87 lines
3.6 KiB
YAML
87 lines
3.6 KiB
YAML
# Reusable: security-static + CodeQL gate.
|
|
# Runs independently from lint/test/build — does not block the main pipeline.
|
|
# Affects overall workflow success status.
|
|
name: Security Gate
|
|
|
|
on:
|
|
workflow_call: {}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
security-static:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
- name: "Layer 1: Static allow-list audit"
|
|
run: scripts/security-audit.sh
|
|
- name: "Layer 6: UI security audit"
|
|
run: scripts/security-ui.sh
|
|
- name: "Layer 8: Vendored dependency integrity"
|
|
run: scripts/security-vendored.sh
|
|
|
|
license-gate:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 240
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
- name: Install ScanCode Toolkit
|
|
run: pipx install scancode-toolkit
|
|
- name: "Gate self-test (a planted violation must be detected)"
|
|
run: scripts/license-gate.sh --selftest
|
|
- name: "License compliance gate (one finding fails)"
|
|
run: scripts/license-gate.sh
|
|
- name: "License provenance audit (byte-identity vs upstream)"
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: scripts/audit-license-provenance.py
|
|
|
|
codeql-gate:
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 240
|
|
steps:
|
|
- name: Wait for CodeQL on current commit (max 45 min)
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
# On pull_request events github.sha is the synthetic merge commit;
|
|
# CodeQL runs are recorded against the PR head SHA.
|
|
CURRENT_SHA="${{ github.event.pull_request.head.sha || github.sha }}"
|
|
echo "Waiting for CodeQL to complete on $CURRENT_SHA..."
|
|
for attempt in $(seq 1 90); do
|
|
LATEST=$(gh api "repos/${{ github.repository }}/actions/workflows/codeql.yml/runs?head_sha=$CURRENT_SHA&per_page=1" \
|
|
--jq '.workflow_runs[] | "\(.conclusion) \(.status)"' 2>/dev/null | head -1 || echo "")
|
|
if [ -z "$LATEST" ]; then
|
|
echo " $attempt/90: no run yet..."; sleep 30; continue
|
|
fi
|
|
CONCLUSION=$(echo "$LATEST" | cut -d' ' -f1)
|
|
STATUS=$(echo "$LATEST" | cut -d' ' -f2)
|
|
if [ "$STATUS" = "completed" ] && [ "$CONCLUSION" = "success" ]; then
|
|
echo "=== CodeQL passed ==="; exit 0
|
|
elif [ "$STATUS" = "completed" ]; then
|
|
echo "BLOCKED: CodeQL $CONCLUSION"; exit 1
|
|
fi
|
|
echo " $attempt/90: $STATUS..."; sleep 30
|
|
done
|
|
echo "BLOCKED: CodeQL timeout"; exit 1
|
|
|
|
- name: Check for open code scanning alerts
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
echo "Waiting 60s for alert API to settle..."
|
|
sleep 60
|
|
ALERTS=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
|
|
sleep 15
|
|
ALERTS2=$(gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' --jq 'length' 2>/dev/null || echo "0")
|
|
[ "$ALERTS" -lt "$ALERTS2" ] && ALERTS=$ALERTS2
|
|
if [ "$ALERTS" -gt 0 ]; then
|
|
echo "BLOCKED: $ALERTS open alert(s)"
|
|
gh api 'repos/${{ github.repository }}/code-scanning/alerts?state=open' \
|
|
--jq '.[] | " #\(.number) [\(.rule.security_severity_level // .rule.severity)] \(.rule.id) — \(.most_recent_instance.location.path):\(.most_recent_instance.location.start_line)"' 2>/dev/null || true
|
|
exit 1
|
|
fi
|
|
echo "=== CodeQL gate passed (0 alerts) ==="
|