docs(i6): solidify I5_I6 design markdown; add Dependabot and ci-security (Trivy, npm audit)

Made-with: Cursor
2026-06-09 10:00:30 +08:00 · 2026-04-06 22:48:58 +08:00
parent 499fef3c2f
commit ce49fe143c
7 changed files with 118 additions and 67 deletions
@@ -2,9 +2,9 @@ name: ci-java

 on:
  push:
-    branches: [main, master]
+    branches: [main, master, develop]
  pull_request:
-    branches: [main, master]
+    branches: [main, master, develop]

 jobs:
  maven:
@@ -2,14 +2,14 @@ name: ci-platform

 on:
  push:
-    branches: [main, master]
+    branches: [main, master, develop]
    paths:
      - "services/**"
      - "web/**"
      - "contracts/**"
      - ".github/workflows/ci-platform.yml"
  pull_request:
-    branches: [main, master]
+    branches: [main, master, develop]
    paths:
      - "services/**"
      - "web/**"
@@ -0,0 +1,53 @@
+name: ci-security
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+  workflow_dispatch:
+
+jobs:
+  trivy-maven-modules:
+    name: Trivy (Java / Maven manifests)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - scan-ref: services
+          - scan-ref: java
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: fs
+          scan-ref: ${{ matrix.scan-ref }}
+          scanners: vuln
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
+          exit-code: "1"
+          ignore-unfixed: true
+
+  npm-audit-ui:
+    name: npm audit (delivery-platform-ui)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: web/delivery-platform-ui
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+          cache-dependency-path: web/delivery-platform-ui/package-lock.json
+      - name: Install and audit
+        run: |
+          npm ci
+          npm audit --audit-level=high