feat: update ci & add sast (#771)

* chore: update ci

* feat: add sast

.github/workflows/ci.yml

@@ -11,16 +11,33 @@ on:
       - '*.md'
 
 jobs:
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+        - name: Check out repo
+          uses: actions/checkout@v3
+          with:
+            persist-credentials: false
+
+        - name: Dependency review
+          uses: actions/dependency-review-action@v2
+
   test:
     runs-on: ${{ matrix.os }}
-
+    permissions:
+      contents: read
     strategy:
       matrix:
-        node-version: [14.x, 16.x, "*"]
+        node-version: [14, 16, '*']
         os: [ubuntu-latest, windows-latest, macOS-latest]
-
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Use Node.js
         uses: actions/setup-node@v3
@@ -50,6 +67,8 @@ jobs:
   coverage:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Coveralls Finished
         uses: coverallsapp/github-action@master

.github/workflows/sast.yml

@@ -0,0 +1,29 @@
+name: sast
+
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+  pull_request:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: true
+      matrix:
+        language: [ 'javascript' ]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - uses: github/codeql-action/analyze@v2