Add code scanning module, renumber exercises, and improve workshop flow

Add new exercise 2 (Securing the Development Pipeline) covering Dependabot,
secret scanning, and code scanning. Includes callouts connecting code
scanning to GitHub Actions, and a Dependabot note bridging to the CI
exercise.

Renumber exercises 2-8 to 3-9 and update all cross-references.

Additional improvements across all exercises:
- Add codespace and terminal callouts at context-switch points
- Rename ci.yml to run-tests.yml with display name 'Run Tests'
- Rename CD workflow display name to 'Deploy App'
- Add 'Open your codespace' section to exercise 0
- Update exercise 3 intro to flow from code scanning module

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: GeekTrainer

content/github-actions/0-setup.md

@@ -14,26 +14,38 @@ Let's create the repository you'll use for your workshop.
 1. Navigate to [the repository root][repo-root]
 2. Select **Use this template** > **Create a new repository**
 
-    ![Screenshot of Use this template dropdown](../images/setup-use-template.png)
+    ![Screenshot of Use this template dropdown](../shared-images/setup-use-template.png)
 
 3. Under **Owner**, select the name of your GitHub handle, or the owner specified by your workshop leader.
 4. Under **Repository**, set the name to **pets-workshop**, or the name specified by your workshop leader.
 5. Ensure **Public** is selected for the visibility, or the value indicated by your workshop leader.
 6. Select **Create repository from template**.
 
-    ![Screenshot of configured template creation dialog](../images/setup-configure-repo.png)
+    ![Screenshot of configured template creation dialog](../shared-images/setup-configure-repo.png)
 
 In a few moments a new repository will be created from the template for this workshop!
 
+## Open your codespace
+
+Now let's open a codespace so you have a development environment ready to go.
+
+1. Navigate to the main page of your newly created repository.
+2. Select **Code** > **Codespaces** > **Create codespace on main**.
+
+    In a few moments a codespace will open in your browser with a full VS Code editor. This is where you'll create and edit files throughout the workshop.
+
+> [!TIP]
+> If your codespace ever disconnects or you close the tab, you can reopen it by navigating to your repository and selecting **Code** > **Codespaces** and the name of your codespace.
+
 ## Summary and next steps
 
-You've now created the repository you'll use for this workshop! Next let's [create your first workflow][walkthrough-next].
+You've created the repository and opened a codespace — you're ready to start building! Next let's [create your first workflow][walkthrough-next].
 
 | [← GitHub Actions: From CI to CD][walkthrough-previous] | [Next: Introduction & Your First Workflow →][walkthrough-next] |
 |:-----------------------------------|------------------------------------------:|
 
-[fork-repo]: https://docs.github.com/en/get-started/quickstart/fork-a-repo
-[template-repo]: https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository
+[fork-repo]: https://docs.github.com/get-started/quickstart/fork-a-repo
+[template-repo]: https://docs.github.com/repositories/creating-and-managing-repositories/creating-a-template-repository
 [repo-root]: /
 [walkthrough-previous]: README.md
 [walkthrough-next]: 1-introduction.md

content/github-actions/1-introduction.md

@@ -1,6 +1,6 @@
 # Introduction & Your First Workflow
 
-| [← Workshop Setup][walkthrough-previous] | [Next: Running Tests →][walkthrough-next] |
+| [← Workshop Setup][walkthrough-previous] | [Next: Securing the Development Pipeline →][walkthrough-next] |
 |:-----------------------------------|------------------------------------------:|
 
 [GitHub Actions][github-actions] is an automation platform built into GitHub that lets you build, test, and deploy your code directly from your repository. While it's most commonly used for CI/CD, it can automate just about any task in your development workflow — from labeling issues to resizing images.
@@ -18,7 +18,7 @@ Before diving in, here are the key terms you'll encounter:
 
 The shelter has built its application — a Flask API and Astro frontend — and the team is ready to start automating their development workflow. Before diving into CI/CD, let's start with the basics: creating a simple workflow, triggering it manually, and understanding the logs.
 
