ci: consolidate release pipeline and add PR security gate (#303)

digitalghost-dev · web-flow · commit 8b4d4c3cf3bd · 2026-06-22T20:19:20.000-07:00
* ci: consolidate release pipeline into `release.yml`, add PR security gate

* build: exclude `ci/chore/build` commits from goreleaser changelog

* fix: harden config dir perms to  and annotate gosec false positives

* ci: scope release workflow permissions to least privilege

* build: silence hadolint DL3018 on throwaway apk build deps

* docs: fix dead  connectors link

* ci: updating action version
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,43 @@
+name: Security
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+  gosec:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@v2.25.0
+        with:
+          args: '-severity medium -confidence medium ./...'
+
+  bandit:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Run Bandit Security Scanner
+        run: |
+          uv tool run --from 'bandit[toml]' bandit \
+            -r data_platform/pipelines \
+            --severity-level medium \
+            --confidence-level medium
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -60,6 +60,9 @@ changelog:
     exclude:
       - "^docs:"
       - "^test:"
+      - "^ci:"
+      - "^chore:"
+      - "^build:"
 
 homebrew_casks:
   - name: poke-cli
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,7 @@ FROM rust:1-alpine AS rust-build
 
 WORKDIR /build
 
+# hadolint ignore=DL3018
 RUN apk add --no-cache build-base
 
 COPY services/Cargo.toml services/Cargo.lock ./services/
@@ -26,6 +27,7 @@ RUN cargo build --release --manifest-path services/Cargo.toml --bin poke-cache
 FROM alpine:3.24
 
 # Installing only necessary packages and remove them after use
+# hadolint ignore=DL3018
 RUN apk add --no-cache shadow && \
     addgroup -S poke_group && adduser -S poke_user -G poke_group && \
     sed -i 's/^root:.*/root:!*:0:0:root:\/root:\/sbin\/nologin/' /etc/passwd && \
diff --git a/cli.go b/cli.go
@@ -214,7 +214,7 @@ func runCLI(args []string) int {
 var exit = os.Exit
 
 func isInteractive() bool {
-	return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd())) // #nosec G115
 }
 
 func saveConfig(cfg flags.Config) {
diff --git a/cmd/types/damage_table.go b/cmd/types/damage_table.go
@@ -40,7 +40,7 @@ func DamageTable(typesName string, endpoint string) (string, error) {
 	out.WriteString(styling.StyleBold.Render("Damage Chart:"))
 	out.WriteString("\n")
 
-	physicalWidth, _, _ := term.GetSize(uintptr(int(os.Stdout.Fd())))
+	physicalWidth, _, _ := term.GetSize(uintptr(int(os.Stdout.Fd()))) // #nosec G115
 	doc := strings.Builder{}
 
 	// Helper function to build list items
diff --git a/cmd/utils/web.go b/cmd/utils/web.go
@@ -22,13 +22,13 @@ func Open(url string) tea.Cmd {
 		switch runtime.GOOS {
 		case "windows":
 			browserCmd = "cmd"
-			openCmd = exec.Command("cmd", "/c", "start", url) //nolint:gosec
+			openCmd = exec.Command("cmd", "/c", "start", url) // #nosec G204
 		case "darwin":
 			browserCmd = "open"
-			openCmd = exec.Command("open", url)
+			openCmd = exec.Command("open", url) // #nosec G204
 		default:
 			browserCmd = "xdg-open"
-			openCmd = exec.Command("xdg-open", url)
+			openCmd = exec.Command("xdg-open", url) // #nosec G204
 		}
 
 		if _, err := exec.LookPath(browserCmd); err != nil {
diff --git a/connections/cache.go b/connections/cache.go
@@ -71,7 +71,7 @@ func cachedFetch(url string) ([]byte, error) {
 		warnNoCache()
 		return directFetch(url)
 	}
-	out, err := exec.Command(path, "get", url).Output()
+	out, err := exec.Command(path, "get", url).Output() // #nosec G204
 	if err != nil {
 		return directFetch(url)
 	}
diff --git a/docs/Infrastructure_Guide/local-deployment.md b/docs/Infrastructure_Guide/local-deployment.md
@@ -196,7 +196,7 @@ The above `yml` defines the structure for the raw `series` table from the `stagi
 Soda and its components needed for the project can be installed with `uv`:
 
 1. Install Soda Core with PostgreSQL connector since Supabase uses PostgreSQL.
-   Other [connectors](https://github.com/sodadata/soda-core/blob/main/docs/installation.md#compatibility) can be used.
+   Other [connectors](https://github.com/sodadata/soda-core/blob/v3/docs/installation.md#compatibility) can be used.
 ```shell
    uv add soda-core-postgres
 ```
diff --git a/flags/config.go b/flags/config.go
@@ -75,7 +75,7 @@ func Load() (Config, bool, error) {
 
 func LoadFrom(path string) (Config, bool, error) {
 	cfg := Defaults()
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(path) // #nosec G304
 	if errors.Is(err, fs.ErrNotExist) {
 		return cfg, true, nil
 	}
@@ -105,7 +105,7 @@ func SaveTo(path string, cfg Config) error {
 		return err
 	}
 	dir := filepath.Dir(path)
-	if err := os.MkdirAll(dir, 0o755); err != nil {
+	if err := os.MkdirAll(dir, 0o750); err != nil {
 		return err
 	}
 	tmp, err := os.CreateTemp(dir, "config-*.toml")
diff --git a/styling/styling.go b/styling/styling.go
@@ -110,7 +110,7 @@ func init() {
 }
 
 func HasDarkBackground() bool {
-	if !term.IsTerminal(int(os.Stdin.Fd())) || !term.IsTerminal(int(os.Stdout.Fd())) {
+	if !term.IsTerminal(int(os.Stdin.Fd())) || !term.IsTerminal(int(os.Stdout.Fd())) { // #nosec G115
 		return true
 	}
 	return lipgloss.HasDarkBackground(os.Stdin, os.Stdout)

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ func runCLI(args []string) int {`
`214`	`214`	`var exit = os.Exit`
`215`	`215`
`216`	`216`	`func isInteractive() bool {`
`217`		`- return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd()))`
	`217`	`+ return term.IsTerminal(int(os.Stdin.Fd())) && term.IsTerminal(int(os.Stdout.Fd())) // #nosec G115`
`218`	`218`	`}`
`219`	`219`
`220`	`220`	`func saveConfig(cfg flags.Config) {`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func cachedFetch(url string) ([]byte, error) {`
`71`	`71`	`warnNoCache()`
`72`	`72`	`return directFetch(url)`
`73`	`73`	`}`
`74`		`- out, err := exec.Command(path, "get", url).Output()`
	`74`	`+ out, err := exec.Command(path, "get", url).Output() // #nosec G204`
`75`	`75`	`if err != nil {`
`76`	`76`	`return directFetch(url)`
`77`	`77`	`}`