feat: use osv, add pr checks, extend dependabot

.github/dependabot.yml

@@ -1,28 +1,70 @@
 version: 2
 updates:
-  # Enable version updates for Node.js dependencies
+  # Frontend dependencies (root package.json)
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "09:00"
     allow:
       - dependency-type: "all"
     groups:
-      all:
+      frontend-dependencies:
         patterns:
           - "*"
     ignore:
       - dependency-name: "eslint"
         versions: ">= 9"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
 
-  # Enable version updates for rust
+  # Nodecar dependencies
+  - package-ecosystem: "npm"
+    directory: "/nodecar"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    allow:
+      - dependency-type: "all"
+    groups:
+      nodecar-dependencies:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "deps(nodecar)"
+      include: "scope"
+
+  # Rust dependencies
   - package-ecosystem: "cargo"
     directory: "/src-tauri"
     schedule:
       interval: "weekly"
+      day: "monday"
+      time: "09:00"
     allow:
       - dependency-type: "all"
     groups:
-      all:
+      rust-dependencies:
         patterns:
           - "*"
+    commit-message:
+      prefix: "deps(rust)"
+      include: "scope"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "ci"
+      include: "scope"

.github/workflows/dependabot-automerge.yml

@@ -1,21 +0,0 @@
-# Automatically squashes and merges Dependabot dependency upgrades if tests pass
-
-name: Dependabot Auto-merge
-
-on: pull_request_target
-
-permissions:
-  pull-requests: write
-  contents: write
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Fetch Dependabot metadata
-        id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v2
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/lint-js.yml

@@ -13,6 +13,8 @@ on:
     paths-ignore:
       - "src-tauri/**"
       - "README.md"
+      - ".github/workflows/lint-rs.yml"
+      - ".github/workflows/osv.yml"
 
 jobs:
   build:

.github/workflows/lint-rs.yml

@@ -12,11 +12,18 @@ on:
   pull_request:
     paths-ignore:
       - "src/**"
+      - "nodecar/**"
       - "package.json"
       - "package-lock.json"
       - "yarn.lock"
       - "pnpm-lock.yaml"
       - "README.md"
+      - ".github/workflows/lint-js.yml"
+      - ".github/workflows/osv.yml"
+      - "next.config.js"
+      - "tailwind.config.js"
+      - "tsconfig.json"
+      - "biome.json"
 
 jobs:
   build:

.github/workflows/osv.yml

@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+# Security vulnerability scanning for Donut Browser
+# Scans dependencies in package managers (npm/pnpm, Cargo) for known vulnerabilities
+# Runs on schedule and when dependencies change
+
+name: Security Vulnerability Scan
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths:
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "package-lock.json"
+      - "src-tauri/Cargo.toml"
+      - "src-tauri/Cargo.lock"
+      - "nodecar/package.json"
+      - "nodecar/package-lock.json"
+      - ".github/workflows/osv.yml"
+  merge_group:
+    branches: ["main"]
+  schedule:
+    # Run weekly on Tuesdays at 2:20 PM UTC
+    - cron: "20 14 * * 2"
+  push:
+    branches: ["main"]
+    paths:
+      - "package.json"
+      - "pnpm-lock.yaml"
+      - "package-lock.json"
+      - "src-tauri/Cargo.toml"
+      - "src-tauri/Cargo.lock"
+      - "nodecar/package.json"
+      - "nodecar/package-lock.json"
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
+
+jobs:
+  scan-scheduled:
+    name: Scheduled Security Scan
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=package-lock.json
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/package-lock.json
+        ./
+
+  scan-pr:
+    name: PR Security Scan
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=package-lock.json
+        --lockfile=pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        --lockfile=nodecar/package-lock.json
+        ./

.github/workflows/pr-checks.yml

@@ -0,0 +1,51 @@
+name: Pull Request Checks
+
+on:
+  pull_request:
+    branches: ["main"]
+  merge_group:
+    branches: ["main"]
+
+permissions:
+  # Required for OSV scanner to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
+
+jobs:
+  lint-js:
+    name: Lint JavaScript/TypeScript
+    uses: ./.github/workflows/lint-js.yml
+    secrets: inherit
+
+  lint-rust:
+    name: Lint Rust
+    uses: ./.github/workflows/lint-rs.yml
+    secrets: inherit
+
+  security-scan:
+    name: Security Vulnerability Scan
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      scan-args: |-
+        -r
+        --skip-git
+        --lockfile=pnpm-lock.yaml
+        --lockfile=nodecar/pnpm-lock.yaml
+        --lockfile=src-tauri/Cargo.lock
+        ./
+
+  pr-status:
+    name: PR Status Check
+    runs-on: ubuntu-latest
+    needs: [lint-js, lint-rust, security-scan]
+    if: always()
+    steps:
+      - name: Check all jobs succeeded
+        run: |
+          if [[ "${{ needs.lint-js.result }}" != "success" || "${{ needs.lint-rust.result }}" != "success" || "${{ needs.security-scan.result }}" != "success" ]]; then
+            echo "One or more checks failed"
+            exit 1
+          fi
+          echo "All checks passed!"