Riverbraid-Action-Gold/.github/workflows/security.yml at 193c164049dbcc5ef954b37ef5cab79334959514 · Riverbraid/Riverbraid-Action-Gold · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
name: Security Checks
on:
  push:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * *'
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  crypto-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Ban Insecure RNG (Math.random)
        run: |
          if grep -r "Math.random" . --include="*.js" --include="*.cjs" --include="*.mjs"; then
            echo "❌ Insecure Math.random() detected — Riverbraid must remain deterministic and stationary."
            exit 1
          fi
      - name: Ban Broken Hashes (MD5 / SHA1)
        run: |
          if grep -riE "md5|sha1" . --include="*.js" --include="*.cjs" --include="*.mjs"; then
            echo "❌ Broken hash (MD5 or SHA1) detected — only cryptographically secure primitives allowed."
            exit 1
          fi