chain-client-sdk-dart/.forgejo/workflows/security.yml
flemming-it ab2205466a
Some checks failed
Security / Security check (push) Has been cancelled
ci(security): add self-test harness (mirror of fai/platform)
18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).

Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.

Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
2026-05-10 21:41:24 +02:00

51 lines
1.9 KiB
YAML

name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
security:
name: Security check
runs-on: ubuntu-latest
steps:
# Same external-URL checkout dance the fai/platform CI uses —
# the runner's internal forgejo URL is not resolvable from
# inside the DinD job container. See `reference_forgejo_ci_setup`
# in the operator memory for the rationale.
- name: Checkout via external URL
run: |
set -eu
mkdir -p "$GITHUB_WORKSPACE"
cd "$GITHUB_WORKSPACE"
git init -q
git remote add origin \
"https://x-access-token:${GITHUB_TOKEN}@git.flemming.ws/${GITHUB_REPOSITORY}.git"
# Fetch enough history that scanning back to the merge base
# / origin/main yields a non-empty diff. depth=50 covers any
# realistic PR; larger PRs still pass since the script
# falls back to the root commit on missing base.
git fetch --depth=50 origin "$GITHUB_SHA"
git checkout -q FETCH_HEAD
- name: Security check (secrets, confidentiality, banned phrases)
# Same script `tools/security/check-staged.sh` the local
# pre-commit hook runs — defense in depth, so a contributor
# without `bash tools/install-hooks.sh` still cannot land
# secrets or banned phrases on main.
run: |
set -eu
BASE="origin/main"
if [ -n "${GITHUB_BASE_REF:-}" ]; then
git fetch --depth=50 origin "$GITHUB_BASE_REF"
BASE="origin/$GITHUB_BASE_REF"
fi
bash tools/security/check-staged.sh ci "$BASE"
- name: Security script self-test
# Verifies every rule still trips on its tripwire — catches
# the case where a refactor of the script silently weakens
# a check.
run: bash tools/security/test-check-staged.sh