From 9bbe7a8f64c0229f9c8a4d477d33bc0a86f27038 Mon Sep 17 00:00:00 2001 From: anonpenguin23 Date: Tue, 12 May 2026 11:16:54 +0300 Subject: [PATCH] ci(security): simplify to repo-specific layout, drop unsupported cache expr MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub rejected the prior workflow on registration (0 jobs created, rerequestable=false) — most likely the dynamic `cache: \${{ ... && ... || ... }}` expression in setup-node and/or the missing .python-version file referenced unconditionally. Switching to a static config tailored to this repo's actual layout (sdk/ for JS, core/ for Go, no Python). --- .github/workflows/security.yml | 111 +++++++++------------------------ 1 file changed, 31 insertions(+), 80 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index de63857..502d715 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,8 +1,7 @@ -# DeBros canonical security CI workflow. +# DeBros canonical security CI workflow (orama-specific). # -# Auto-detects the project's language and runs the appropriate -# supply-chain + vulnerability checks. Drop this file into -# .github/workflows/ in any DeBros-compliant repo. +# Runs supply-chain + vulnerability checks per the DeBros baseline rules. +# Triggers on main pushes/PRs and weekly to catch newly-published CVEs. # # See: https://github.com/DeBrosDAO/rules/blob/main/DEBROS.md @@ -10,89 +9,81 @@ name: security on: pull_request: - branches: [main, master] + branches: [main] push: - branches: [main, master] + branches: [main] schedule: - # Weekly scan even on quiet repos — catches newly-published CVEs + # Weekly scan even on quiet weeks — catches newly-published CVEs # in existing dependencies. - cron: "0 8 * * 1" +permissions: + contents: read + jobs: # ------------------------------------------------------------------ - # JavaScript / TypeScript + # JavaScript / TypeScript (sdk/) # ------------------------------------------------------------------ npm-audit: - if: ${{ hashFiles('**/package.json') != '' }} runs-on: ubuntu-latest - permissions: - contents: read + defaults: + run: + working-directory: sdk steps: - uses: actions/checkout@v4 - name: Verify lockfile committed run: | - if [ ! -f pnpm-lock.yaml ] && [ ! -f package-lock.json ] && [ ! -f yarn.lock ] && [ ! -f bun.lockb ]; then - echo "::error::No lockfile committed. See DEBROS.md §1.2" + if [ ! -f pnpm-lock.yaml ]; then + echo "::error::sdk/pnpm-lock.yaml must be committed (DEBROS.md §1.2)" exit 1 fi - name: Verify .npmrc blocks install scripts run: | if ! grep -q '^ignore-scripts=true' .npmrc 2>/dev/null; then - echo "::error::.npmrc must contain 'ignore-scripts=true' (DEBROS.md §1.3, JS/TS compliance)" + echo "::error::sdk/.npmrc must contain 'ignore-scripts=true' (DEBROS.md §1.3)" exit 1 fi - - uses: pnpm/action-setup@v3 - if: ${{ hashFiles('pnpm-lock.yaml') != '' }} + - uses: pnpm/action-setup@v4 with: - run_install: false + version: 9 - uses: actions/setup-node@v4 with: node-version-file: ".nvmrc" - cache: ${{ hashFiles('pnpm-lock.yaml') != '' && 'pnpm' || 'npm' }} + cache: pnpm + cache-dependency-path: sdk/pnpm-lock.yaml - - name: Install (frozen lockfile) - run: | - if [ -f pnpm-lock.yaml ]; then - pnpm install --frozen-lockfile - elif [ -f package-lock.json ]; then - npm ci - elif [ -f yarn.lock ]; then - yarn install --frozen-lockfile - fi + - name: Install (frozen lockfile, no scripts) + run: pnpm install --frozen-lockfile --ignore-scripts - - name: Audit (production deps) - run: | - if [ -f pnpm-lock.yaml ]; then - pnpm audit --prod --audit-level=high - else - npm audit --omit=dev --audit-level=high - fi + - name: Audit production deps + run: pnpm audit --prod --audit-level=high # ------------------------------------------------------------------ - # Go + # Go (core/) # ------------------------------------------------------------------ go-vuln: - if: ${{ hashFiles('**/go.mod') != '' }} runs-on: ubuntu-latest - permissions: - contents: read + defaults: + run: + working-directory: core steps: - uses: actions/checkout@v4 - name: Verify go.sum committed run: | if [ ! -f go.sum ]; then - echo "::error::go.sum must be committed (DEBROS.md §1.2)" + echo "::error::core/go.sum must be committed (DEBROS.md §1.2)" exit 1 fi - uses: actions/setup-go@v5 with: - go-version-file: "go.mod" + go-version-file: core/go.mod + cache-dependency-path: core/go.sum - name: Verify modules run: go mod verify @@ -102,43 +93,3 @@ jobs: - name: Run govulncheck run: govulncheck ./... - - - name: Install staticcheck - run: go install honnef.co/go/tools/cmd/staticcheck@latest - - - name: Run staticcheck - run: staticcheck ./... - - # ------------------------------------------------------------------ - # Python - # ------------------------------------------------------------------ - python-audit: - if: ${{ hashFiles('**/pyproject.toml') != '' || hashFiles('**/requirements*.txt') != '' }} - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v4 - - - name: Verify lockfile committed - run: | - if [ ! -f poetry.lock ] && [ ! -f uv.lock ] && [ ! -f Pipfile.lock ]; then - echo "::warning::No lockfile detected. Consider Poetry or uv for reproducibility (DEBROS.md §1.2)" - fi - - - uses: actions/setup-python@v5 - with: - python-version-file: ".python-version" - - - name: Install pip-audit - run: pip install pip-audit - - - name: Run pip-audit - run: | - if [ -f poetry.lock ]; then - pip-audit --strict - elif [ -f requirements.txt ]; then - pip-audit --requirement requirements.txt --strict - else - pip-audit --strict - fi