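--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@@ -40,4 +40,10 @@ ignore = [
 # lru::IterMut directly; chitchat is on the dependabot ignore list (wire
 # format critical). See `vex/lru-rustsec-2026-0002.json`.
 "RUSTSEC-2026-0002",
+
+# proc-macro-error2 2.0.1 unmaintained — author confirmed end-of-life on
+# 2026-06-07. Build-time only, pulled transitively via tabled_derive ->
+# tabled (springtale-cli table rendering). No runtime code, no CVE. Tracking
+# tabled's migration away from it. See `vex/proc-macro-error2-rustsec-2026-0173.json`.
+"RUSTSEC-2026-0173",
 ]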
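Review bot: The justification on the new `RUSTSEC-2026-0173` entry ("Build-time only ... No runtime code") understates the exposure, because a proc-macro crate executes inside the compiler on every developer and CI machine that builds the workspace. The ignore also has no revisit condition, so it will outlive the tabled migration it refers to unless someone remembers to remove it. I would reword the comment to say the crate runs at build time on the build host, and add a line such as `# Re-evaluate by <REVIEW_DATE> or when tabled drops proc-macro-error2, whichever is first.`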
3 changes: 1 addition & 2 deletions .github/repo-config.yml
Expand Up @@ -120,15 +120,14 @@ org_actions_policy:
- "EmbarkStudios/cargo-deny-action@*"
- "rustsec/audit-check@*"
- "pnpm/action-setup@*"
- "gitleaks/gitleaks-action@*"
- "trufflesecurity/trufflehog@*"
- "aquasecurity/trivy-action@*"
- "anchore/scan-action@*"
- "anchore/sbom-action@*"
- "hadolint/hadolint-action@*"
- "returntocorp/semgrep-action@*"
- "raven-actions/actionlint@*"
- "woodruffw/zizmor-action@*"
- "zizmorcore/zizmor-action@*"
- "ossf/scorecard-action@*"
- "google/osv-scanner-action@*"
- "step-security/harden-runner@*"
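Review bot: Every entry in this allowlist, including the new `"zizmorcore/zizmor-action@*"`, ends in `@*`, so the policy accepts any tag, branch or commit of these actions while the workflows in the same change move to full-SHA pins. The pinning is therefore a convention this policy does not enforce: a later edit back to a floating tag would still pass it. If whatever consumes `org_actions_policy` can express it, pair the allowlist with a require-full-SHA setting, or make the existing zizmor/actionlint job fail on any unpinned `uses:`. The rendered page does not show which two entries the hunk removes, so it is worth confirming that no remaining workflow references them.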
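--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -44,10 +44,12 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 with:
 components: rustfmt
@@ -60,14 +62,16 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 with:
 components: clippy
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - run: cargo clippy --workspace --all-targets -- -D warnings
 
 # ── Test ──────────────────────────────────────────────────────────
@@ -77,12 +81,14 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - uses: taiki-e/install-action@nextest
 - run: cargo nextest run --workspace --locked
 - run: cargo test --doc --locked
@@ -94,12 +100,14 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 # System deps for tauri (webkit2gtk).
 - run: |
 sudo apt-get update
@@ -114,11 +122,13 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
-- uses: pnpm/action-setup@v4
+with:
+persist-credentials: false
+- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 9
 - uses: actions/setup-node@v4
@@ -142,11 +152,13 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
-- uses: pnpm/action-setup@v4
+with:
+persist-credentials: false
+- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 9
 - uses: actions/setup-node@v4
@@ -173,10 +185,12 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - name: Tauri CSP must be present and strict
 run: |
 set -euo pipefail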
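Review bot: `actions/checkout@v4`, `dtolnay/rust-toolchain@stable`, `taiki-e/install-action@nextest` and `actions/setup-node@v4` are still referenced by moving tag or branch in the jobs this section touches. The SHA pinning applied to harden-runner, rust-cache and pnpm/action-setup therefore leaves steps that run in every job resolvable to whatever the ref points at on the day of the run. Pin each to a full commit SHA with the release in a trailing comment, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA> # v4.x.y`, and prefer an exact version over `# v2` in the existing comments so update tooling can track it. The same gap is visible in codeowners-lint.yml, container.yml (`github/codeql-action/upload-sarif@v3`), dast.yml, fuzz.yml (`dtolnay/rust-toolchain@nightly`, `actions/upload-artifact@v4`) and llm-redteam.yml. Separately, `egress-policy: audit` only records outbound traffic, so harden-runner enforces nothing until it is moved to `block` with an allowlist built from the audit baseline.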
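--- a/.github/workflows/codeowners-lint.yml
+++ b/.github/workflows/codeowners-lint.yml
@@ -26,11 +26,13 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
-- uses: mszostok/codeowners-validator@v0.7.4
+with:
+persist-credentials: false
+- uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4
 with:
 checks: "files,duppatterns,syntax"
 experimental_checks: "notowned"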
57 changes: 41 additions & 16 deletions .github/workflows/container.yml
Expand Up @@ -40,13 +40,15 @@ jobs:
outputs:
image-id: ${{ steps.build.outputs.imageid }}
steps:
- uses: step-security/harden-runner@v2
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
with:
persist-credentials: false
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- id: build
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
Expand All @@ -63,26 +65,40 @@ jobs:
contents: read
security-events: write
steps:
- uses: step-security/harden-runner@v2
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6
with:
persist-credentials: false
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
load: true
tags: springtale-local:ci
cache-from: type=gha
- uses: aquasecurity/trivy-action@0.28.0
- uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: springtale-local:ci
format: sarif
output: trivy.sarif
severity: HIGH,CRITICAL
exit-code: '1'
# CRITICAL: in SARIF mode `severity` does NOT filter the report, and
# `exit-code` then fires on ANY finding in it (including LOW). This
# makes the severity filter apply to the SARIF + exit-code, so the
# job gates only on HIGH/CRITICAL — not the LOW rust-dep advisories
# (rand/lru/rpassword) which cargo-audit already tracks.
limit-severities-for-sarif: true
# Only fail on FIXABLE vulnerabilities — un-actionable upstream
# base-OS CVEs (debian "wont-fix") can't be patched from here and are
# picked up automatically when the distroless base is rebuilt.
ignore-unfixed: true
# vuln-only: secret scanning is owned by secrets.yml (gitleaks +
# trufflehog) and false-positives on compiled-binary strings here.
scanners: vuln
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
Expand All @@ -97,23 +113,30 @@ jobs:
contents: read
security-events: write
steps:
- uses: step-security/harden-runner@v2
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6
with:
persist-credentials: false
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
load: true
tags: springtale-local:ci
cache-from: type=gha
- uses: anchore/scan-action@v6
- uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
with:
image: springtale-local:ci
fail-build: true
severity-cutoff: high
# Only fail on vulnerabilities with an available fix — mirrors
# Trivy's ignore-unfixed. The base's libc6 HIGH/CRITICAL CVEs are all
# debian "wont-fix" (CVE-2026-5450/5435/5928 + the disputed glibc
# set), so they're un-actionable until distroless rebuilds.
only-fixed: true
output-format: sarif
output-file: grype.sarif
- uses: github/codeql-action/upload-sarif@v3
Expand All @@ -129,24 +152,26 @@ jobs:
permissions:
contents: read
steps:
- uses: step-security/harden-runner@v2
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6
with:
persist-credentials: false
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
load: true
tags: springtale-local:ci
cache-from: type=gha
- uses: anchore/sbom-action@v0
- uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
with:
image: springtale-local:ci
format: cyclonedx-json
output-file: image-sbom.cdx.json
- uses: anchore/sbom-action@v0
- uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
with:
image: springtale-local:ci
format: spdx-json
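Review bot: `ignore-unfixed: true` on the Trivy step and `only-fixed: true` on the Grype step appear to drop unfixed findings from the scanner output itself, not only from the exit code. If so, the SARIF uploaded to code scanning no longer lists the base-image HIGH/CRITICAL CVEs that the comments describe as won't-fix. That removes the record that would show when one of them gains a fix or changes status, and "picked up automatically when the distroless base is rebuilt" then depends on someone noticing the rebuild. Keep the gating steps as written and add a report-only pass whose SARIF is uploaded under its own category, or record the accepted CVEs in a VEX/ignore file with a review date, as is done for the cargo advisories. The upload-sarif step continues past the end of the hunk, so its inputs are not visible here.
```yaml
# … unchanged: gating Trivy step (ignore-unfixed: true, exit-code: '1') …
# Report-only pass: keeps unfixed HIGH/CRITICAL findings visible in code scanning.
- uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
  with:
    image-ref: springtale-local:ci
    format: sarif
    output: trivy-unfixed.sarif
    severity: HIGH,CRITICAL
    limit-severities-for-sarif: true
    scanners: vuln
    exit-code: '0'
# … unchanged: upload-sarif step; a second upload for trivy-unfixed.sarif needs its own category …
```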
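--- a/.github/workflows/dast.yml
+++ b/.github/workflows/dast.yml
@@ -22,11 +22,13 @@ jobs:
 contents: read
 issues: write # ZAP action opens issues for findings
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
-- uses: pnpm/action-setup@v4
+with:
+persist-credentials: false
+- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 9
 - uses: actions/setup-node@v4
@@ -45,7 +47,7 @@ jobs:
 if curl -fsS http://127.0.0.1:4173 > /dev/null; then break; fi
 sleep 1
 done
-- uses: zaproxy/action-baseline@v0.14.0
+- uses: zaproxy/action-baseline@7c4deb10e6261301961c86d65d54a516394f9aed # v0.14.0
 with:
 target: 'http://127.0.0.1:4173'
 rules_file_name: '.github/zap-rules.tsv'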
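--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -43,18 +43,26 @@ jobs:
 - fuzz_path_canon
 - fuzz_url_allowlist
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@nightly
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - run: cargo install cargo-fuzz --locked
 - name: Run fuzz target
+# `${{...}}` context data is never interpolated directly into the
+# script — it's passed through `env:` and referenced as quoted shell
+# variables so untrusted input can't break out into the runner
+# (CWE-78 / semgrep run-shell-injection / zizmor template-injection).
+env:
+FUZZ_TARGET: ${{ matrix.target }}
+FUZZ_DURATION: ${{ inputs.duration_seconds || '300' }}
 run: |
-duration=${{ inputs.duration_seconds || '300' }}
 cd fuzz
-cargo +nightly fuzz run ${{ matrix.target }} -- -max_total_time=$duration
+cargo +nightly fuzz run "$FUZZ_TARGET" -- -max_total_time="$FUZZ_DURATION"
 - uses: actions/upload-artifact@v4
 if: failure()
 with: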
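Review bot: `FUZZ_DURATION` is now quoted, which closes the injection path, but it still reaches the fuzzer as `-max_total_time="$FUZZ_DURATION"` without any check that it is a number. A mistyped `duration_seconds` on a manual dispatch is therefore handed to libFuzzer as-is instead of being rejected with a clear error; the input's declaration is outside the hunk, so it may already be typed there. A one-line guard at the top of the `run:` script covers it: `case "$FUZZ_DURATION" in ''|*[!0-9]*) echo "duration_seconds must be an integer" >&2; exit 1;; esac`. In the same job, `cargo install cargo-fuzz --locked` installs whatever release is current, so adding `--version <PINNED_VERSION>` would bring it in line with the SHA pinning done elsewhere in this change.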
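--- a/.github/workflows/llm-redteam.yml
+++ b/.github/workflows/llm-redteam.yml
@@ -32,11 +32,13 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: step-security/harden-runner@v2
+- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
 with:
 egress-policy: audit
 - uses: actions/checkout@v4
+with:
+persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
-- uses: Swatinem/rust-cache@v2
+- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
 - uses: taiki-e/install-action@nextest
 - run: cargo nextest run -p springtale-ai --test redteam_corpus --no-fail-fast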