feat: CI/CD pipeline with security scanning

.github/CODEOWNERS

@@ -0,0 +1,30 @@
+# CODEOWNERS for Engram
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Global fallback - require review from code owners
+* @moralpriest
+
+# CI/CD workflows - critical for security
+/.github/workflows/ @moralpriest
+/.github/workflows/security.yml @moralpriest
+/.github/workflows/release.yml @moralpriest
+
+# Security policies and documentation
+/SECURITY.md @moralpriest
+/docs/SECURITY_AUDIT.md @moralpriest
+
+# Dependency management
+/go.mod @moralpriest
+/go.sum @moralpriest
+/.github/dependabot.yml @moralpriest
+
+# Build and release scripts
+*.sh @moralpriest
+Makefile @moralpriest
+
+# Cryptographic code
+/crypto*.go @moralpriest
+*wallet*.go @moralpriest
+*key*.go @moralpriest
+*encrypt*.go @moralpriest
+*sign*.go @moralpriest

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,24 +4,24 @@ about: Create a report to help us improve
 title: "[BUG]"
 labels: bug
 assignees: ''
-
 ---
 
-**Describe the bug**  
-*A clear and concise description of what the bug is.*
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
 
-**To Reproduce**  
-*Steps to reproduce the behavior:*
-1. *Go to '...'*
-2. *Click on '....'*
-3. *Scroll down to '....'*
-4. *See error*
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
 
-**Expected behavior**  
-*A clear and concise description of what you expected to happen.*
+**Expected behavior**
+A clear and concise description of what you expected to happen.
 
-**Screenshots**  
-*If applicable, add screenshots to help explain your problem.*
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
 
-**Additional context**  
-*Add any other context about the problem here.*
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -4,17 +4,16 @@ about: Suggest an idea for this project
 title: "[FEATURE]"
 labels: enhancement
 assignees: ''
-
 ---
 
-**Is your feature request related to a problem? Please describe.**  
-*A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]*
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
 
-**Describe the solution you'd like**  
-*A clear and concise description of what you want to happen.*
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
 
-**Describe alternatives you've considered**  
-*A clear and concise description of any alternative solutions or features you've considered.*
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
 
-**Additional context**  
-*Add any other context or screenshots about the feature request here.*
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/dependabot.yml

@@ -0,0 +1,48 @@
+# Dependabot configuration for Engram
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
+
+version: 2
+updates:
+  # Go modules
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+    labels:
+      - "dependencies"
+      - "go"
+    groups:
+      # Group golang.org/x packages together
+      golang-x:
+        patterns:
+          - "golang.org/x/*"
+      # Group Fyne packages together
+      fyne:
+        patterns:
+          - "fyne.io/*"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "UTC"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "ci"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    groups:
+      # Group all actions together
+      actions:
+        patterns:
+          - "*"

.github/pull_request_template.md

@@ -3,7 +3,8 @@
 **Please include a summary of the changes and the related issue or feature.**
 
 **NOTE**: The merge process is as follows:
-- Your pull request should be directed to `dev` branch. 
+
+- Your pull request should be directed to `dev` branch.
 - When it will be merged in `dev`, we will compile and merge within `dev` and then push into `main` for final release.
 
 Fixes # (issue)
@@ -17,26 +18,26 @@ Fixes # (issue)
 - [ ] (Major) Breaking change (fix or feature that would cause existing functionality to not work as expected)
 - [ ] This change requires a documentation update
 
-## Which part is impacted ?
-
-  - [ ] UI/UX
-  - [ ] Dashboard
-  - [ ] History
-  - [ ] Send
-  - [ ] Module: Identity
-  - [ ] Module: My Account
-  - [ ] Module: Messages
-  - [ ] Module: Transfers
-  - [ ] Module: Asset Explorer
-  - [ ] Module: Services
-  - [ ] Module: Cyberdeck
-  - [ ] Module: File Manager
-  - [ ] Module: Contract Builder
-  - [ ] Module: Datapad
-  - [ ] Module: TELA
-  - [ ] Misc (documentation, etc...)
-
-## Checklist:
+## Which part is impacted?
+
+- [ ] UI/UX
+- [ ] Dashboard
+- [ ] History
+- [ ] Send
+- [ ] Module: Identity
+- [ ] Module: My Account
+- [ ] Module: Messages
+- [ ] Module: Transfers
+- [ ] Module: Asset Explorer
+- [ ] Module: Services
+- [ ] Module: Cyberdeck
+- [ ] Module: File Manager
+- [ ] Module: Contract Builder
+- [ ] Module: Datapad
+- [ ] Module: TELA
+- [ ] Misc (documentation, etc...)
+
+## Checklist
 
 - [ ] I have performed a self-review of my code
 - [ ] I have commented my code (if applicable)
@@ -45,4 +46,4 @@ Fixes # (issue)
 
 ## License
 
-I am contributing & releasing the code under RESEARCH LICENSE (which can be found [here](https://raw.githubusercontent.com/DEROFDN/Engram/main/LICENSE)).
+I am contributing & releasing the code under RESEARCH LICENSE (which can be found [here](https://raw.githubusercontent.com/DEROFDN/Engram/main/LICENSE)).

