Move live reconciliation real-time gates to the monotonic clock (#4376) #368
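name: security-audit
# Supply chain security checks.
#
# Triggers:
# - Nightly cron and manual dispatch: every audit job runs unconditionally.
# - Pull requests: GitHub path filters create a workflow run only when
#   audit-relevant paths change. The gate job remains as a second check
#   before the audit jobs run.
# - Pushes to develop / master / test-security: GitHub path filters create a
#   workflow run only when audit-relevant paths change. The gate job remains as
#   a second check before the audit jobs run.
#
# Trust model (review note): on pull_request events both this workflow and
# scripts/ci/security-audit-gate.sh are taken from the PR's own checkout, so a
# PR that edits them can make every audit job skip. GitHub treats a skipped
# job as satisfying a required status check, so keep .github/** and
# scripts/ci/** behind required review (CODEOWNERS) - confirm against the
# repository's branch protection settings.

on:
  pull_request:
    # The same list is duplicated in scripts/ci/security-audit-gate.sh; the
    # anchor below reuses it for push events.
    paths: &security_audit_paths
      - Cargo.lock  # Keep in sync with scripts/ci/security-audit-gate.sh.
      - Cargo.toml
      - crates/**/Cargo.toml
      - crates/**/fuzz/Cargo.lock
      - uv.lock
      - pyproject.toml
      - .pre-commit-config.yaml
      - python/uv.lock
      - python/pyproject.toml
      - deny.toml
      - .cargo/deny-fuzz.toml
      - osv-scanner.toml
      - .supply-chain/**
      - tools.toml
      - .cargo/config.toml
      - .cargo/audit.toml
      - rust-toolchain.toml
      - scripts/cargo-tool-version.sh
      - scripts/rust-toolchain.sh
      - scripts/uv-version.sh
      - scripts/ci/security-audit-gate.sh
      - .zizmor.yml
      - .github/actions/**
      - .github/workflows/**
  push:
    branches: [develop, master, test-security]
    paths: *security_audit_paths
  schedule:
    - cron: "0 23 * * *"  # Daily at 23:00 UTC (2hrs prior to next nightly-merge)
  workflow_dispatch:  # Allow manual trigger

# Default token scope for every job; jobs that need more (SARIF upload) set
# their own block, which replaces - not extends - this one.
permissions:
  contents: read
  actions: read

env:
  # Fork PRs lack repo/org vars, so audit instead of block.
  # Resolution order: fork PR -> 'audit'; otherwise the repo/org variable;
  # otherwise 'block'. Non-PR events have no pull_request payload and fall
  # through to the variable/default.
  EGRESS_POLICY: >-
    ${{ github.event.pull_request.head.repo.fork && 'audit'
    || vars.STEP_SECURITY_EGRESS_POLICY
    || 'block' }}

jobs:
  # Gate job: decides whether the audit jobs below need to run. The script is
  # expected to report audit_needed=true for schedule/workflow_dispatch (see
  # the header comment) - that logic lives in the script, not here.
  changes:
    name: changes
    runs-on: ubuntu-22.04
    outputs:
      audit_needed: ${{ steps.filter.outputs.audit_needed }}
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Full history: the gate script receives base/head (PR) or
          # before/after (push) SHAs and presumably diffs between them.
          fetch-depth: 0
          persist-credentials: false
      - name: Detect audit-relevant changes
        id: filter
        shell: bash
        # Event data reaches the script only through env, never inlined into
        # the command line, so PR-controlled refs cannot inject into the shell.
        env:
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
          PUSH_AFTER_SHA: ${{ github.event.after }}
        run: bash scripts/ci/security-audit-gate.sh

  # Static analysis of the workflows/actions themselves.
  zizmor:
    name: zizmor
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      actions: read
      security-events: write  # SARIF upload to code scanning.
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Get uv version from pyproject.toml
        id: uv-version
        shell: bash
        run: echo "uv_version=$(bash scripts/uv-version.sh)" >> "$GITHUB_OUTPUT"
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: ${{ steps.uv-version.outputs.uv_version }}
          enable-cache: true
      - name: Run zizmor
        env:
          # Read-only on fork PRs; used by zizmor's online checks.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # NOTE(review): zizmor is pinned inline while pip-audit's version comes
        # from tools.toml via scripts/tool-version.sh; consider sourcing this
        # pin the same way so tools.toml stays the single source of truth.
        run: |
          uv run --no-project --with zizmor==1.24.1 -- \
            zizmor --format sarif --min-severity medium --config .zizmor.yml .github/ \
            > zizmor.sarif
      - name: Upload zizmor SARIF
        # Upload even when zizmor exits non-zero on findings, but not on a
        # cancelled run. Fork PRs carry a read-only GITHUB_TOKEN, so the upload
        # (which needs security-events: write) is skipped for them.
        if: >-
          !cancelled() &&
          hashFiles('zizmor.sarif') != '' &&
          (github.event_name != 'pull_request' ||
          !github.event.pull_request.head.repo.fork)
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: zizmor.sarif
          category: zizmor

  # RustSec advisory check against the committed lockfiles (cargo-audit reads
  # Cargo.lock directly and does not re-resolve).
  cargo-audit:
    name: cargo-audit
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install cargo-audit
        uses: ./.github/actions/cargo-tool-install
        with:
          tool-name: cargo-audit
      - name: Run cargo-audit
        run: |
          cargo audit
          cargo audit --file crates/adapters/lighter/fuzz/Cargo.lock
          cargo audit --file crates/adapters/derive/fuzz/Cargo.lock

  # Advisories, licenses, sources and bans. Every invocation runs --locked so
  # an out-of-date Cargo.lock fails the job instead of being silently
  # re-resolved and audited in its regenerated form.
  cargo-deny:
    name: cargo-deny
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install cargo-deny
        uses: ./.github/actions/cargo-tool-install
        with:
          tool-name: cargo-deny
      - name: Run cargo-deny (advisories, licenses, sources, bans)
        run: |
          cargo deny --locked --all-features check advisories licenses sources bans
          cargo deny --manifest-path crates/adapters/lighter/fuzz/Cargo.toml \
            --locked --all-features check --config .cargo/deny-fuzz.toml \
            advisories licenses sources bans
          cargo deny --manifest-path crates/adapters/derive/fuzz/Cargo.toml \
            --locked --all-features check --config .cargo/deny-fuzz.toml \
            advisories licenses sources bans

  # Audit-trail check: every dependency must be covered by the audits recorded
  # under .supply-chain/ (shared store for the workspace and the fuzz crates).
  cargo-vet:
    name: cargo-vet
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install cargo-vet
        uses: ./.github/actions/cargo-tool-install
        with:
          tool-name: cargo-vet
      - name: Run cargo-vet
        run: |
          cargo vet --locked
          cargo vet --locked --manifest-path crates/adapters/lighter/fuzz/Cargo.toml \
            --store-path .supply-chain
          cargo vet --locked --manifest-path crates/adapters/derive/fuzz/Cargo.toml \
            --store-path .supply-chain

  # Python advisory check of the exported root lockfile.
  # NOTE(review): only the root uv.lock is exported here; python/uv.lock is
  # scanned by osv-scanner below but not by pip-audit - confirm that is
  # intended.
  pip-audit:
    name: pip-audit
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      # Step output rather than GITHUB_ENV: same pattern as the zizmor job,
      # and the value is scoped to the step that reads it.
      - name: Get uv version from pyproject.toml
        id: uv-version
        shell: bash
        run: echo "uv_version=$(bash scripts/uv-version.sh)" >> "$GITHUB_OUTPUT"
      - name: Install uv
        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: ${{ steps.uv-version.outputs.uv_version }}
      - name: Install Python
        run: uv python install 3.13
      - name: Run pip-audit
        # `shell: bash` runs with `-eo pipefail`; the default `bash -e` has no
        # pipefail, so a failing `uv export` would hand pip-audit an empty
        # requirements list and the step would pass having audited nothing.
        shell: bash
        # aiohttp 3.14.0 fixes these advisories, but remains inside uv's 3-day
        # exclude-newer window while aiohttp source builds are disabled.
        # TODO: drop both --ignore-vuln flags once uv.lock carries aiohttp >= 3.14.0.
        run: >
          uv export --no-hashes --frozen |
          uv run --no-project --no-build --with "pip-audit==$(bash scripts/tool-version.sh pip-audit)" --
          pip-audit --disable-pip --no-deps -r /dev/stdin
          --ignore-vuln GHSA-jg22-mg44-37j8
          --ignore-vuln GHSA-hg6j-4rv6-33pg

  # Cross-ecosystem OSV scan of every committed lockfile.
  osv-scanner:
    name: osv-scanner
    needs: changes
    if: needs.changes.outputs.audit_needed == 'true'
    runs-on: ubuntu-22.04
    steps:
      - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: ${{ env.EGRESS_POLICY }}
          allowed-endpoints: >-
            ${{ vars.COMMON_ALLOWED_ENDPOINTS }}
            ${{ vars.SECURITY_AUDIT_ALLOWED_ENDPOINTS }}
      - name: Checkout repository
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Run osv-scanner
        uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
        with:
          scan-args: |-
            --config=osv-scanner.toml
            --lockfile=Cargo.lock
            --lockfile=crates/adapters/lighter/fuzz/Cargo.lock
            --lockfile=crates/adapters/derive/fuzz/Cargo.lock
            --lockfile=uv.lock
            --lockfile=python/uv.lock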