HyphaApp · frjo · Apr 10, 2026 · Apr 9, 2026
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -15,6 +15,10 @@ version-resolver:
       - "patch"
   default: patch
 categories:
+  - title: "🔒 Security"
+    labels:
+      - "Type: Security"
+      - "security"
   - title: "🚀 Features"
     labels:
       - "Type: Feature"

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,25 +14,39 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, test]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [main]
+    branches:
+      - main
+  schedule:
+    - cron: "30 5 * * 2"  # Every Tuesday at 05:30 UTC
+
+permissions:
+  security-events: write  # to upload SARIF results
+  actions: read
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
 
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript, python]
+
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
-          languages: javascript, python
+          languages: ${{ matrix.language }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -2,21 +2,23 @@ name: Release Drafter
 
 on:
   push:
-    # branches to consider in the event; optional, defaults to all
     branches:
       - main
-  # pull_request event is required only for autolabeler
-  pull_request:
-    # Only following types are handled by the action, but one can default to all as well
-    types: [opened, reopened, synchronize]
 
   workflow_dispatch:
 
+permissions:
+  contents: write
+  pull-requests: read
+
+concurrency:
+  group: release-drafter
+  cancel-in-progress: false
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      # Drafts your next Release notes as Pull Requests are merged into "main"
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}