# Reusable: security-static + CodeQL gate. # Runs independently from lint/test/build — does not block the main pipeline. # Affects overall workflow success status. name: Security Gate on: workflow_call: {} permissions: contents: read jobs: security-static: runs-on: ubuntu-latest timeout-minutes: 5 steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: "Layer 1: Static allow-list audit" run: scripts/security-audit.sh - name: "Layer 6: UI security audit" run: scripts/security-ui.sh - name: "Layer 8: Vendored dependency integrity" run: scripts/security-vendored.sh license-gate: runs-on: ubuntu-latest timeout-minutes: 240 steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Install ScanCode Toolkit run: pipx install scancode-toolkit - name: "Gate self-test (a planted violation must be detected)" run: scripts/license-gate.sh --selftest - name: "License compliance gate (one finding fails)" run: scripts/license-gate.sh - name: "License provenance audit (byte-identity vs upstream)" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: scripts/audit-license-provenance.py codeql-gate: runs-on: ubuntu-latest timeout-minutes: 240 steps: - name: Wait for CodeQL on current commit (max 45 min) env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | # On pull_request events github.sha is the synthetic merge commit; # CodeQL runs are recorded against the PR head SHA. CURRENT_SHA="${{ github.event.pull_request.head.sha || github.sha }}" echo "Waiting for CodeQL to complete on $CURRENT_SHA..." for attempt in $(seq 1 90); do LATEST=$(gh api "repos/${{ github.repository }}/actions/workflows/codeql.yml/runs?head_sha=$CURRENT_SHA&per_page=1" \ --jq '.workflow_runs[] | "\(.conclusion) \(.status)"' 2>/dev/null | head -1 || echo "") if [ -z "$LATEST" ]; then echo " $attempt/90: no run yet..."; sleep 30; continue fi CONCLUSION=$(echo "$LATEST" | cut -d' ' -f1) STATUS=$(echo "$LATEST" | cut -d' ' -f2) if [ "$STATUS" = "completed" ] && [ "$CONCLUSION" = "success" ]; then echo "=== CodeQL passed ==="; exit 0 elif [ "$STATUS" = "completed" ]; then echo "BLOCKED: CodeQL $CONCLUSION"; exit 1 fi echo " $attempt/90: $STATUS..."; sleep 30 done echo "BLOCKED: CodeQL timeout"; exit 1 - name: Check for open code scanning alerts env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "Waiting 60s for alert API to settle..." sleep 60 ALERTS=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0") sleep 15 ALERTS2=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0") [ "$ALERTS" -lt "$ALERTS2" ] && ALERTS=$ALERTS2 if [ "$ALERTS" -gt 0 ]; then echo "BLOCKED: $ALERTS open alert(s)" gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' \ --jq '.[] | " #\(.number) [\(.rule.security_severity_level // .rule.severity)] \(.rule.id) — \(.most_recent_instance.location.path):\(.most_recent_instance.location.start_line)"' 2>/dev/null || true exit 1 fi echo "=== CodeQL gate passed (0 alerts) ==="