Security-first: CodeQL, Secret Scanning, automated releases, and more are now live

[santifer]

Following up on Discussion #228 where we announced CI/CD basics (tests + auto-labeling + welcome bot), today we shipped a significant infrastructure upgrade.

career-ops now runs with the same security and automation practices used by projects like Next.js, Astro, and curl.

What's new

Security

• CodeQL Analysis — Every PR and push to main is scanned for vulnerabilities (injection, XSS, path traversal) in both JavaScript and Go. Runs weekly on main to catch newly discovered CVEs.
• Secret Scanning + Push Protection — If a commit contains an API key, token, or password, GitHub blocks it before it reaches the repo.
• Dependency Review — PRs that introduce dependencies with known high-severity vulnerabilities will fail automatically.

Releases

• Release Please — Changelogs and version bumps are now automated. When we merge commits with feat: or fix: prefixes, a release PR is generated automatically with a full changelog. No more manual VERSION edits.
• SBOM Generation — Every release now includes a Software Bill of Materials (SPDX format), so anyone can audit the full dependency tree.

Maintenance

• Stale bot — Issues inactive for 60 days and PRs inactive for 30 days are automatically marked as stale and closed after 14 more days of silence. This keeps the backlog clean without manual effort.
• Renovate — Replaces individual Dependabot PRs. Dependencies are now grouped into a single weekly PR instead of 3-5 separate ones that conflict with each other.
• CodeRabbit — AI-powered code review on every PR. It catches logic errors, security issues, and edge cases before a human reviewer looks at the code.

What this means for contributors

Before	Now
Vulnerabilities caught only in manual review	CodeQL + dependency review catch them in CI
Stale PRs sat open indefinitely	Auto-closed after 30 days of inactivity
3 separate Dependabot PRs conflicting	1 grouped Renovate PR per week
Manual changelogs	Automated from commit messages
No secret protection	Blocked before push

What this means for users

Your data stays safe. Every release is auditable. The project is maintained with the same rigor as enterprise-grade infrastructure — except it's free and always will be.

The full CI/CD stack

For reference, here's everything running on career-ops today:

Workflow	Purpose
test.yml	61+ tests on every PR
labeler.yml	Auto-labels by risk level
welcome.yml	Greets first-time contributors
codeql.yml	Security analysis (JS + Go)
dependency-review.yml	Blocks vulnerable dependencies
release.yml	Automated changelogs + releases
sbom.yml	Dependency inventory per release
stale.yml	Auto-closes inactive issues/PRs
Secret Scanning	Blocks leaked credentials
CodeRabbit	AI code review
Renovate	Grouped dependency updates

If you're building your own OSS project, feel free to use our .github/workflows/ as a reference.

Let's build together.