Skip to content

Commit 62aefa8

Browse files
authored
Merge pull request #20 from ScopeCreep-zip/ci/green-pipeline
ci: repair the full CI/CD pipeline
2 parents b7066a9 + b5f19ea commit 62aefa8

49 files changed

Lines changed: 582 additions & 326 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.cargo/audit.toml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,4 +40,10 @@ ignore = [
4040
# lru::IterMut directly; chitchat is on the dependabot ignore list (wire
4141
# format critical). See `vex/lru-rustsec-2026-0002.json`.
4242
"RUSTSEC-2026-0002",
43+
44+
# proc-macro-error2 2.0.1 unmaintained — author confirmed end-of-life on
45+
# 2026-06-07. Build-time only, pulled transitively via tabled_derive ->
46+
# tabled (springtale-cli table rendering). No runtime code, no CVE. Tracking
47+
# tabled's migration away from it. See `vex/proc-macro-error2-rustsec-2026-0173.json`.
48+
"RUSTSEC-2026-0173",
4349
]

.github/repo-config.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -120,15 +120,14 @@ org_actions_policy:
120120
- "EmbarkStudios/cargo-deny-action@*"
121121
- "rustsec/audit-check@*"
122122
- "pnpm/action-setup@*"
123-
- "gitleaks/gitleaks-action@*"
124123
- "trufflesecurity/trufflehog@*"
125124
- "aquasecurity/trivy-action@*"
126125
- "anchore/scan-action@*"
127126
- "anchore/sbom-action@*"
128127
- "hadolint/hadolint-action@*"
129128
- "returntocorp/semgrep-action@*"
130129
- "raven-actions/actionlint@*"
131-
- "woodruffw/zizmor-action@*"
130+
- "zizmorcore/zizmor-action@*"
132131
- "ossf/scorecard-action@*"
133132
- "google/osv-scanner-action@*"
134133
- "step-security/harden-runner@*"

.github/workflows/ci.yml

Lines changed: 26 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -44,10 +44,12 @@ jobs:
4444
permissions:
4545
contents: read
4646
steps:
47-
- uses: step-security/harden-runner@v2
47+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
4848
with:
4949
egress-policy: audit
5050
- uses: actions/checkout@v4
51+
with:
52+
persist-credentials: false
5153
- uses: dtolnay/rust-toolchain@stable
5254
with:
5355
components: rustfmt
@@ -60,14 +62,16 @@ jobs:
6062
permissions:
6163
contents: read
6264
steps:
63-
- uses: step-security/harden-runner@v2
65+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
6466
with:
6567
egress-policy: audit
6668
- uses: actions/checkout@v4
69+
with:
70+
persist-credentials: false
6771
- uses: dtolnay/rust-toolchain@stable
6872
with:
6973
components: clippy
70-
- uses: Swatinem/rust-cache@v2
74+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
7175
- run: cargo clippy --workspace --all-targets -- -D warnings
7276

7377
# ── Test ──────────────────────────────────────────────────────────
@@ -77,12 +81,14 @@ jobs:
7781
permissions:
7882
contents: read
7983
steps:
80-
- uses: step-security/harden-runner@v2
84+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
8185
with:
8286
egress-policy: audit
8387
- uses: actions/checkout@v4
88+
with:
89+
persist-credentials: false
8490
- uses: dtolnay/rust-toolchain@stable
85-
- uses: Swatinem/rust-cache@v2
91+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
8692
- uses: taiki-e/install-action@nextest
8793
- run: cargo nextest run --workspace --locked
8894
- run: cargo test --doc --locked
@@ -94,12 +100,14 @@ jobs:
94100
permissions:
95101
contents: read
96102
steps:
97-
- uses: step-security/harden-runner@v2
103+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
98104
with:
99105
egress-policy: audit
100106
- uses: actions/checkout@v4
107+
with:
108+
persist-credentials: false
101109
- uses: dtolnay/rust-toolchain@stable
102-
- uses: Swatinem/rust-cache@v2
110+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
103111
# System deps for tauri (webkit2gtk).
104112
- run: |
105113
sudo apt-get update
@@ -114,11 +122,13 @@ jobs:
114122
permissions:
115123
contents: read
116124
steps:
117-
- uses: step-security/harden-runner@v2
125+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
118126
with:
119127
egress-policy: audit
120128
- uses: actions/checkout@v4
121-
- uses: pnpm/action-setup@v4
129+
with:
130+
persist-credentials: false
131+
- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
122132
with:
123133
version: 9
124134
- uses: actions/setup-node@v4
@@ -142,11 +152,13 @@ jobs:
142152
permissions:
143153
contents: read
144154
steps:
145-
- uses: step-security/harden-runner@v2
155+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
146156
with:
147157
egress-policy: audit
148158
- uses: actions/checkout@v4
149-
- uses: pnpm/action-setup@v4
159+
with:
160+
persist-credentials: false
161+
- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
150162
with:
151163
version: 9
152164
- uses: actions/setup-node@v4
@@ -173,10 +185,12 @@ jobs:
173185
permissions:
174186
contents: read
175187
steps:
176-
- uses: step-security/harden-runner@v2
188+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
177189
with:
178190
egress-policy: audit
179191
- uses: actions/checkout@v4
192+
with:
193+
persist-credentials: false
180194
- name: Tauri CSP must be present and strict
181195
run: |
182196
set -euo pipefail

