues.

This repo currently scans:

- JavaScript and TypeScript, including local `.mjs` automation scripts.
- GitHub Actions workflow code.

The GitHub workflow runs:

- On pull requests to `main`.
- On pushes to `main`.
- Weekly on Tuesday.

Findings appear in the repository's GitHub Security tab.

## Current Policy

- Lighthouse CI is an early-warning signal, not a deployment blocker yet.
- CodeQL findings should be reviewed before merging changes that introduce application code, deployment logic, authentication, or data processing.
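Review bot: the "Run locally" block uses `npm install` while the workflow uses `npm ci`; use `npm ci` in the docs as well so local runs honour `package-lock.json` the same way CI does. "Local runs require Chrome" should also mention that `npm run lighthouse` fetches `@lhci/cli` through `npx` at run time (see the `package.json` change in this PR), otherwise readers will assume the install step already provided it.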
2 changes: 2 additions & 0 deletions docs/roadmap.md
Expand Up @@ -46,6 +46,8 @@ Status: pending.
- Add accessibility checks to CI.
- Add SEO validation.

Initial Lighthouse CI and CodeQL workflows are already present. Future app work should tighten thresholds and expand analysis coverage.

## Phase 5: Public Launch

Status: pending.
27 changes: 27 additions & 0 deletions lighthouserc.cjs
@@ -0,0 +1,27 @@
module.exports = {
ci: {
collect: {
url: ["https://gigworlds.net"],
numberOfRuns: 3,
settings: {
chromeFlags: "--no-sandbox --headless=new",
preset: "desktop"
}
},
assert: {
preset: "lighthouse:recommended",
assertions: {
"categories:performance": ["warn", { minScore: 0.5 }],
"categories:accessibility": ["warn", { minScore: 0.8 }],
"categories:best-practices": ["warn", { minScore: 0.8 }],
"categories:seo": ["warn", { minScore: 0.8 }],
"uses-http2": "off",
"uses-long-cache-ttl": "warn"
}
},
upload: {
target: "filesystem",
outputDir: "./lhci-reports"
}
}
};
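Review bot: `chromeFlags: "--no-sandbox --headless=new"` disables Chrome's process sandbox, and because this is the same config `npm run lighthouse` uses on a developer machine (per `docs/lighthouse-codeql.md` in this PR), the sandbox is off locally too. GitHub-hosted `ubuntu-latest` runners execute jobs as a non-root user, so the flag is normally unnecessary there; try `chromeFlags: "--headless=new"` and only re-add `--no-sandbox` (ideally via a CI-only override) if the run actually fails without it.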
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -12,7 +12,8 @@
"check:docs": "node scripts/check-docs.mjs",
"check:links": "node scripts/check-links.mjs",
"check:scripts": "node scripts/check-scripts.mjs",
"check:secrets": "node scripts/check-secrets.mjs"
"check:secrets": "node scripts/check-secrets.mjs",
"lighthouse": "npx --yes @lhci/cli@0.15.1 autorun --config=./lighthouserc.cjs"
},
"engines": {
"node": ">=20"
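Review bot: `npx --yes @lhci/cli@0.15.1 autorun ...` installs the CLI at run time outside `package-lock.json`, so it is not covered by `npm ci`, not checked against the lockfile's integrity hashes, and not helped by the workflow's `cache: npm`; the exact-version pin limits drift, but `--yes` also suppresses the install confirmation. Add `@lhci/cli` as a `devDependency` and change the script to `"lighthouse": "lhci autorun --config=./lighthouserc.cjs"` so the dependency is locked and reviewed with the rest of the tree.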
1 change: 1 addition & 0 deletions scripts/check-docs.mjs
Expand Up @@ -17,6 +17,7 @@ const requiredFiles = [
"docs/repository-setup.md",
"docs/owner-inputs.md",
"docs/audit-cli.md",
"docs/lighthouse-codeql.md",
"docs/launch-readiness.md",
"docs/performance-budget.md",
"docs/security-baseline.md",