ci: add security scanning

[okwn]

Summary

Adds security scanning to CI.

Testing

CI passes.

---

Summary by cubic

Add a CI security job that scans the repo with Trivy and publishes results to the GitHub Security tab. This catches vulnerabilities automatically on pushes and forked PRs.

• New Features
  • New security job runs aquasecurity/trivy-action (fs scan) and uploads SARIF via github/codeql-action/upload-sarif.
  • Triggers on push (skips commits with message "codegen metadata") and on PRs from forks; uses depot-ubuntu-24.04 for this repo, else ubuntu-latest.
  • Sets a 15-minute timeout.

^{Written for commit efc2d57. Summary will update on new commits. Review in cubic}

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/ci.yml">

<violation number="1" location=".github/workflows/ci.yml:118">
P1: Missing `permissions: security-events: write` in the `security` job, which is required by `github/codeql-action/upload-sarif` to upload SARIF results. Without this permission, the step will fail on fork PRs where `GITHUB_TOKEN` defaults to read-only.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[cubic-dev-ai]

P1: Missing permissions: security-events: write in the security job, which is required by github/codeql-action/upload-sarif to upload SARIF results. Without this permission, the step will fail on fork PRs where GITHUB_TOKEN defaults to read-only.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/ci.yml, line 118:

<comment>Missing `permissions: security-events: write` in the `security` job, which is required by `github/codeql-action/upload-sarif` to upload SARIF results. Without this permission, the step will fail on fork PRs where `GITHUB_TOKEN` defaults to read-only.</comment>

<file context>
@@ -114,3 +114,25 @@ jobs:
       - name: Run tests
         run: ./scripts/test
+
+  security:
+    timeout-minutes: 15
+    name: security
</file context>

Suggested change

	security:
	timeout-minutes: 15
	name: security
	runs-on: ${{ github.repository == 'stainless-sdks/agentmail-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
	if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
	security:
	timeout-minutes: 15
	name: security
	permissions:
	security-events: write
	runs-on: ${{ github.repository == 'stainless-sdks/agentmail-cli' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
	if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')