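# =============================================================================
# Wazuh OpenClaw Autopilot - CI/CD Pipeline
# =============================================================================
# Runs on push and pull request to main branch
# - Lint: ESLint code quality checks
# - Test: Unit tests with Node.js test runner
# - Security: npm audit for vulnerabilities
# - Build: Docker image build verification + Trivy image scan
# - Policies: YAML syntax check for the policy files
#
# Hardening notes (review):
# - GITHUB_TOKEN is restricted to `contents: read` for the whole workflow. No
#   job here pushes, publishes, or comments, so nothing needs write scope.
# - checkout runs with `persist-credentials: false` so the token is not left in
#   .git/config for later steps (npm lifecycle scripts, pip installs, the
#   docker build) to read.
# - Install steps that do not need native builds run with --ignore-scripts so a
#   dependency's install hook cannot execute arbitrary code on the runner.
# - Every job has a timeout so a hung or hijacked job cannot burn runner
#   minutes for the default six hours.
# - TODO(security): pin every third-party action to a full commit SHA (with the
#   version in a trailing comment) instead of a mutable tag. Tags and release
#   branches can be repointed after a maintainer account compromise.
# =============================================================================
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for the automatic GITHUB_TOKEN. A job that needs more must
# request it explicitly at job level; none currently do.
permissions:
  contents: read

# Cancel superseded PR runs only. Runs on main are never cancelled so a merged
# commit is always fully verified.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  NODE_VERSION: "22"

jobs:
  # ---------------------------------------------------------------------------
  # Lint
  # ---------------------------------------------------------------------------
  lint:
    name: Lint
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # TODO(security): pin to a commit SHA
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4  # TODO(security): pin to a commit SHA
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"
          cache-dependency-path: runtime/autopilot-service/package-lock.json

      - name: Install dependencies
        working-directory: runtime/autopilot-service
        # ESLint does not need native build steps, so dependency lifecycle
        # scripts are skipped; this is where a compromised package would run.
        run: npm ci --ignore-scripts

      - name: Run ESLint
        working-directory: runtime/autopilot-service
        # NOTE(review): --if-present makes this job pass silently if the
        # package has no "lint" script. Drop the flag once lint is mandatory.
        run: npm run lint --if-present

  # ---------------------------------------------------------------------------
  # Test
  # ---------------------------------------------------------------------------
  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # TODO(security): pin to a commit SHA
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4  # TODO(security): pin to a commit SHA
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"
          cache-dependency-path: runtime/autopilot-service/package-lock.json

      - name: Install dependencies
        working-directory: runtime/autopilot-service
        # Lifecycle scripts are kept here in case tests rely on natively built
        # modules. If they do not, add --ignore-scripts as in the lint job.
        run: npm ci

      - name: Run tests
        working-directory: runtime/autopilot-service
        run: npm test

  # ---------------------------------------------------------------------------
  # Security Audit
  # ---------------------------------------------------------------------------
  security:
    name: Security Audit
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # TODO(security): pin to a commit SHA
        with:
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4  # TODO(security): pin to a commit SHA
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"
          cache-dependency-path: runtime/autopilot-service/package-lock.json

      - name: Install dependencies
        working-directory: runtime/autopilot-service
        # The audit only inspects the resolved dependency tree; it must never
        # execute third-party install hooks, so scripts are disabled.
        run: npm ci --ignore-scripts

      - name: Run npm audit
        working-directory: runtime/autopilot-service
        # Fails the job on high or critical advisories.
        run: npm audit --audit-level=high

  # ---------------------------------------------------------------------------
  # Docker Build
  # ---------------------------------------------------------------------------
  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: [lint, test, security]
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # TODO(security): pin to a commit SHA
        with:
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3  # TODO(security): pin to a commit SHA

      - name: Build Docker image
        uses: docker/build-push-action@v6  # TODO(security): pin to a commit SHA
        with:
          context: ./runtime/autopilot-service
          # Build only; the image is loaded into the local daemon for scanning
          # and is never pushed from CI.
          push: false
          load: true
          tags: wazuh-autopilot:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Scan Docker image for vulnerabilities
        uses: aquasecurity/trivy-action@0.28.0  # TODO(security): pin to a commit SHA
        with:
          image-ref: wazuh-autopilot:${{ github.sha }}
          format: table
          # Any CRITICAL or HIGH finding fails the build. NOTE(review): this
          # includes findings with no fixed version yet; set ignore-unfixed
          # if unfixable base-image CVEs start blocking merges.
          exit-code: 1
          severity: CRITICAL,HIGH

  # ---------------------------------------------------------------------------
  # Policy Validation
  # ---------------------------------------------------------------------------
  validate-policies:
    name: Validate Policies
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # TODO(security): pin to a commit SHA
        with:
          persist-credentials: false

      - name: Validate YAML syntax
        run: |
          # Install yamllint.
          # TODO(security): pin the version (and ideally --require-hashes) so
          # an unpinned PyPI fetch cannot silently change what runs in CI.
          python3 -m pip install --user yamllint
          # Validate policy files. This is a syntax/style check only; it does
          # not validate the policy schema.
          yamllint -d relaxed policies/policy.yaml
          yamllint -d relaxed policies/toolmap.yaml

      - name: Check for placeholder values
        run: |
          # Warn if placeholders exist (but don't fail - they're expected in templates)
          if grep -r "<SLACK_" policies/; then
            echo "::warning::Policy files contain placeholder values. Configure before production use."
          fi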