SecAI_OS/.github/workflows/ci.yml at 0aac3221e9a2e88ec8d913dc5d802c924de1ae62 · SecAI-Hub/SecAI_OS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: CI

on:
  push:
    branches: [main]
    paths-ignore:
      - "**.md"
  pull_request:
    paths-ignore:
      - "**.md"
  workflow_dispatch:

concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

# Minimal permissions by default
permissions:
  contents: read

jobs:
  go-build-and-test:
    name: Go Build & Test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    strategy:
      matrix:
        service: [registry, tool-firewall, airlock]
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.23"
          cache-dependency-path: services/${{ matrix.service }}/go.sum

      - name: Build
        working-directory: services/${{ matrix.service }}
        run: CGO_ENABLED=0 go build -ldflags="-s -w" -o /dev/null .

      - name: Test
        working-directory: services/${{ matrix.service }}
        run: go test -v -race -count=1 ./...

      - name: Vet
        working-directory: services/${{ matrix.service }}
        run: go vet ./...

  go-securectl:
    name: Build securectl CLI
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.23"
          cache-dependency-path: services/registry/go.sum

      - name: Build securectl
        working-directory: services/registry
        run: CGO_ENABLED=0 go build -ldflags="-s -w" -o /dev/null ./cmd/securectl/

  python-test:
    name: Python Test & Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"

      - name: Install dependencies
        run: pip install pyyaml flask requests pytest

      - name: Lint (syntax check)
        run: |
          python -m py_compile services/quarantine/quarantine/pipeline.py
          python -m py_compile services/quarantine/quarantine/watcher.py
          python -m py_compile services/ui/ui/app.py
          python -m py_compile services/search-mediator/app.py
          python -m py_compile services/diffusion-worker/app.py
          python -m py_compile services/common/audit_chain.py
          python -m py_compile services/common/auth.py
          python -m py_compile services/common/mlock_helper.py

      - name: Test
        run: python -m pytest tests/ -v

  shellcheck:
    name: Shell Script Lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Lint shell scripts
        run: |
          shellcheck -s bash \
            files/system/usr/libexec/secure-ai/*.sh \
            files/scripts/build-services.sh \
            files/scripts/generate-mok.sh

  policy-validate:
    name: Validate YAML configs
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.12"

      - name: Install pyyaml
        run: pip install pyyaml

      - name: Validate YAML files
        run: |
          python -c "
          import yaml, sys, glob
          errors = 0
          for pattern in ['files/system/etc/secure-ai/**/*.yaml', 'recipes/*.yml']:
              for f in glob.glob(pattern, recursive=True):
                  try:
                      with open(f) as fh:
                          yaml.safe_load(fh)
                      print(f'OK: {f}')
                  except Exception as e:
                      print(f'FAIL: {f}: {e}')
                      errors += 1
          sys.exit(errors)
          "

  check-pins:
    name: Verify action pins
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: bash .github/scripts/check-action-pins.sh