name: Security # Runs the offline Docker-server security suite: behavioral tests for the # secure-by-default posture (R1-R7). No network, browser, Redis or Docker needed # - it boots the app via TestClient and monkeypatches DNS, so it is fast # (~seconds) and deterministic. on: push: branches: [main, develop, "security/**"] paths: - "deploy/docker/**" - "crawl4ai/async_configs.py" - ".github/workflows/security.yml" pull_request: paths: - "deploy/docker/**" - "crawl4ai/async_configs.py" - ".github/workflows/security.yml" jobs: security-offline: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.10" cache: pip - name: Install dependencies run: | python -m pip install --upgrade pip pip install -e . pip install -r deploy/docker/requirements.txt pip install pytest pytest-asyncio - name: Run security suite run: | pytest deploy/docker/tests/test_security_*.py -q posture-gate: # The headline secure-by-default acceptance gate, isolated so it can be a # required status check. xfail-marked items (e.g. the build-gated # --no-sandbox removal) do not fail this job. runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: python-version: "3.10" cache: pip - name: Install dependencies run: | python -m pip install --upgrade pip pip install -e . pip install -r deploy/docker/requirements.txt pip install pytest pytest-asyncio - name: Default-posture gate run: | pytest deploy/docker/tests/test_security_default_posture.py -q