chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,138 @@
+version: 2
+enable-beta-ecosystems: true
+registries:
+  # Use default npm registry
+  npm-registry:
+    type: npm-registry
+    url: https://registry.npmjs.org
+    replaces-base: true
+
+updates:
+  # Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "oib"
+    assignees:
+      - "oib"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "python"
+    ignore:
+      # Allow patch updates for all dependencies
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+      # Allow minor updates for most dependencies
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor"]
+        # But be more conservative with critical dependencies
+        except:
+          - "fastapi"
+          - "uvicorn"
+          - "sqlalchemy"
+          - "alembic"
+          - "httpx"
+          - "click"
+          - "pytest"
+          - "cryptography"
+
+  # GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "oib"
+    assignees:
+      - "oib"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # Docker dependencies (if any)
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "oib"
+    assignees:
+      - "oib"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "docker"
+
+  # npm dependencies (for frontend components)
+  - package-ecosystem: "npm"
+    directory: "/apps/explorer-web"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "oib"
+    assignees:
+      - "oib"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "npm"
+      - "frontend"
+    ignore:
+      # Allow patch updates for all dependencies
+      - dependency-name: "*"
+        update-types: ["version-update:semver-patch"]
+      # Allow minor updates for most dependencies
+      - dependency-name: "*"
+        update-types: ["version-update:semver-minor"]
+        # But be conservative with major dependencies
+        except:
+          - "react"
+          - "vue"
+          - "angular"
+          - "typescript"
+          - "webpack"
+          - "babel"
+
+  # npm dependencies for website
+  - package-ecosystem: "npm"
+    directory: "/website"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "oib"
+    assignees:
+      - "oib"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+    labels:
+      - "dependencies"
+      - "npm"
+      - "website"