.github/workflows/codeowners-lint.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,11 +26,13 @@ jobs:
2626
permissions:
2727
contents: read
2828
steps:
29-
- uses: step-security/harden-runner@v2
29+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
3030
with:
3131
egress-policy: audit
3232
- uses: actions/checkout@v4
33-
- uses: mszostok/codeowners-validator@v0.7.4
33+
with:
34+
persist-credentials: false
35+
- uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f # v0.7.4
3436
with:
3537
checks: "files,duppatterns,syntax"
3638
experimental_checks: "notowned"

.github/workflows/container.yml

Lines changed: 41 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -40,13 +40,15 @@ jobs:
4040
outputs:
4141
image-id: ${{ steps.build.outputs.imageid }}
4242
steps:
43-
- uses: step-security/harden-runner@v2
43+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
4444
with:
4545
egress-policy: audit
4646
- uses: actions/checkout@v4
47-
- uses: docker/setup-buildx-action@v3
47+
with:
48+
persist-credentials: false
49+
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
4850
- id: build
49-
uses: docker/build-push-action@v6
51+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
5052
with:
5153
context: .
5254
push: false
@@ -63,26 +65,40 @@ jobs:
6365
contents: read
6466
security-events: write
6567
steps:
66-
- uses: step-security/harden-runner@v2
68+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
6769
with:
6870
egress-policy: audit
6971
- uses: actions/checkout@v4
70-
- uses: docker/setup-buildx-action@v3
71-
- uses: docker/build-push-action@v6
72+
with:
73+
persist-credentials: false
74+
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
75+
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
7276
with:
7377
context: .
7478
push: false
7579
load: true
7680
tags: springtale-local:ci
7781
cache-from: type=gha
78-
- uses: aquasecurity/trivy-action@0.28.0
82+
- uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
7983
with:
8084
image-ref: springtale-local:ci
8185
format: sarif
8286
output: trivy.sarif
8387
severity: HIGH,CRITICAL
8488
exit-code: '1'
89+
# CRITICAL: in SARIF mode `severity` does NOT filter the report, and
90+
# `exit-code` then fires on ANY finding in it (including LOW). This
91+
# makes the severity filter apply to the SARIF + exit-code, so the
92+
# job gates only on HIGH/CRITICAL — not the LOW rust-dep advisories
93+
# (rand/lru/rpassword) which cargo-audit already tracks.
94+
limit-severities-for-sarif: true
95+
# Only fail on FIXABLE vulnerabilities — un-actionable upstream
96+
# base-OS CVEs (debian "wont-fix") can't be patched from here and are
97+
# picked up automatically when the distroless base is rebuilt.
8598
ignore-unfixed: true
99+
# vuln-only: secret scanning is owned by secrets.yml (gitleaks +
100+
# trufflehog) and false-positives on compiled-binary strings here.
101+
scanners: vuln
86102
- uses: github/codeql-action/upload-sarif@v3
87103
if: always()
88104
with:
@@ -97,23 +113,30 @@ jobs:
97113
contents: read
98114
security-events: write
99115
steps:
100-
- uses: step-security/harden-runner@v2
116+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
101117
with:
102118
egress-policy: audit
103119
- uses: actions/checkout@v4
104-
- uses: docker/setup-buildx-action@v3
105-
- uses: docker/build-push-action@v6
120+
with:
121+
persist-credentials: false
122+
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
123+
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
106124
with:
107125
context: .
108126
push: false
109127
load: true
110128
tags: springtale-local:ci
111129
cache-from: type=gha
112-
- uses: anchore/scan-action@v6
130+
- uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
113131
with:
114132
image: springtale-local:ci
115133
fail-build: true
116134
severity-cutoff: high
135+
# Only fail on vulnerabilities with an available fix — mirrors
136+
# Trivy's ignore-unfixed. The base's libc6 HIGH/CRITICAL CVEs are all
137+
# debian "wont-fix" (CVE-2026-5450/5435/5928 + the disputed glibc
138+
# set), so they're un-actionable until distroless rebuilds.
139+
only-fixed: true
117140
output-format: sarif
118141
output-file: grype.sarif
119142
- uses: github/codeql-action/upload-sarif@v3
@@ -129,24 +152,26 @@ jobs:
129152
permissions:
130153
contents: read
131154
steps:
132-
- uses: step-security/harden-runner@v2
155+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
133156
with:
134157
egress-policy: audit
135158
- uses: actions/checkout@v4
136-
- uses: docker/setup-buildx-action@v3
137-
- uses: docker/build-push-action@v6
159+
with:
160+
persist-credentials: false
161+
- uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
162+
- uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
138163
with:
139164
context: .
140165
push: false
141166
load: true
142167
tags: springtale-local:ci
143168
cache-from: type=gha
144-
- uses: anchore/sbom-action@v0
169+
- uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
145170
with:
146171
image: springtale-local:ci
147172
format: cyclonedx-json
148173
output-file: image-sbom.cdx.json
149-
- uses: anchore/sbom-action@v0
174+
- uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
150175
with:
151176
image: springtale-local:ci
152177
format: spdx-json

