Skip to content

chore(workflows): add github action linters [SECINT-75] #124

chore(workflows): add github action linters [SECINT-75]

chore(workflows): add github action linters [SECINT-75] #124

Workflow file for this run

name: build-safe
on:
workflow_dispatch:
push:
branches: [ main ]
types: [ opened, reopened, synchronize, ready_for_review ]
pull_request:
branches: [ main ]
types: [ opened, reopened, synchronize, ready_for_review ]
env:
CGR_PYTHON_BUILDER_IMAGE_NAME: "cgr.dev/cgr-demo.com/python:3.13-dev"
CGR_PYTHON_RUNTIME_IMAGE_NAME: "cgr.dev/cgr-demo.com/python:3.13"
permissions: {}
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
pull-requests: write # Required for PR comments
issues: write # Required for issue comments
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
fetch-depth: 0
ref: ${{ github.ref }}
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f
id: octo-sts
with:
scope: chainguard-dev/libraries-ultralytics-attack-demo
identity: build-safe
# - name: Install Cosign
# uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac
# - uses: chainguard-dev/setup-chainctl@272698817627c158bbd813cb783b62a4b9bbbc67
# with:
# identity: "4cf15780a13a9b6576d8b357e6524554c8c12a18/aab27dc39ad870c9"
# - name: Set up Docker Buildx
# uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
# - name: Auth to Registry
# run: |
# chainctl auth configure-docker
# chainctl auth status
# - name: Verify Chainguard Python image signatures && pre-pull images
# run: |
# CATALOG_SYNCER="4cf15780a13a9b6576d8b357e6524554c8c12a18/c03040118377d88c"
# APKO_BUILDER="4cf15780a13a9b6576d8b357e6524554c8c12a18/ca93125e202f81f8"
# cosign verify ...
# docker pull ...
# - name: Build Docker image using local base image
# run: |
# docker build \
# --build-arg BASE_IMAGE=${{ env.CGR_PYTHON_BUILDER_IMAGE_NAME }} \
# -t ultralytics:cgr-base \
# -f Dockerfile .
# working-directory: src
- uses: chainguard-dev/malcontent-action@228e2bc9f055a1cd367d59e380c947e76a6e25d4
id: malcontent
with:
github-token: ${{ steps.octo-sts.outputs.token }}
fail-on-increase: false
comment-on-pr: true
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 #v3.29.0 - 11 Jun 2025
if: always()
env:
GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }}
with:
sarif_file: ${{ steps.malcontent.outputs.sarif-file }}
category: malcontent
- name: Evaluate risk threshold
run: |
echo "SARIF: ${{ steps.malcontent.outputs.sarif-file }}"
RISK_DELTA="${{ steps.malcontent.outputs['risk-delta'] }}"
echo "Risk delta: $RISK_DELTA"
# Convert to number safely
NUM_DELTA=$(jq -n "$RISK_DELTA" 2>/dev/null || echo 0)
if [ "$NUM_DELTA" -gt 20 ]; then
echo "::error::Significant security risk increase detected!"
echo "${{ steps.malcontent.outputs['diff-summary'] }}"
exit 1
else
echo "Risk delta below threshold — continuing."
fi