diff --git a/.github/workflows/boj-build.yml b/.github/workflows/boj-build.yml
index b59be5f..c99d1db 100644
--- a/.github/workflows/boj-build.yml
+++ b/.github/workflows/boj-build.yml
@@ -1,19 +1,18 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: BoJ Server Build Trigger
-
 on:
 push:
- branches: [ main, master ]
+ branches: [main, master]
 workflow_dispatch:
-
 jobs:
 trigger-boj:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
-
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Trigger BoJ Server (Casket/ssg-mcp)
 run: |
 # Send a secure trigger to boj-server to build this repository
 curl -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" -H "Content-Type: application/json" -d "{\"repo\": \"${{ github.repository }}\", \"branch\": \"${{ github.ref_name }}\", \"engine\": \"casket\\"}"}
 continue-on-error: true
+permissions: read-all
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4cfb012..3efe125 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,15 +11,13 @@
 # supported CodeQL languages.
 #
 name: "CodeQL Advanced"
-
 on:
 push:
- branches: [ "main" ]
+ branches: ["main"]
 pull_request:
- branches: [ "main" ]
+ branches: ["main"]
 schedule:
 - cron: '16 7 * * 1'
-
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
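Review bot: The `run:` script on the curl line is not shell-safe: `${{ github.ref_name }}` and `${{ github.repository }}` are expanded by GitHub straight into the command text, so a branch name containing `"`, `$(` or a backtick (all legal in git ref names, and selectable through `workflow_dispatch` by anyone allowed to dispatch this workflow) runs as shell inside the job. As written the request body also looks malformed — `\"casket\\"}"}` closes the double-quoted string after a literal backslash and then opens a second one that is never terminated, which bash should reject before curl runs at all, and `continue-on-error: true` hides that. Pass the expression values through `env:` and build the body with `jq` as below, and consider `curl --fail` so a dead trigger is at least visible in the log. The comment calls this a "secure trigger", but the request goes over plain `http://` with no authentication visible in this step, so either document what makes it secure or tighten it. The checkout pin here is `v4.1.7` while the other workflows in this change pin `v6`; presumably intentional, but worth aligning.
```yaml
      - name: Trigger BoJ Server (Casket/ssg-mcp)
        env:
          REPO: ${{ github.repository }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Build the JSON body with jq so the values are quoted as data and never parsed as shell
          BODY=$(jq -n --arg repo "$REPO" --arg branch "$REF_NAME" \
            '{repo: $repo, branch: $branch, engine: "casket"}')
          curl --fail -sS -X POST "http://boj-server.local:7700/cartridges/ssg-mcp/invoke" \
            -H "Content-Type: application/json" -d "$BODY"
        continue-on-error: true
```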
@@ -32,69 +30,64 @@ jobs:
 permissions:
 # required for all workflows
 security-events: write
- # required to fetch internal or private CodeQL packs
 packages: read
- # only required for workflows in private repositories
 actions: read
 contents: read
-
 strategy:
 fail-fast: false
 matrix:
 include:
- - language: actions
- build-mode: none
- # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
- # Use `c-cpp` to analyze code written in C, C++ or both
- # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
- # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
- # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
- # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
- # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
- # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ - language: actions
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
- # Add any setup steps before running the `github/codeql-action/init` action.
- # This includes steps like installing compilers or runtimes (`actions/setup-node`
- # or others). This is typically only required for manual builds.
- # - name: Setup runtime (example)
- # uses: actions/setup-example@v1
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
- # If the analyze step fails for one of the languages you are analyzing with
- # "We were unable to automatically build your code", modify the matrix above
- # to set the build mode to "manual" for that language. Then modify this step
- # to build your code.
- # â„šī¸ Command-line programs to run using the OS shell.
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- - name: Run manual build steps
- if: matrix.build-mode == 'manual'
- shell: bash
- run: |
- echo 'If you are using a "manual" build mode for one or more of the' \
- 'languages you are analyzing, replace this with the commands to build' \
- 'your code, for example:'
- echo ' make bootstrap'
- echo ' make release'
- exit 1
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
- with:
- category: "/language:${{matrix.language}}"
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4
+ with:
+ category: "/language:${{matrix.language}}"
+permissions: read-all
diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml
index ae3afe6..4d28b6b 100644
--- a/.github/workflows/guix-nix-policy.yml
+++ b/.github/workflows/guix-nix-policy.yml
@@ -11,13 +11,13 @@ jobs:
 # Check for package manager files
 HAS_GUIX=$(find . -name "*.scm" -o -name ".guix-channel" -o -name "guix.scm" 2>/dev/null | head -1)
 HAS_NIX=$(find . -name "*.nix" 2>/dev/null | head -1)
-
+
 # Block new package-lock.json, yarn.lock, Gemfile.lock, etc.
 NEW_LOCKS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E 'package-lock\.json|yarn\.lock|Gemfile\.lock|Pipfile\.lock|poetry\.lock|cargo\.lock' || true)
 if [ -n "$NEW_LOCKS" ]; then
 echo "âš ī¸ Lock files detected. Prefer Guix manifests for reproducibility."
 fi
-
+
 # Prefer Guix, fallback to Nix
 if [ -n "$HAS_GUIX" ]; then
 echo "✅ Guix package management detected (primary)"
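Review bot: Moving `- name: Run manual build steps` above the two unchanged comment lines `# For more details on CodeQL's query packs, refer to: …` and `# queries: security-extended,security-and-quality` leaves them sitting between that step's `name:` and its `if:`, whereas on the old side they followed `# Prefix the list here with "+" …` inside the `init` step's `with:` block, which is where a `queries:` key would actually go. Indentation is not recoverable from this view, so the file may still parse, but the hint now documents the wrong step; move those two lines back under `with:` after the `# Prefix the list …` comment, or drop them. The workflow-level `permissions: read-all` appended at the end is, per GitHub's precedence rules, overridden for `analyze` by the job's own `permissions:` block, so it changes nothing for this job; a short comment such as `# job-level permissions on 'analyze' take precedence over this default` would stop a later reader from assuming it narrows `security-events: write`.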
@@ -26,5 +26,6 @@ jobs:
 else
 echo "â„šī¸ Consider adding guix.scm or flake.nix for reproducible builds"
 fi
-
+
 echo "✅ Package policy check passed"
+permissions: read-all
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index de13f18..7fd0bac 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,17 +1,14 @@
 # SPDX-License-Identifier: PMPL-1.0-or-later
 name: Code Quality
 on: [push, pull_request]
-
 jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Check file permissions
 run: |
 find . -type f -perm /111 -name "*.sh" | head -10 || true
-
 - name: Check for secrets
 uses: trufflesecurity/trufflehog@7ee2e0fdffec27d19ccbb8fb3dcf8a83b9d7f9e8 # main
 with:
@@ -19,20 +16,16 @@ jobs:
 base: ${{ github.event.pull_request.base.sha || github.event.before }}
 head: ${{ github.sha }}
 continue-on-error: true
-
 - name: Check TODO/FIXME
 run: |
 echo "=== TODOs ==="
 grep -rn "TODO\|FIXME\|HACK\|XXX" --include="*.rs" --include="*.res" --include="*.py" --include="*.ex" . | head -20 || echo "None found"
-
 - name: Check for large files
 run: |
 find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
-
 - name: EditorConfig check
 uses: editorconfig-checker/action-editorconfig-checker@4054fa83a075fdf090bd098bdb1c09aaf64a4169 # main
 continue-on-error: true
-
 docs:
 runs-on: ubuntu-latest
 steps:
@@ -43,9 +36,10 @@ jobs:
 [ ! -f "README.md" ] && [ ! -f "README.adoc" ] && MISSING="$MISSING README"
 [ ! -f "LICENSE" ] && [ ! -f "LICENSE.txt" ] && [ ! -f "LICENSE.md" ] && MISSING="$MISSING LICENSE"
 [ ! -f "CONTRIBUTING.md" ] && [ ! -f "CONTRIBUTING.adoc" ] && MISSING="$MISSING CONTRIBUTING"
-
+
 if [ -n "$MISSING" ]; then
 echo "::warning::Missing docs:$MISSING"
 else
 echo "✅ Core documentation present"
 fi
+permissions: read-all
diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml
index 5035361..88b5922 100644
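Review bot: `permissions: read-all` is appended as the very last line of the file, directly after the step's `run: |` block scalar; it appears to be at column 0 so it should parse as a top-level key, but a grant trailing a script body is easy to mis-indent into the script on the next edit, and `wellknown-enforcement.yml` in this same change places `permissions:` beside `on:` instead. Moving it up next to `on:` here (and in `quality.yml`, `rsr-antipattern.yml`, `security-policy.yml`, `codeql.yml` and `boj-build.yml`, which append it the same way) keeps one convention and makes the token scope visible at the top of each file. The `run:` block begins in the earlier hunk; nothing in either hunk fails the job, and this tail always ends with `echo "✅ Package policy check passed"`, so a comment such as `# Advisory check: findings are printed as warnings and never fail the job` at the top of the script would make that intent explicit. While in this script, the lock-file pattern in the previous hunk lists `cargo\.lock`, which a case-sensitive `grep -E` never matches against a real `Cargo.lock`; write `Cargo\.lock` or add `-i`.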
--- a/.github/workflows/rsr-antipattern.yml
+++ b/.github/workflows/rsr-antipattern.yml
@@ -5,19 +5,16 @@
 # Allows: ReScript, Deno, WASM, Rust, OCaml, Haskell, Guile/Scheme
 name: RSR Anti-Pattern Check
-
 on:
 push:
 branches: [main, master, develop]
 pull_request:
 branches: [main, master, develop]
-
 jobs:
 antipattern-check:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
 - name: Check for TypeScript
 run: |
 if find . -name "*.ts" -o -name "*.tsx" | grep -v node_modules | grep -q .; then
@@ -26,7 +23,6 @@ jobs:
 exit 1
 fi
 echo "✅ No TypeScript files"
-
 - name: Check for Go
 run: |
 if find . -name "*.go" | grep -q .; then
@@ -35,7 +31,6 @@ jobs:
 exit 1
 fi
 echo "✅ No Go files"
-
 - name: Check for Python (non-SaltStack)
 run: |
 PY_FILES=$(find . -name "*.py" | grep -v salt | grep -v _states | grep -v _modules | grep -v pillar | grep -v venv | grep -v __pycache__ || true)
@@ -45,7 +40,6 @@ jobs:
 exit 1
 fi
 echo "✅ No non-SaltStack Python files"
-
 - name: Check for npm lockfiles
 run: |
 if [ -f "package-lock.json" ] || [ -f "yarn.lock" ]; then
@@ -53,7 +47,6 @@ jobs:
 exit 1
 fi
 echo "✅ No npm lockfiles"
-
 - name: Check for tsconfig
 run: |
 if [ -f "tsconfig.json" ]; then
@@ -61,7 +54,6 @@ jobs:
 exit 1
 fi
 echo "✅ No tsconfig.json"
-
 - name: Verify Deno presence (if package.json exists)
 run: |
 if [ -f "package.json" ]; then
@@ -70,7 +62,6 @@ jobs:
 fi
 fi
 echo "✅ Deno configuration check complete"
-
 - name: Summary
 run: |
 echo "╔════════════════════════════════════════════════════════════╗"
@@ -81,3 +72,4 @@ jobs:
 echo "║ ║"
 echo "║ Blocked: TypeScript, Go, npm, Python (non-Salt) ║"
 echo "╚════════════════════════════════════════════════════════════╝"
+permissions: read-all
diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml
index aaa463e..a5748d4 100644
--- a/.github/workflows/security-policy.yml
+++ b/.github/workflows/security-policy.yml
@@ -9,30 +9,31 @@ jobs:
 - name: Security checks
 run: |
 FAILED=false
-
+
 # Block MD5/SHA1 for security (allow for checksums/caching)
 WEAK_CRYPTO=$(grep -rE 'md5\(|sha1\(' --include="*.py" --include="*.rb" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" . 2>/dev/null | grep -v 'checksum\|cache\|test\|spec' | head -5 || true)
 if [ -n "$WEAK_CRYPTO" ]; then
 echo "âš ī¸ Weak crypto (MD5/SHA1) detected. Use SHA256+ for security:"
 echo "$WEAK_CRYPTO"
 fi
-
+
 # Block HTTP URLs (except localhost)
 HTTP_URLS=$(grep -rE 'http://[^l][^o][^c]' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.yaml" --include="*.yml" . 2>/dev/null | grep -v 'localhost\|127.0.0.1\|example\|test\|spec' | head -5 || true)
 if [ -n "$HTTP_URLS" ]; then
 echo "âš ī¸ HTTP URLs found. Use HTTPS:"
 echo "$HTTP_URLS"
 fi
-
+
 # Block hardcoded secrets patterns
 SECRETS=$(grep -rEi '(api_key|apikey|secret_key|password)\s*[=:]\s*["'][A-Za-z0-9+/=]{20,}' --include="*.py" --include="*.js" --include="*.ts" --include="*.go" --include="*.rs" --include="*.env" . 2>/dev/null | grep -v 'example\|sample\|test\|mock\|placeholder' | head -3 || true)
 if [ -n "$SECRETS" ]; then
 echo "❌ Potential hardcoded secrets detected!"
 FAILED=true
 fi
-
+
 if [ "$FAILED" = true ]; then
 exit 1
 fi
-
+
 echo "✅ Security policy check passed"
+permissions: read-all
diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml
index 557b7f4..bc63d58 100644
--- a/.github/workflows/wellknown-enforcement.yml
+++ b/.github/workflows/wellknown-enforcement.yml
@@ -13,6 +13,8 @@ on:
 # Weekly expiry check
 - cron: '0 9 * * 1'
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 validate:
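Review bot: The `SECRETS=` grep on this hunk's new side does not look parseable as shell: the character class `["']` sits inside a single-quoted pattern, so the `'` ends the quote early, the later `'` re-opens it across the pipe, and the script is left with an odd number of single quotes — bash should refuse the whole `run:` block before any of the three checks executes. Change the class to `["'\'']` so the argument reads `'(api_key|apikey|secret_key|password)\s*[=:]\s*["'\''][A-Za-z0-9+/=]{20,}'`. The `HTTP_URLS=` pattern `http://[^l][^o][^c]` also under-matches: any URL whose host starts with `l`, has `o` second, or `c` third is silently skipped, so for example `http://boj-server.local:7700` in `boj-build.yml` from this same change (second character `o`) would never be reported; use `grep -rE 'http://'` and let the existing `grep -v 'localhost\|127.0.0.1\|…'` do the exclusion. Both greps are context lines here, but this hunk ships the script as the new side, so it is the place to fix them.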