From 2ca21b51a1848040bb1fcf074ee409f53ebeb937 Mon Sep 17 00:00:00 2001
From: gnought <1684105+gnought@users.noreply.github.com>
Date: Sat, 13 Aug 2022 19:28:19 +0800
Subject: [PATCH 1/2] chore: update ci
---
.github/workflows/ci.yml | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3ff4e11..0a878830 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,16 +11,33 @@ on:
 - '*.md'
 
 jobs:
+ dependency-review:
+ name: Dependency Review
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+
+ - name: Dependency review
+ uses: actions/dependency-review-action@v2
+
 test:
 runs-on: ${{ matrix.os }}
-
+ permissions:
+ contents: read
 strategy:
 matrix:
- node-version: [14.x, 16.x, "*"]
+ node-version: [14, 16, '*']
 os: [ubuntu-latest, windows-latest, macOS-latest]
-
 steps:
 - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
 
 - name: Use Node.js
 uses: actions/setup-node@v3
@@ -50,6 +67,8 @@ jobs:
 coverage:
 needs: test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Coveralls Finished
 uses: coverallsapp/github-action@master
From 7204681ddb9a77e0d0f9296a68cb48c8e9b65bac Mon Sep 17 00:00:00 2001
From: gnought <1684105+gnought@users.noreply.github.com>
Date: Sat, 13 Aug 2022 19:29:16 +0800
Subject: [PATCH 2/2] feat: add sast
---
.github/workflows/sast.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/sast.yml
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 00000000..f618657f
--- /dev/null
+++ b/.github/workflows/sast.yml
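Review bot: Every action the new `dependency-review` job and the hardened `test` job reference is pinned only by a mutable major tag (`actions/checkout@v3`, `actions/dependency-review-action@v2`, `actions/setup-node@v3`), so a moved or force-pushed tag in any of those repositories would run unreviewed code against this checkout on the next workflow run; pin each `uses:` to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v3`, and let Dependabot's `github-actions` ecosystem keep the pins current. The added `permissions: contents: read` and `persist-credentials: false` are the right direction and are consistent across both jobs. Consider stating the dependency-review gate explicitly under the action's `with:` (for example `fail-on-severity: moderate`) rather than relying on the action's default, so reviewers can see from the file what blocks a merge. The `test` job's remaining steps continue outside the hunk.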
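Review bot: The `coverage` job now gets `permissions: contents: read`, but the step directly below it still uses `coverallsapp/github-action@master`, a mutable branch head rather than a release, so anyone who can push to that repository's default branch can change what this job executes on its next run; pin it to a release tag or, preferably, a full-length commit SHA with the version in a trailing comment, e.g. `uses: coverallsapp/github-action@<full-sha> # vX.Y.Z`. The rest of the step, including whatever token it is handed under `with:`, lies outside the hunk, so I cannot confirm from here that read-only `contents` is sufficient for it — verify on the first run after this lands.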
@@ -0,0 +1,29 @@
+name: sast
+
+on:
+ push:
+ branches-ignore:
+ - 'dependabot/**'
+ pull_request:
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: true
+ matrix:
+ language: [ 'javascript' ]
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ persist-credentials: false
+
+ - uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+
+ - uses: github/codeql-action/analyze@v2
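Review bot: The `analyze` job's `permissions` block omits `actions: read`, which github/codeql-action documents as required for workflows in private repositories (it reads the workflow run status); if this repository is private or may become so, add `actions: read` under `permissions:`, otherwise a short comment such as `# actions: read is only needed for private repositories` records the least-privilege assumption. The workflow triggers only on `push` and `pull_request`, so newly published CodeQL queries are never applied to the default branch until someone pushes — the upstream starter workflow adds a `schedule:` cron for exactly this. With `push` firing on every non-dependabot branch alongside `pull_request`, a same-repository PR is analyzed twice per commit; restricting `push` to the default branch (e.g. `branches: [main]`, adjusted to the repository's actual default) removes the duplicate run. The `strategy`'s `fail-fast: true` is a no-op with a one-entry matrix and can be dropped, and as with the other workflow the `@v3`/`@v2` tags should be replaced by full-length commit SHAs.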