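name: v2 audit
# Local-only by design: this workflow is wired up so the v2.2 audit
# pass is ready to fire the moment we authorize a push, but it never
# runs on a push or pull_request event. The two triggers are:
#
# - workflow_dispatch (manual button in the Actions UI)
# - workflow_call (so future workflows can chain it in)
#
# Until the v2 branch is pushed, this file lives on the branch but
# GitHub never schedules it. After we push, the maintainer triggers it
# manually from the Actions tab to gate the v2.2 tag.
#
# NOTE(review): the Actions-tab "Run workflow" button is normally offered
# for workflows that exist on the default branch; confirm it appears for
# the v2 branch before relying on it as the tag gate.
on:
  workflow_dispatch:
    inputs:
      reason:
        description: "Why this audit run is happening (free text, goes to summary)"
        required: false
        default: "manual v2 audit"
        type: string
  workflow_call:
    # Mirrored so a chaining workflow can pass a reason through. Without
    # this declaration inputs.reason is empty on workflow_call runs.
    inputs:
      reason:
        description: "Why this audit run is happening (free text, goes to summary)"
        required: false
        default: "manual v2 audit"
        type: string

# Least privilege for every job: the only token use below is lifting the
# anonymous API rate limit, which needs no write scope.
permissions:
  contents: read

jobs:
  manifest:
    name: Manifest consistency (13 assertions)
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to full commit SHAs (release tag in the trailing
      # comment) so a moved or re-pointed tag cannot change what runs here.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - name: Set up Python 3.10
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.10"
      - name: Install pytest + test deps
        run: pip install pytest beautifulsoup4
      - name: Run manifest consistency tests
        run: pytest tests/test_manifest_consistency.py -v

  security:
    name: SSRF + DNS rebinding suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - name: Set up Python 3.10
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.10"
      - name: Install runtime + test deps
        # Strict on purpose: a failed requirements install fails the job,
        # unlike the tolerant install in full_pytest below.
        run: |
          pip install pytest
          pip install -r requirements.txt
      - name: Run url_safety regression battery
        run: pytest tests/test_url_safety.py -v
      # py_compile only proves each module parses; it imports nothing and
      # runs no code, so this is a syntax check, not a behavioural one.
      - name: Confirm syntactic integrity of safety + renderer modules
        run: |
          python3 -m py_compile scripts/url_safety.py
          python3 -m py_compile scripts/render_page.py
          python3 -m py_compile scripts/fetch_page.py
          python3 -m py_compile scripts/capture_screenshot.py
          python3 -m py_compile scripts/google_auth.py
          python3 -m py_compile scripts/backlinks_auth.py

  full_pytest:
    name: Full pytest suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - name: Set up Python 3.10
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: "3.10"
      - name: Install pytest + test deps
        run: |
          pip install pytest beautifulsoup4
          # A failed requirements install is tolerated here (the security
          # job is strict); a missing dependency then surfaces as a pytest
          # error below instead of a setup failure. It also hides install
          # problems that no test happens to exercise.
          pip install -r requirements.txt || true
      - name: Run pytest
        # sync_flow tests need an authenticated gh CLI to bypass the
        # 60/hr anonymous rate limit (ci.yml uses the same token).
        # Scoped to this step only, so the token is not in the environment
        # of the pip install step, which executes third-party package code.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pytest tests/ -v

  secret_scan:
    name: Secret scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - name: Scan tracked files for leaked credentials
        # Scope: only files in the git index at the checked-out commit are
        # grepped (git ls-files); history is not scanned, so a secret that
        # was committed and later removed will not be caught here.
        run: |
          # No -e: the grep pipeline exits non-zero on a clean tree, which
          # the trailing "|| true" absorbs; the explicit check below decides.
          set -uo pipefail
          # High-signal credential patterns. Test fixtures and documented
          # placeholders are allowlisted; auth-setup.md ships a private-key
          # placeholder (BEGIN PRIVATE KEY\n...) that is not a real key.
          # The allowlist is per matching line: a real token on a line that
          # also contains one of these words is skipped, so keep it short.
          PATTERN='AIza[0-9A-Za-z_-]{35}|ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{40,}|gh[ous]_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|GOCSPX-[A-Za-z0-9_-]{20,}|sk-(proj-)?[A-Za-z0-9]{20,}|xox[baprs]-[A-Za-z0-9-]{10,}'
          HITS=$(git ls-files -z \
            | xargs -0 grep -nIEH "$PATTERN" 2>/dev/null \
            | grep -vE 'DUMMY|EXAMPLE|YOUR_|REDACTED|placeholder|<[A-Z_]+>' \
            | grep -vE '^tests/|/auth-setup\.md:' || true)
          if [ -n "$HITS" ]; then
            echo "::error::Potential leaked credentials in tracked files:"
            echo "$HITS"
            exit 1
          fi
          echo "Secret scan clean: no credentials detected in tracked files."

  audit_summary:
    name: Audit summary
    runs-on: ubuntu-latest
    needs: [manifest, security, full_pytest, secret_scan]
    # always(): the summary is written even when a needed job failed or
    # was cancelled, so the run page shows which one.
    if: always()
    steps:
      - name: Emit summary
        # inputs.reason is free text. It is passed through an environment
        # variable instead of being expanded into the script body, so a
        # reason containing quotes, backticks or $(...) cannot inject shell.
        env:
          REASON: ${{ inputs.reason }}
        run: |
          {
            echo "## v2 audit summary"
            echo ""
            echo "- Reason: ${REASON}"
            echo "- Manifest: ${{ needs.manifest.result }}"
            echo "- Security: ${{ needs.security.result }}"
            echo "- Full pytest: ${{ needs.full_pytest.result }}"
            echo "- Secret scan: ${{ needs.secret_scan.result }}"
            echo ""
            echo "All four must report 'success' before tagging."
          } >> "$GITHUB_STEP_SUMMARY"
      - name: Enforce the gate
        # Without this step the summary job succeeds no matter what the
        # four audit jobs reported, so anything keyed on this job's status
        # (a tag checklist, a required check) would pass on a red run.
        env:
          RESULTS: >-
            ${{ needs.manifest.result }}
            ${{ needs.security.result }}
            ${{ needs.full_pytest.result }}
            ${{ needs.secret_scan.result }}
        run: |
          for result in $RESULTS; do
            if [ "$result" != "success" ]; then
              echo "::error::v2 audit gate failed: a required job reported '$result' (see summary)."
              exit 1
            fi
          done
          echo "v2 audit gate passed: all four jobs reported success."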