.github/scripts/setup-branch-protection.sh

@@ -0,0 +1,150 @@
+#!/bin/bash
+# Configure branch protection rules for Engram repository
+# This script should be run by a repository admin
+
+set -e
+
+REPO="moralpriest/Engram"
+
+echo "Configuring branch protection rules for Engram..."
+echo "Repository: $REPO"
+echo ""
+
+# Check if gh CLI is installed and authenticated
+if ! command -v gh &> /dev/null; then
+    echo "Error: GitHub CLI (gh) is not installed"
+    echo "Install from: https://cli.github.com/"
+    exit 1
+fi
+
+if ! gh auth status &> /dev/null; then
+    echo "Error: Not authenticated with GitHub CLI"
+    echo "Run: gh auth login"
+    exit 1
+fi
+
+# Configure main branch protection
+echo "Setting up main branch protection..."
+gh api repos/$REPO/branches/main/protection \
+  --method PUT \
+  --input - <<EOF
+{
+  "required_status_checks": {
+    "strict": true,
+    "contexts": [
+      "Lint",
+      "Build (ubuntu-latest)",
+      "Build (macos-latest)",
+      "Build (windows-latest)",
+      "Test",
+      "Secret Scanning",
+      "Go Vulnerability Check",
+      "Go Security Analysis",
+      "CodeQL Analysis",
+      "Semgrep Analysis",
+      "Trivy Filesystem Scan",
+      "Lint Markdown",
+      "Check Links",
+      "Spell Check"
+    ]
+  },
+  "enforce_admins": true,
+  "required_pull_request_reviews": {
+    "required_approving_review_count": 1,
+    "dismiss_stale_reviews": true,
+    "require_code_owner_reviews": true
+  },
+  "restrictions": null,
+  "allow_force_pushes": false,
+  "allow_deletions": false,
+  "required_linear_history": true,
+  "required_signatures": true
+}
+EOF
+
+echo "✅ Main branch protection configured"
+
+# Configure dev branch protection
+echo "Setting up dev branch protection..."
+gh api repos/$REPO/branches/dev/protection \
+  --method PUT \
+  --input - <<EOF
+{
+  "required_status_checks": {
+    "strict": true,
+    "contexts": [
+      "Lint",
+      "Build (ubuntu-latest)",
+      "Build (macos-latest)",
+      "Build (windows-latest)",
+      "Test",
+      "Secret Scanning",
+      "Go Vulnerability Check",
+      "Go Security Analysis"
+    ]
+  },
+  "enforce_admins": false,
+  "required_pull_request_reviews": {
+    "required_approving_review_count": 1,
+    "dismiss_stale_reviews": true
+  },
+  "restrictions": null,
+  "allow_force_pushes": false,
+  "allow_deletions": false
+}
+EOF
+
+echo "✅ Dev branch protection configured"
+
+# Set up ruleset for workflow files
+echo "Setting up ruleset for workflow protection..."
+gh api repos/$REPO/rulesets \
+  --method POST \
+  --input - <<EOF
+{
+  "name": "Protect CI/CD Workflows",
+  "target": "branch",
+  "enforcement": "active",
+  "conditions": {
+    "ref_name": {
+      "include": ["~DEFAULT_BRANCH"],
+      "exclude": []
+    }
+  },
+  "rules": [
+    {
+      "type": "required_status_checks",
+      "parameters": {
+        "required_status_checks": [
+          {"context": "Lint", "integration_id": 15368},
+          {"context": "Test", "integration_id": 15368}
+        ],
+        "strict_required_status_checks_policy": true
+      }
+    },
+    {
+      "type": "pull_request",
+      "parameters": {
+        "required_approving_review_count": 1,
+        "dismiss_stale_reviews_on_push": true,
+        "require_code_owner_review": true
+      }
+    }
+  ],
+  "bypass_actors": []
+}
+EOF
+
+echo "✅ Ruleset configured"
+
+echo ""
+echo "========================================"
+echo "Branch protection setup complete!"
+echo ""
+echo "Summary:"
+echo "  - main: Strict protection, requires all checks + code owner review"
+echo "  - dev: Moderate protection, requires checks + 1 review"
+echo "  - Workflow changes require CODEOWNERS approval"
+echo ""
+echo "Note: Repository admin bypass is disabled for main branch"
+echo "========================================"