-## Understanding GitHub Actions
+## Background
 
 A workflow file is written in YAML and lives in the `.github/workflows/` directory. Here are the core sections you'll work with:
 
@@ -34,7 +34,7 @@ A workflow file is written in YAML and lives in the `.github/workflows/` directo
 
 Let's start with the classic "Hello World" — a workflow you can trigger manually from the GitHub UI.
 
-1. In your repository, create the folder `.github/workflows/` if it doesn't already exist.
+1. In your codespace, create the folder `.github/workflows/` if it doesn't already exist.
 2. Create a new file named `.github/workflows/hello.yml`.
 3. Add the following content:
 
@@ -68,22 +68,23 @@ Let's start with the classic "Hello World" — a workflow you can trigger manual
 
 Now let's push the workflow and trigger it by hand.
 
-1. Stage and commit your changes:
+1. Open the terminal in your codespace by pressing <kbd>Ctl</kbd>+<kbd>`</kbd>.
+2. Stage and commit your changes:
 
     ```bash
     git add .github/workflows/hello.yml
     git commit -m "Add hello world workflow"
     ```
 
-2. Push to your repository:
+3. Push to your repository:
 
     ```bash
     git push
     ```
 
-3. Navigate to your repository on GitHub and select the **Actions** tab.
-4. In the left sidebar, select the **Hello World** workflow.
-5. Select the **Run workflow** button, keep the default branch, and select **Run workflow** again to confirm.
+4. Navigate to your repository on GitHub and select the **Actions** tab.
+5. In the left sidebar, select the **Hello World** workflow.
+6. Select the **Run workflow** button, keep the default branch, and select **Run workflow** again to confirm.
 
 ## Explore the logs
 
@@ -103,7 +104,7 @@ Once the run completes, let's explore what happened.
 
 Congratulations! You've created and run your first GitHub Actions workflow. You've learned how to define a workflow in YAML, trigger it manually with `workflow_dispatch`, and navigate the logs in the Actions UI.
 
-Next, we'll put this knowledge to work by [building a CI workflow][walkthrough-next] that automatically tests the shelter's application.
+Next, we'll put this knowledge to work by [securing the development pipeline][walkthrough-next] with code scanning, Dependabot, and secret scanning.
 
 ### Resources
 
@@ -112,14 +113,14 @@ Next, we'll put this knowledge to work by [building a CI workflow][walkthrough-n
 - [Events that trigger workflows][workflow-triggers]
 - [Understanding GitHub Actions][understanding-actions]
 
-| [← Workshop Setup][walkthrough-previous] | [Next: Running Tests →][walkthrough-next] |
+| [← Workshop Setup][walkthrough-previous] | [Next: Securing the Development Pipeline →][walkthrough-next] |
 |:-----------------------------------|------------------------------------------:|
 
 [actions-marketplace]: https://github.com/marketplace?type=actions
 [github-actions]: https://github.com/features/actions
-[github-actions-docs]: https://docs.github.com/en/actions
-[understanding-actions]: https://docs.github.com/en/actions/about-github-actions/understanding-github-actions
-[workflow-syntax]: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
-[workflow-triggers]: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+[github-actions-docs]: https://docs.github.com/actions
+[understanding-actions]: https://docs.github.com/actions/about-github-actions/understanding-github-actions
+[workflow-syntax]: https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions
+[workflow-triggers]: https://docs.github.com/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
 [walkthrough-previous]: 0-setup.md
-[walkthrough-next]: 2-running-tests.md
+[walkthrough-next]: 2-code-scanning.md

