br-acc/.github/workflows/security.yml

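name: Security

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as intended,
# yamllint's `truthy` rule may need suppressing here.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: every job below only reads the checkout,
# so the default write-capable token is not needed.
permissions:
  contents: read

jobs:
  gitleaks:
    name: Gitleaks
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): all `uses:` references in this file are pinned to a major
      # tag; pinning to a full commit SHA removes the tag-retargeting risk.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history, so every commit is scanned rather than only HEAD
      - name: Install gitleaks
        # Explicit bash enables `pipefail`: a failed curl then fails the step
        # instead of being masked by tar's exit status.
        shell: bash
        run: |
          VERSION=8.24.2
          # -f: fail on an HTTP error instead of piping an error page into tar.
          # TODO(review): verify the archive against the checksum file published
          # with this release before installing it.
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
            | tar -xz
          chmod +x gitleaks
          sudo mv gitleaks /usr/local/bin/gitleaks
      - name: Run gitleaks
        # --redact keeps matched secret values out of the job log.
        run: gitleaks git . --no-banner --redact --gitleaks-ignore-path .gitleaksignore

  bandit:
    name: Bandit (Python)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install bandit
        # NOTE(review): bandit is installed unpinned; results may change
        # between runs as new checks ship.
        run: python -m pip install --upgrade pip bandit
      - name: Run bandit
        # -lll / -iii: only HIGH-severity, HIGH-confidence findings gate the job;
        # lower-tier findings are deliberately not blocking here.
        run: |
          bandit -r api/src etl/src scripts \
            -x api/tests,etl/tests \
            -lll -iii

  pip-audit:
    name: Pip Audit (Python deps)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
        with:
          version: "latest"  # NOTE(review): floating; pin for reproducible audits
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Export lock-compatible requirement sets
        # --no-emit-project / --no-emit-local: audit only third-party packages
        # resolved from each lockfile, not the workspace packages themselves.
        run: |
          cd api
          uv export --format requirements-txt --no-hashes --no-emit-project --no-emit-local > /tmp/api-requirements.txt
          cd ../etl
          uv export --format requirements-txt --no-hashes --no-emit-project --no-emit-local > /tmp/etl-requirements.txt
      - name: Audit API dependencies
        # --strict: fail if any dependency could not be audited, not only on known vulns.
        run: uvx pip-audit -r /tmp/api-requirements.txt --strict
      - name: Audit ETL dependencies
        run: uvx pip-audit -r /tmp/etl-requirements.txt --strict

  public-privacy-gate:
    name: Public Privacy Gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Validate public privacy contract
        run: python scripts/check_public_privacy.py --repo-root .

  compliance-pack-gate:
    name: Compliance Pack Gate
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Validate legal and ethics baseline
        run: python scripts/check_compliance_pack.py --repo-root .

  public-boundary-gate:
    name: Public Boundary Gate
    # Only meaningful on the public repository; forks and mirrors skip this job.
    if: github.repository == 'brunoclz/world-transparency-graph'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Validate public edition scope
        run: python scripts/check_open_core_boundary.py --repo-root .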
internal-instruction-boundary:
name: Internal Instruction Boundary
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Ensure internal assistant files are not tracked
run: |
if git ls-files | grep -E '(^|/)(CLAUDE\.md|AGENTS.*\.md)$'; then
echo "Forbidden tracked files found: CLAUDE.md / AGENTS*.md"
exit 1
fi