66 lines
1.8 KiB
YAML
66 lines
1.8 KiB
YAML
name: Security
|
|
|
|
# Runs the offline Docker-server security suite: behavioral tests for the
|
|
# secure-by-default posture (R1-R7). No network, browser, Redis or Docker needed
|
|
# - it boots the app via TestClient and monkeypatches DNS, so it is fast
|
|
# (~seconds) and deterministic.
|
|
|
|
on:
|
|
push:
|
|
branches: [main, develop, "security/**"]
|
|
paths:
|
|
- "deploy/docker/**"
|
|
- "crawl4ai/async_configs.py"
|
|
- ".github/workflows/security.yml"
|
|
pull_request:
|
|
paths:
|
|
- "deploy/docker/**"
|
|
- "crawl4ai/async_configs.py"
|
|
- ".github/workflows/security.yml"
|
|
|
|
jobs:
|
|
security-offline:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
cache: pip
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -e .
|
|
pip install -r deploy/docker/requirements.txt
|
|
pip install pytest pytest-asyncio
|
|
|
|
- name: Run security suite
|
|
run: |
|
|
pytest deploy/docker/tests/test_security_*.py -q
|
|
|
|
posture-gate:
|
|
# The headline secure-by-default acceptance gate, isolated so it can be a
|
|
# required status check. xfail-marked items (e.g. the build-gated
|
|
# --no-sandbox removal) do not fail this job.
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.10"
|
|
cache: pip
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -e .
|
|
pip install -r deploy/docker/requirements.txt
|
|
pip install pytest pytest-asyncio
|
|
|
|
- name: Default-posture gate
|
|
run: |
|
|
pytest deploy/docker/tests/test_security_default_posture.py -q
|