.github/workflows/dast.yml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,11 +22,13 @@ jobs:
2222
contents: read
2323
issues: write # ZAP action opens issues for findings
2424
steps:
25-
- uses: step-security/harden-runner@v2
25+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
2626
with:
2727
egress-policy: audit
2828
- uses: actions/checkout@v4
29-
- uses: pnpm/action-setup@v4
29+
with:
30+
persist-credentials: false
31+
- uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
3032
with:
3133
version: 9
3234
- uses: actions/setup-node@v4
@@ -45,7 +47,7 @@ jobs:
4547
if curl -fsS http://127.0.0.1:4173 > /dev/null; then break; fi
4648
sleep 1
4749
done
48-
- uses: zaproxy/action-baseline@v0.14.0
50+
- uses: zaproxy/action-baseline@7c4deb10e6261301961c86d65d54a516394f9aed # v0.14.0
4951
with:
5052
target: 'http://127.0.0.1:4173'
5153
rules_file_name: '.github/zap-rules.tsv'

.github/workflows/fuzz.yml

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -43,18 +43,26 @@ jobs:
4343
- fuzz_path_canon
4444
- fuzz_url_allowlist
4545
steps:
46-
- uses: step-security/harden-runner@v2
46+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
4747
with:
4848
egress-policy: audit
4949
- uses: actions/checkout@v4
50+
with:
51+
persist-credentials: false
5052
- uses: dtolnay/rust-toolchain@nightly
51-
- uses: Swatinem/rust-cache@v2
53+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
5254
- run: cargo install cargo-fuzz --locked
5355
- name: Run fuzz target
56+
# `${{...}}` context data is never interpolated directly into the
57+
# script — it's passed through `env:` and referenced as quoted shell
58+
# variables so untrusted input can't break out into the runner
59+
# (CWE-78 / semgrep run-shell-injection / zizmor template-injection).
60+
env:
61+
FUZZ_TARGET: ${{ matrix.target }}
62+
FUZZ_DURATION: ${{ inputs.duration_seconds || '300' }}
5463
run: |
55-
duration=${{ inputs.duration_seconds || '300' }}
5664
cd fuzz
57-
cargo +nightly fuzz run ${{ matrix.target }} -- -max_total_time=$duration
65+
cargo +nightly fuzz run "$FUZZ_TARGET" -- -max_total_time="$FUZZ_DURATION"
5866
- uses: actions/upload-artifact@v4
5967
if: failure()
6068
with:

.github/workflows/llm-redteam.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,11 +32,13 @@ jobs:
3232
permissions:
3333
contents: read
3434
steps:
35-
- uses: step-security/harden-runner@v2
35+
- uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
3636
with:
3737
egress-policy: audit
3838
- uses: actions/checkout@v4
39+
with:
40+
persist-credentials: false
3941
- uses: dtolnay/rust-toolchain@stable
40-
- uses: Swatinem/rust-cache@v2
42+
- uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
4143
- uses: taiki-e/install-action@nextest
4244
- run: cargo nextest run -p springtale-ai --test redteam_corpus --no-fail-fast

0 commit comments

Comments
 (0)