feat(ci): add reusable security scan workflow for Go, Python, and JS/TS audits (#148)

* feat(ci): add reusable security scan workflow for Go, Python, and JS/TS audits

* chore(workflows): remove names from security scan workflows for consistency

* chore(workflows): update Go version to 1.25.5 in CLI workflows

Author: GenerQAQ

.github/workflows/cli-release.yaml

@@ -9,7 +9,7 @@ permissions:
   contents: write 
 
 env:
-  GO_VERSION: '1.25.1'
+  GO_VERSION: '1.25.5'
 
 jobs:
   create-release:

.github/workflows/cli-test.yaml

@@ -17,7 +17,7 @@ on:
       - '.github/workflows/cli-test.yaml'
 
 env:
-  GO_VERSION: '1.25.1'
+  GO_VERSION: '1.25.5'
 
 jobs:
   test:
@@ -28,7 +28,7 @@ jobs:
         working-directory: src/client/acontext-cli
     strategy:
       matrix:
-        go-version: ['1.25.1']
+        go-version: ['1.25.5']
 
     steps:
       - name: Checkout code
@@ -106,7 +106,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        go-version: ['1.25.1']
+        go-version: ['1.25.5']
 
     steps:
       - name: Checkout code

.github/workflows/security-reusable.yaml

@@ -0,0 +1,73 @@
+name: Security Scan (Reusable)
+
+on:
+  workflow_call:
+
+jobs:
+  go-vulncheck:
+    name: Go Vulnerability Check
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - name: API
+            path: src/server/api/go
+          - name: CLI
+            path: src/client/acontext-cli
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ${{ matrix.path }}/go.mod
+          cache: true
+      - name: Run govulncheck on ${{ matrix.name }}
+        working-directory: ${{ matrix.path }}
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+
+  python-audit:
+    name: Python Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+      - name: Install pip-audit
+        run: pip install pip-audit
+      - name: Audit Projects
+        run: |
+          for dir in src/server/core src/client/acontext-py; do
+            echo "🔍 Auditing $dir..."
+            cd $dir
+            uv export --format requirements-txt --no-hashes --no-dev > reqs.txt
+            pip-audit -r reqs.txt
+            rm reqs.txt
+            cd - > /dev/null
+          done
+
+  js-audit:
+    name: JS/TS Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Setup pnpm
+        run: npm install -g pnpm
+      - name: Audit TS SDK
+        working-directory: src/client/acontext-ts
+        run: npm audit --audit-level=high
+      - name: Audit UI
+        working-directory: src/server/ui
+        run: pnpm audit --audit-level=high

.github/workflows/security-scan.yaml

@@ -5,79 +5,38 @@ on:
     branches: [main, dev]
     paths:
       - 'src/server/api/go/go.mod'
+      - 'src/server/api/go/go.sum'
+      - 'src/client/acontext-cli/go.mod'
+      - 'src/client/acontext-cli/go.sum'
       - 'src/server/core/pyproject.toml'
+      - 'src/server/core/uv.lock'
       - 'src/client/acontext-py/pyproject.toml'
+      - 'src/client/acontext-py/uv.lock'
       - 'src/client/acontext-ts/package.json'
+      - 'src/client/acontext-ts/package-lock.json'
       - 'src/server/ui/package.json'
+      - 'src/server/ui/pnpm-lock.yaml'
       - '.github/workflows/security-scan.yaml'
+      - '.github/workflows/security-reusable.yaml'
   pull_request:
     branches: [main, dev]
     paths:
       - 'src/server/api/go/go.mod'
+      - 'src/server/api/go/go.sum'
+      - 'src/client/acontext-cli/go.mod'
+      - 'src/client/acontext-cli/go.sum'
       - 'src/server/core/pyproject.toml'
+      - 'src/server/core/uv.lock'
       - 'src/client/acontext-py/pyproject.toml'
+      - 'src/client/acontext-py/uv.lock'
       - 'src/client/acontext-ts/package.json'
+      - 'src/client/acontext-ts/package-lock.json'
       - 'src/server/ui/package.json'
+      - 'src/server/ui/pnpm-lock.yaml'
       - '.github/workflows/security-scan.yaml'
+      - '.github/workflows/security-reusable.yaml'
   workflow_dispatch:
 
 jobs:
-  go-vulncheck:
-    name: Go Vulnerability Check
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: src/server/api/go/go.mod
-          cache: true
-      - name: Run govulncheck
-        working-directory: src/server/api/go
-        run: |
-          go install golang.org/x/vuln/cmd/govulncheck@latest
-          govulncheck ./...
-
-  python-audit:
-    name: Python Security Audit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install pip-audit
-        run: pip install pip-audit
-      - name: Audit Projects
-        run: |
-          for dir in src/server/core src/client/acontext-py; do
-            cd $dir
-            uv export --format requirements-txt --no-hashes --no-dev > reqs.txt
-            pip-audit -r reqs.txt
-            rm reqs.txt
-            cd - > /dev/null
-          done
-
-  js-audit:
-    name: JS/TS Security Audit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - name: Audit TS SDK
-        working-directory: src/client/acontext-ts
-        run: npm audit --audit-level=high
-      - name: Audit UI
-        working-directory: src/server/ui
-        run: |
-          npm install -g pnpm
-          pnpm audit --audit-level=high
+  security:
+    uses: ./.github/workflows/security-reusable.yaml

.github/workflows/security-scheduled.yaml

@@ -2,66 +2,9 @@ name: Security Scheduled Scan
 
 on:
   schedule:
-    - cron: '0 0 * * 1'
+    - cron: '0 0 * * 1'  # Every Monday at midnight UTC
   workflow_dispatch:
 
 jobs:
-  go-vulncheck:
-    name: Go Vulnerability Check
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: src/server/api/go/go.mod
-          cache: true
-      - name: Run govulncheck
-        working-directory: src/server/api/go
-        run: |
-          go install golang.org/x/vuln/cmd/govulncheck@latest
-          govulncheck ./...
-
-  python-audit:
-    name: Python Security Audit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Install uv
-        uses: astral-sh/setup-uv@v5
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install pip-audit
-        run: pip install pip-audit
-      - name: Audit Projects
-        run: |
-          for dir in src/server/core src/client/acontext-py; do
-            cd $dir
-            uv export --format requirements-txt --no-hashes --no-dev > reqs.txt
-            pip-audit -r reqs.txt
-            rm reqs.txt
-            cd - > /dev/null
-          done
-
-  js-audit:
-    name: JS/TS Security Audit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-      - name: Audit TS SDK
-        working-directory: src/client/acontext-ts
-        run: npm audit --audit-level=high
-      - name: Audit UI
-        working-directory: src/server/ui
-        run: |
-          npm install -g pnpm
-          pnpm audit --audit-level=high
+  security:
+    uses: ./.github/workflows/security-reusable.yaml

src/client/acontext-cli/go.mod

@@ -1,6 +1,6 @@
 module github.com/memodb-io/Acontext/acontext-cli
 
-go 1.25.1
+go 1.25.5
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7