Skip to content

Commit 1a2b237

Browse files
author
BlkLeg Shawnji
committed
Workflow adjustment
1 parent 7173b02 commit 1a2b237

9 files changed

Lines changed: 19 additions & 21 deletions

File tree

.github/workflows/block-tests.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,7 @@
11
name: Block Tests in Prod Paths
22
on: [pull_request]
3+
permissions:
4+
contents: read
35
jobs:
46
check-prod:
57
runs-on: ubuntu-latest

.github/workflows/ci.yml.retired

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,7 @@ jobs:
101101
output: trivy-results.sarif
102102

103103
- name: Upload Trivy scan results
104-
uses: github/codeql-action/upload-sarif@v3
104+
uses: github/codeql-action/upload-sarif@v4
105105
if: always()
106106
with:
107107
sarif_file: trivy-results.sarif

.github/workflows/docker-build.yml

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,11 +5,6 @@ on:
55
tags:
66
- 'v*'
77
workflow_dispatch:
8-
inputs:
9-
tag:
10-
description: 'Image tag to push (e.g. v0.1.5)'
11-
required: false
12-
default: 'dev'
138

149
permissions:
1510
contents: read
@@ -42,7 +37,7 @@ jobs:
4237
if [ "${{ github.event_name }}" = "push" ]; then
4338
RAW_TAG="${{ github.ref_name }}"
4439
else
45-
RAW_TAG="${{ github.event.inputs.tag }}"
40+
RAW_TAG="dev"
4641
fi
4742
SAFE_TAG=$(printf '%s' "$RAW_TAG" | tr -cd '[:alnum:]_.-')
4843
if [ -z "$SAFE_TAG" ]; then

.github/workflows/preflight.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ jobs:
3636
- name: Set up Python
3737
uses: actions/setup-python@v5
3838
with:
39-
python-version: '3.11'
39+
python-version: '3.12'
4040

4141
- name: Set up Node
4242
uses: actions/setup-node@v4

.github/workflows/security.yml

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ jobs:
4242
with:
4343
args: --all-projects --sarif-file-output=snyk-results.sarif
4444
- name: Upload Snyk results to GitHub Security
45-
uses: github/codeql-action/upload-sarif@v3
45+
uses: github/codeql-action/upload-sarif@v4
4646
if: always()
4747
with:
4848
sarif_file: snyk-results.sarif
@@ -62,7 +62,7 @@ jobs:
6262
output: trivy-fs-results.sarif
6363
severity: 'CRITICAL,HIGH'
6464
- name: Upload Trivy filesystem results
65-
uses: github/codeql-action/upload-sarif@v3
65+
uses: github/codeql-action/upload-sarif@v4
6666
if: always()
6767
with:
6868
sarif_file: trivy-fs-results.sarif
@@ -80,7 +80,7 @@ jobs:
8080
format: sarif
8181
output: trivy-config-results.sarif
8282
- name: Upload Trivy config results
83-
uses: github/codeql-action/upload-sarif@v3
83+
uses: github/codeql-action/upload-sarif@v4
8484
if: always()
8585
with:
8686
sarif_file: trivy-config-results.sarif
@@ -99,7 +99,7 @@ jobs:
9999
- name: Run Semgrep
100100
run: semgrep scan --config p/default --sarif --output semgrep.sarif apps/backend/src/ apps/frontend/src/ docker/ || true
101101
- name: Upload Semgrep results
102-
uses: github/codeql-action/upload-sarif@v3
102+
uses: github/codeql-action/upload-sarif@v4
103103
if: always() && hashFiles('semgrep.sarif') != ''
104104
with:
105105
sarif_file: semgrep.sarif
@@ -118,8 +118,8 @@ jobs:
118118
- name: Run Bandit
119119
run: bandit -r apps/backend/src/ -f sarif -o bandit-results.sarif || true
120120
- name: Upload Bandit results
121-
uses: github/codeql-action/upload-sarif@v3
122-
if: always()
121+
uses: github/codeql-action/upload-sarif@v4
122+
if: always() && hashFiles('bandit-results.sarif') != ''
123123
with:
124124
sarif_file: bandit-results.sarif
125125

@@ -147,9 +147,9 @@ jobs:
147147
- name: Install Checkov
148148
run: pip install checkov
149149
- name: Run Checkov
150-
run: checkov -d docker/ -d . --skip-path apps/ --skip-path node_modules/ --output sarif --output-file-path checkov-results.sarif --quiet
150+
run: checkov -d docker/ -d . --skip-path apps/ --skip-path node_modules/ --skip-path site/ --output sarif --output-file-path checkov-results.sarif --quiet
151151
- name: Upload Checkov results
152-
uses: github/codeql-action/upload-sarif@v3
152+
uses: github/codeql-action/upload-sarif@v4
153153
if: always()
154154
with:
155155
sarif_file: checkov-results.sarif

.gitleaks.toml

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,6 @@
33
[extend]
44
useDefault = true
55

6-
[[allowlist]]
6+
[allowlist]
77
description = "Alembic migration revision IDs (hex hashes) are not API keys"
8-
paths = [
9-
'''apps/backend/migrations/.*\.py'''
10-
]
8+
paths = ['apps/backend/migrations/.*\\.py']

Dockerfile

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -102,6 +102,7 @@ EXPOSE 8080
102102
HEALTHCHECK --interval=30s --timeout=5s --start-period=45s --retries=3 \
103103
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8080/api/v1/health', timeout=4)" || exit 1
104104

105+
# checkov:skip=CKV_DOCKER_3: Process runs as breaker26 via gosu in entrypoint; root needed for volume chown.
105106
# Container starts as root so that the entrypoint can fix /data volume ownership at runtime,
106107
# then drops to breaker26 (UID 1000) via gosu before execing the app.
107108
# tini as PID 1 ensures SIGTERM is forwarded to uvicorn and zombie processes are reaped.

docker/docker-compose.prod.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@
1111
# CB_TAG must match the tag used when publishing (e.g. make docker-publish-prod TAG=v0.2.0 → use CB_TAG=v0.2.0, not 0.2.0).
1212
#
1313
# Requires: Caddyfile and .env in the same directory as this file.
14+
# Caddyfile must be a regular file (not a directory); bind-mounting a directory fails.
1415
name: circuitbreaker
1516

1617
networks:

install.sh

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -422,7 +422,8 @@ Install_Docker() {
422422
Check_Docker() {
423423
if command -v docker >/dev/null 2>&1; then
424424
local ver major
425-
ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo "0.0.0")
425+
ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
426+
[[ -z "$ver" || "$ver" == "0.0.0" ]] && ver=$(docker version --format '{{.Client.Version}}' 2>/dev/null || echo "0.0.0")
426427
major="${ver%%.*}"
427428
if [[ "$major" -lt "$MINIMUM_DOCKER_VERSION" ]]; then
428429
Show 1 "Docker $ver is too old (minimum required: $MINIMUM_DOCKER_VERSION). Please upgrade Docker and re-run."

0 commit comments

Comments
 (0)