content/github-actions/2-code-scanning.md

@@ -0,0 +1,121 @@
+# Securing the Development Pipeline
+
+| [← Introduction & Your First Workflow][walkthrough-previous] | [Next: Running Tests →][walkthrough-next] |
+|:-----------------------------------|------------------------------------------:|
+
+In the previous exercise you created your first GitHub Actions workflow — a manually triggered "Hello World." Before building out CI/CD, let's explore security. Ensuring code security is imperative in today's environment, and GitHub provides tools that automate this for you — many of which are powered by GitHub Actions under the hood.
+
+When we think about how we create code today, there are three main areas to secure:
+
+- The **code we write** — which may contain vulnerabilities
+- The **libraries we use** — which may have known security issues
+- The **credentials we manage** — which may accidentally leak into source code
+
+[GitHub Advanced Security][advanced-security] provides a suite of tools covering each of these areas. Let's explore and enable them on our repository.
+
+## Scenario
+
+Security is important in every application. By detecting potential vulnerabilities early, teams can make updates before incidents occur. The shelter wants to ensure insecure code and libraries are detected as early as possible. You'll enable Dependabot, secret scanning, and code scanning to meet these needs.
+
+## Background
+
+[GitHub Advanced Security][advanced-security-docs] is a set of security features available directly in GitHub. The three pillars are:
+
+- **Code scanning** analyzes your source code for security vulnerabilities using [CodeQL][about-code-scanning], GitHub's semantic code analysis engine. When enabled, it runs as a GitHub Actions workflow — the same automation platform you used in the previous exercise. Every push and pull request triggers the analysis automatically.
+- **Dependabot** monitors your project's dependencies for known vulnerabilities and can automatically create [pull requests][about-prs] to update insecure packages to safe versions.
+- **Secret scanning** detects tokens, keys, and other credentials that have been committed to your repository, and can block pushes that contain [supported secrets][supported-secrets].
+
+> [!NOTE]
+> Code scanning is built on [GitHub Actions][github-actions]. When you enable CodeQL's default setup, GitHub creates and manages a workflow for you behind the scenes. You'll see this connection more clearly when you navigate to the **Actions** tab after enabling it. This is a great example of how Actions powers automation across the GitHub platform — not just CI/CD pipelines you write yourself.
+
+## Configure Dependabot
+
+Most projects depend on open source and external libraries. While modern development would be impossible without them, we always need to ensure the dependencies we use are secure. [Dependabot][dependabot-quickstart] monitors your repository's dependencies and raises alerts — or even creates pull requests — to update insecure packages.
+
+Public repositories on GitHub automatically have Dependabot alerts enabled. Let's configure Dependabot to also create PRs that update insecure library versions automatically.
+
+1. Navigate to your repository on GitHub.
+2. Select **Settings** > **Code security** (under **Security** in the sidebar).
+3. Locate the **Dependabot** section.
+
+    ![Screenshot of the Dependabot section](../shared-images/dependabot-settings.png)
+
+4. Select **Enable** next to **Dependabot security updates** to configure Dependabot to create PRs to resolve alerts.
+
+You've now enabled Dependabot alerts and security updates! When an insecure library is detected, you'll receive an alert, and Dependabot will create a pull request to update to a secure version.
+
+> [!TIP]
+> Dependabot doesn't just alert you — it can automatically create pull requests that bump library versions to secure ones. When you pair this with a CI pipeline that runs tests on every PR (which you'll build in the [next exercise][walkthrough-next]), those Dependabot PRs are automatically tested before merging. This creates a powerful feedback loop: vulnerabilities are detected, fixes are proposed, and your tests verify the update won't break anything — all without manual intervention.
+
+> [!IMPORTANT]
+> After enabling Dependabot security updates you may notice new pull requests created for potentially outdated packages. For this workshop you can ignore these pull requests.
+
+## Enable secret scanning
+
