Merge pull request #18 from kristiyan-velkov/develop

Develop

Author: kristiyan-velkov

.github/SECRETS_AND_VARIABLES.md

@@ -77,10 +77,18 @@ If you want to deploy images to Docker Hub, you need these secrets:
 
 **Impact if not set:**
 
-- CI workflows (lint, test, build, security) will work fine
+- CI workflows (lint, test, build) will work fine
+- Security workflow will work with limitations (Docker Scout may fail)
 - Only CD workflow (deployment) will fail
 - You can skip these if you don't need to push images to Docker Hub
 
+**Docker Scout Note:**
+
+- Docker Scout requires authentication to work properly
+- The same `DOCKER_USERNAME` and `DOCKERHUB_TOKEN` are used for Scout
+- Without these secrets, Scout will show "not entitled" error
+- The workflow continues with graceful fallback (doesn't block CI)
+
 ---
 
 ## 🔐 Automatic Secrets
@@ -486,12 +494,14 @@ git push origin v1.0.0
 | Secret                   | Required    | Used By            | Purpose                     | Get From            |
 | ------------------------ | ----------- | ------------------ | --------------------------- | ------------------- |
 | `GITHUB_TOKEN`           | ✅ Auto     | All workflows      | GitHub API access           | Automatic           |
-| `DOCKER_USERNAME`        | ✅ For CD   | cd.yml             | Docker Hub login            | hub.docker.com      |
-| `DOCKERHUB_TOKEN`        | ✅ For CD   | cd.yml             | Docker Hub push access      | hub.docker.com      |
+| `DOCKER_USERNAME`        | ✅ For CD   | cd.yml, security.yml | Docker Hub login          | hub.docker.com      |
+| `DOCKERHUB_TOKEN`        | ✅ For CD   | cd.yml, security.yml | Docker Hub push access    | hub.docker.com      |
 | `DOCKERHUB_PROJECT_NAME` | ✅ For CD   | cd.yml             | Docker Hub project name     | hub.docker.com      |
 | `SNYK_TOKEN`             | ⚠️ Optional | security.yml       | Snyk vulnerability scanning | snyk.io             |
 | `OPENAI_API_KEY`         | ⚠️ Optional | ai-code-review.yml | AI-powered code reviews     | platform.openai.com |
 
+> **Note:** `DOCKER_USERNAME` and `DOCKERHUB_TOKEN` are also used by `security.yml` to authenticate Docker Scout scans.
+
 ---
 
 ## 🎯 Workflow Capabilities by Setup Level

.github/dependabot.yml

@@ -7,11 +7,12 @@ updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly" # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
       timezone: "UTC"
-    open-pull-requests-limit: 5
+    target-branch: "develop" # Only create PRs against develop branch
+    open-pull-requests-limit: 3 # Reduced from 5 to 3
     labels:
       - "dependencies"
       - "npm"
@@ -22,15 +23,24 @@ updates:
       include: "scope"
     # Group updates for better PR management
     groups:
+      # Group ALL development dependencies into ONE PR
       development-dependencies:
         dependency-type: "development"
         update-types:
           - "minor"
           - "patch"
+          - "major" # Include major updates too
+      # Group ALL production dependencies into ONE PR
       production-dependencies:
         dependency-type: "production"
         update-types:
           - "patch"
+          - "minor"
+      # Separate group for major production updates
+      production-major-dependencies:
+        dependency-type: "production"
+        update-types:
+          - "major"
     # Version update strategy
     versioning-strategy: increase
     # Ignore specific packages if needed
@@ -49,19 +59,20 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly" # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
       timezone: "UTC"
-    open-pull-requests-limit: 3
+    target-branch: "develop" # Only create PRs against develop branch
+    open-pull-requests-limit: 2 # Reduced from 3 to 2
     labels:
       - "github-actions"
       - "dependencies"
       - "automated"
     commit-message:
       prefix: "ci"
       include: "scope"
-    # Group GitHub Actions updates
+    # Group ALL GitHub Actions updates into ONE PR
     groups:
       github-actions:
         patterns:
@@ -71,15 +82,21 @@ updates:
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "monthly" # Changed from weekly to monthly
       day: "monday"
       time: "09:00"
       timezone: "UTC"
-    open-pull-requests-limit: 3
+    target-branch: "develop" # Only create PRs against develop branch
+    open-pull-requests-limit: 2 # Reduced from 3 to 2
     labels:
       - "docker"
       - "dependencies"
       - "automated"
     commit-message:
       prefix: "build"
       include: "scope"
+    # Group all Docker updates into ONE PR
+    groups:
+      docker-images:
+        patterns:
+          - "*"

.github/workflows/security.yml

@@ -27,6 +27,13 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Log in to Docker Hub (for Docker Scout)
+        uses: docker/login-action@v3
+        continue-on-error: true
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Build production image for scanning
         run: docker compose build react-prod
 
@@ -137,6 +144,9 @@ jobs:
     name: Dependency Review
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Checkout code