e93507a09c
Lockfile supply-chain audit / lockfile supply-chain audit (push) Has been cancelled
Windows Studio GGUF CI / GPU prebuilt resolves without Visual Studio (push) Has been cancelled
Windows Studio GGUF CI / setup.ps1 unit tests (VS 2026 / CMake guard) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2022) (push) Has been cancelled
Windows Studio GGUF CI / real-VS detection (VS 2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-2025-vs2026) (push) Has been cancelled
Windows Studio GGUF CI / VC++ runtime detect + install round-trip (windows-latest) (push) Has been cancelled
Windows Studio Update CI / Studio Updating Tests (push) Has been cancelled
Wheel CI / Wheel build + content sanity + import smoke (push) Has been cancelled
Lint CI / Source lint (Python + shell + YAML + JSON + safety nets) (push) Has been cancelled
MLX CI on Mac M1 / dispatch (push) Has been cancelled
Security audit / advisory audit (pip + npm + cargo) (push) Has been cancelled
Security audit / pip scan-packages :: extras (push) Has been cancelled
Security audit / pip scan-packages :: studio (push) Has been cancelled
Security audit / pip scan-packages :: hf-stack (push) Has been cancelled
Security audit / npm scan-packages (Studio frontend tarballs) (push) Has been cancelled
Security audit / workflow-trigger lint (pull_request_target / cache-poisoning) (push) Has been cancelled
Security audit / pytest tests/security (push) Has been cancelled
Security audit / npm provenance + new install-script diff (push) Has been cancelled
Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Backend CI / (Python 3.10) (push) Has been cancelled
Backend CI / (Python 3.11) (push) Has been cancelled
Backend CI / (Python 3.12) (push) Has been cancelled
Backend CI / (Python 3.13) (push) Has been cancelled
Backend CI / Repo tests (CPU) (push) Has been cancelled
Frontend CI / Frontend build + bundle sanity (push) Has been cancelled
Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Mac Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Mac Studio GGUF CI / JSON, images (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-14) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26) (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-15-intel) (push) Has been cancelled
Mac Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Mac Studio Install Matrix CI / Install + load (macos-26-intel) (push) Has been cancelled
Mac Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Tauri CI / Tauri Linux debug build (no codesign) (push) Has been cancelled
Mac Studio Update CI / Studio Updating Tests (push) Has been cancelled
Studio UI CI / Chat UI Tests (push) Has been cancelled
Windows Studio API CI / Studio API & Auth Tests (push) Has been cancelled
Windows Studio UI CI / Chat UI Tests (push) Has been cancelled
Studio Update CI / Studio Updating Tests (push) Has been cancelled
Core / Core (HF=default + TRL=default) (push) Has been cancelled
Core / Core (HF=4.57.6 + TRL<1) (push) Has been cancelled
Core / Core (HF=latest + TRL=latest) (push) Has been cancelled
Core / llama.cpp build + smoke (push) Has been cancelled
Windows Studio GGUF CI / OpenAI, Anthropic API tests (push) Has been cancelled
Windows Studio GGUF CI / Tool calling Tests (push) Has been cancelled
Windows Studio GGUF CI / JSON, images (push) Has been cancelled
Windows Studio GGUF CI / Studio install + inference without Visual Studio (push) Has been cancelled
Studio export capability / capability (macos-latest) (push) Has been cancelled
Studio export capability / capability (ubuntu-latest) (push) Has been cancelled
Studio export capability / capability (windows-latest) (push) Has been cancelled
Cross-platform parity / parity (macos-latest) (push) Has been cancelled
Cross-platform parity / parity (windows-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
Studio load-orchestrator CI / test (push) Has been cancelled
80 lines
3.0 KiB
YAML
80 lines
3.0 KiB
YAML
# SPDX-License-Identifier: AGPL-3.0-only
|
|
# Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
|
|
#
|
|
# Fast, focused supply-chain audit of every checked-in lockfile.
|
|
#
|
|
# Runs scripts/lockfile_supply_chain_audit.py on PRs that touch any
|
|
# npm or cargo lockfile, on push to main, and on a daily schedule so
|
|
# newly-published IOCs surface even when no PR opens.
|
|
#
|
|
# Default behavior is "advisory": only public indicator-of-compromise
|
|
# strings, known-malicious pinned versions, and structurally broken
|
|
# lockfiles fail the build. Structural anomalies (missing integrity,
|
|
# non-default registry, etc.) are emitted as GitHub Actions warnings
|
|
# but do not block merges. This deliberately keeps the noise floor
|
|
# low while still failing the moment a checked-in lockfile starts
|
|
# pointing at known-bad bytes.
|
|
#
|
|
# This workflow is intentionally separate from security-audit.yml:
|
|
# - security-audit.yml is the umbrella job (pip-audit + npm audit +
|
|
# cargo audit + OSV + Semgrep + secret scanning + SBOM + ...);
|
|
# it takes ~25 minutes and runs only when dep manifests change.
|
|
# - lockfile-audit.yml is a ~30 second pure-Python parse + grep on
|
|
# the lockfiles themselves; it runs on every PR that even nudges
|
|
# a lockfile so reviewers always see the audit result inline.
|
|
|
|
name: Lockfile supply-chain audit
|
|
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- 'studio/frontend/package-lock.json'
|
|
- 'studio/backend/core/data_recipe/oxc-validator/package-lock.json'
|
|
- 'studio/package-lock.json'
|
|
- 'studio/src-tauri/Cargo.lock'
|
|
- 'scripts/lockfile_supply_chain_audit.py'
|
|
- '.github/workflows/lockfile-audit.yml'
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'studio/frontend/package-lock.json'
|
|
- 'studio/backend/core/data_recipe/oxc-validator/package-lock.json'
|
|
- 'studio/package-lock.json'
|
|
- 'studio/src-tauri/Cargo.lock'
|
|
- 'scripts/lockfile_supply_chain_audit.py'
|
|
- '.github/workflows/lockfile-audit.yml'
|
|
schedule:
|
|
- cron: '37 5 * * *'
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
audit:
|
|
name: lockfile supply-chain audit
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
steps:
|
|
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Verify audit script parses
|
|
run: python3 -c "import ast; ast.parse(open('scripts/lockfile_supply_chain_audit.py').read())"
|
|
|
|
- name: Run lockfile supply-chain audit
|
|
# Default mode: only known-malicious pinned versions, known IOC
|
|
# strings, and structurally broken lockfiles fail the build.
|
|
# Missing-integrity and other structural anomalies are emitted
|
|
# as ::warning:: annotations and do not gate merges.
|
|
run: python3 scripts/lockfile_supply_chain_audit.py
|