From 89ecebfcac596048825218f53cabb6e0ec81ada7 Mon Sep 17 00:00:00 2001
From: Mike Odnis <airwolf635@gmail.com>
Date: Tue, 14 Apr 2026 18:10:32 -0400
Subject: [PATCH] ci: wire org-wide security-scan workflow + dependabot +
 CODEOWNERS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Standardization pass across public ResQ repos:

  .github/workflows/security.yml  Thin caller for the reusable workflow
                                  in resq-software/.github. Passes the
                                  language list appropriate for this
                                  repo (["actions"] — bash-only repo,
                                  CodeQL analyzes workflow YAML).
  .github/dependabot.yml           Weekly grouped github-actions
                                  updates, Monday 06:17 UTC.
  .github/CODEOWNERS               Default owner + explicit rules for
                                  the installer + hooks surface.

Inherits CoC / Contributing / Security / Support / issue + PR templates
from resq-software/.github (landed in that repo's #2).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .github/CODEOWNERS             |  8 ++++++++
 .github/dependabot.yml         | 18 ++++++++++++++++++
 .github/workflows/security.yml | 28 ++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/security.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..7257ea5
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,8 @@
+# Default owner for everything not matched by a more specific rule.
+*                         @WomB0ComB0
+
+# Installer + canonical git hooks — the blast-radius surface.
+/install.sh               @WomB0ComB0
+/install.ps1              @WomB0ComB0
+/scripts/                 @WomB0ComB0
+/.github/workflows/       @WomB0ComB0
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..cfce571
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,18 @@
+# Copyright 2026 ResQ Software
+# SPDX-License-Identifier: Apache-2.0
+#
+# Weekly dependency updates, grouped to keep PR noise low.
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+      day: monday
+      time: "06:17"
+    groups:
+      actions:
+        patterns: ["*"]
+    labels: [chore, deps]
+    open-pull-requests-limit: 5
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..3c8bd21
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,28 @@
+# Copyright 2026 ResQ Software
+# SPDX-License-Identifier: Apache-2.0
+#
+# Thin caller for the org-wide reusable security-scan workflow in
+# resq-software/.github. Update the `languages` list to match this repo's
+# primary code; everything else inherits.
+
+name: security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  schedule:
+    - cron: '17 6 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  pull-requests: read
+
+jobs:
+  scan:
+    uses: resq-software/.github/.github/workflows/security-scan.yml@main
+    with:
+      languages: '["actions"]'
+    secrets: inherit