🚀 Add Brakeman scan and improve CI workflows

- Renamed `.erb-lint.yml` to `.erb_lint.yml`
- Added a new GitHub Actions workflow for Brakeman security scans
- Enhanced existing workflows with better permissions
- Introduced Ruby test runs workflow with caching for gems and yarn
- Configured Overcommit hooks for code quality checks
- Updated RuboCop configuration for improved style enforcement

.github/workflows/brakeman.yml

@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '20 4 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  brakeman-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.3'
+        bundler-cache: true
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '6.2.2'
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: output.sarif.json

.github/workflows/release-drafter.yml

@@ -2,12 +2,17 @@ name: Release Drafter
 
 on:
   push:
-    # branches to consider in the event; optional, defaults to all
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"

.github/workflows/ruby-tests.yml

@@ -0,0 +1,75 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby Test Runs
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.3']
+
+    env:
+      BUNDLE_WITHOUT: 'development'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+      - name: Setup Node 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+
+      - name: Get yarn cache
+        id: yarn-cache
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+
+      - name: Cache yarn
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn-cache.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-yarn-
+
+      - name: Cache gems
+        uses: actions/cache@v4
+        with:
+          path: vendor/bundle
+          key: ${{ runner.os }}-gem-v1-${{ hashFiles('**/Gemfile.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-gem-v1-
+
+      - name: Install dependencies
+        run: |
+          gem install bundler
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3
+          yarn install --frozen-lockfile
+
+      - name: Prepare tests
+        run: |
+          bin/rails assets:precompile RAILS_ENV=test
+          bin/rails db:migrate RAILS_ENV=test
+
+      - name: Run tests
+        run: |
+          bin/rails test

.overcommit.yml

@@ -0,0 +1,77 @@
+# Use this file to configure the Overcommit hooks you wish to use. This will
+# extend the default configuration defined in:
+# https://github.com/sds/overcommit/blob/main/config/default.yml
+#
+# At the topmost level of this YAML file is a key representing type of hook
+# being run (e.g. pre-commit, commit-msg, etc.). Within each type you can
+# customize each hook, such as whether to only run it on certain files (via
+# `include`), whether to only display output if it fails (via `quiet`), etc.
+#
+# For a complete list of hooks, see:
+# https://github.com/sds/overcommit/tree/main/lib/overcommit/hook
+#
+# For a complete list of options that you can use to customize hooks, see:
+# https://github.com/sds/overcommit#configuration
+#
+# Uncomment the following lines to make the configuration take effect.
+
+verify_signatures: false
+
+PreCommit:
+  I18nTasksNormalize:
+    enabled: true
+    description: 'Run i18n-tasks normalize on locales'
+    required_executable: 'i18n-tasks'
+    include:
+      - 'config/locales/**/*.yml'
+    command: ['bundle', 'exec', 'i18n-tasks', 'normalize']
+    on_warn: fail # Ensure it stops commit if there's a warning
+
+  RuboCop:
+    enabled: true
+    required: true
+    command: ['bundle', 'exec', 'rubocop', '-f', 'simple']
+
+  AutoFixTrailingWhitespace:
+    enabled: true
+    description: 'Removes trailing whitespace in files'
+    command: 'sed -i -e "s/[[:space:]]\+$//"'
+    include: '**/*.{rb,yml}'  # Fix for file pattern matching
+    exclude: ['vendor/**/*']   # You can add more exclusions as needed
+
+  TrailingWhitespace:
+    enabled: false
+    exclude:
+      - '**/db/structure.sql' # Ignore trailing whitespace in generated files
+
+  ErbLint:
+    enabled: true
+    required: true
+    command: ['bundle', 'exec', 'erblint', '--lint-all']
+
+#   StandardRB:
+#    enabled: false
+#    required: true
+#    command: ['bundle', 'exec', 'standardrb']
+#  RustyWind:
+#    enabled: true
+#    required: true
+#    command: ['yarn', 'run', 'rustywind-fix']
+
+# PrePush:
+#   RSpec:
+#     enabled: true
+#     required: true
+#     command: ['bundle', 'exec', 'rspec']
+
+#PreCommit:
+#  RuboCop:
+#    enabled: true
+#    on_warn: fail # Treat all warnings as failures
+#
+#PostCheckout:
+#  ALL: # Special hook name that customizes all hooks of this type
+#    quiet: true # Change all post-checkout hooks to only display output on failure
+#
+#  IndexTags:
+#    enabled: true # Generate a tags file with `ctags` each time HEAD changes