+Many developers have accidentally checked in code containing tokens or credentials. Regardless of the reason, even seemingly innocuous tokens can create a security issue. [Secret scanning][about-secret-scanning] detects tokens in your source code and raises alerts. With push protection enabled, pushes containing supported secrets are blocked before they reach your repository.
+
+1. On the same **Code security** settings page, locate the **Secret scanning** section.
+2. Next to **Receive alerts on GitHub for detected secrets, keys or other tokens**, select **Enable**.
+3. Next to **Push protection**, select **Enable** to block pushes containing a [supported secret][supported-secrets].
+
+    ![Screenshot of fully configured secret scanning](../shared-images/secret-scanning-settings.png)
+
+You've now enabled secret scanning and push protection — helping prevent credentials from reaching your repository.
+
+## Enable code scanning
+
+There is a direct relationship between the amount of code an organization writes and its potential attack surface. [Code scanning][about-code-scanning] analyzes your source code for known vulnerabilities. When an issue is detected on a pull request, a comment is added highlighting the affected line with contextual information for the developer.
+
+Let's enable code scanning with the default CodeQL setup. This runs automatically whenever code is pushed to `main` or a pull request targets `main`, and on a regular schedule to catch newly discovered vulnerabilities.
+
+1. On the same **Code security** settings page, locate the **Code scanning** section.
+2. Next to **CodeQL analysis**, select **Set up** > **Default**.
+
+    ![Screenshot of code scanning dropdown menu](../shared-images/code-scanning-setup.png)
+
+3. On the **CodeQL default configuration** dialog, select **Enable CodeQL**.
+
+    ![Screenshot of code scanning dialog](../shared-images/code-scanning-dialog.png)
+
+> [!IMPORTANT]
+> Your list of languages may be different from what's shown in the screenshot.
+
+A background process starts and configures a CodeQL analysis workflow for your repository.
+
+> [!TIP]
+> After enabling CodeQL, navigate to the **Actions** tab in your repository. You'll see a new **CodeQL** workflow listed alongside the **Hello World** workflow you created earlier. This is the Actions workflow that GitHub created automatically to run code scanning — proof that Actions isn't just for CI/CD, but powers many of GitHub's built-in features.
+
+## Summary and next steps
+
+You've enabled GitHub Advanced Security for your repository:
+
+- **Dependabot** monitors dependencies for known vulnerabilities and creates PRs to update them.
+- **Secret scanning** detects leaked credentials and blocks pushes containing supported secrets.
+- **Code scanning** analyzes your source code using CodeQL, running as a GitHub Actions workflow on every push and PR.
+
+These tools run automatically in the background, catching security issues before they reach production. Now that you've seen how GitHub uses Actions internally for security automation, it's time to build your own CI workflow. Next, we'll [automate testing][walkthrough-next] for the shelter's application.
+
+### Resources
+
+- [About GitHub Advanced Security][advanced-security-docs]
+- [About code scanning with CodeQL][about-code-scanning]
+- [Dependabot quickstart guide][dependabot-quickstart]
+- [About secret scanning][about-secret-scanning]
+- [GitHub Skills: Secure your repository's supply chain][skills-supply-chain]
+- [GitHub Skills: Secure code game][skills-secure-code]
+
+| [← Introduction & Your First Workflow][walkthrough-previous] | [Next: Running Tests →][walkthrough-next] |
+|:-----------------------------------|------------------------------------------:|
+
+[about-code-scanning]: https://docs.github.com/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning
+[about-prs]: https://docs.github.com/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests
+[about-secret-scanning]: https://docs.github.com/code-security/secret-scanning/introduction/about-secret-scanning
+[advanced-security]: https://github.com/features/security
+[advanced-security-docs]: https://docs.github.com/get-started/learning-about-github/about-github-advanced-security
+[dependabot-quickstart]: https://docs.github.com/code-security/getting-started/dependabot-quickstart-guide
+[github-actions]: https://github.com/features/actions
+[supported-secrets]: https://docs.github.com/code-security/secret-scanning/introduction/supported-secret-scanning-patterns
+[skills-supply-chain]: https://github.com/skills/secure-repository-supply-chain
+[skills-secure-code]: https://github.com/skills/secure-code-game
+[walkthrough-previous]: 1-introduction.md
+[walkthrough-next]: 3-running-tests.md