Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .githooks/pre-push
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
#
# pre-push hook -- block a push that CI would reject.
#
# Runs the fast, no-compile gates (formatting + supply-chain audit) that have
# historically slipped through to CI. These are cheap (no project build), so
# they are safe to run on every push. Heavier gates (clippy, test) are NOT run
# here to avoid rebuilding on every push; run `scripts/preflight.sh` for the
# full local CI mirror before opening or updating a PR.
#
# Enable once per clone:
# git config core.hooksPath .githooks
#
# Bypass in an emergency (use sparingly, you own the CI result):
# git push --no-verify

set -euo pipefail

repo_root="$(git rev-parse --show-toplevel)"
preflight="$repo_root/scripts/preflight.sh"

if [[ ! -x "$preflight" ]]; then
echo "pre-push: scripts/preflight.sh missing or not executable; skipping gate" >&2
exit 0
fi

echo "pre-push: running fast preflight (fmt + audit) ..."
if ! "$preflight" --fast; then
echo "" >&2
echo "pre-push: BLOCKED -- fix the above before pushing (CI would fail)." >&2
echo " run 'scripts/preflight.sh' for the full check, or" >&2
echo " 'git push --no-verify' to bypass (you own the CI result)." >&2
exit 1
fi

exit 0
14 changes: 10 additions & 4 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -80,18 +80,24 @@ jobs:
- uses: Swatinem/rust-cache@v2
- run: cargo test -p frameshift-catalog-postgres -- --include-ignored

# Supply-chain advisory scan against the RustSec database. Non-blocking for
# now (continue-on-error) so a pre-existing transitive advisory cannot wedge
# the pipeline before the backlog is triaged; ratchet to blocking once clean.
# Supply-chain advisory scan against the RustSec database. Now blocking: the
# advisory backlog has been triaged and the vulnerable dependencies bumped, so
# a new advisory should fail the pipeline rather than slip in silently.
#
# The single ignore is RUSTSEC-2024-0370 (proc-macro-error unmaintained). It is
# a build-time-only proc-macro pulled transitively by age -> i18n-embed-fl; it
# never ships in any runtime artifact, and the only way to drop it is to bump
# age from 0.10 to the 0.11 BETA, which is unacceptable for the crate that
# backs local vault encryption. Re-evaluate when age ships a stable 0.11.
audit:
name: Security audit
runs-on: ubuntu-latest
continue-on-error: true
steps:
- uses: actions/checkout@v4
- uses: rustsec/audit-check@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
ignore: RUSTSEC-2024-0370

# Later tier (intentionally not yet wired, tracked in the roadmap):
# - cargo-deny (needs a deny.toml: license allowlist, ban list, advisory policy)
Expand Down
12 changes: 10 additions & 2 deletions .github/workflows/mirror.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,13 @@ jobs:
env:
MIRROR_TOKEN: ${{ secrets.MIRROR_TOKEN }}
run: |
git remote add mirror https://x-access-token:${MIRROR_TOKEN}@github.com/Syntheos-Systems/FrameShift.git
git push mirror --mirror
git remote add mirror "https://x-access-token:${MIRROR_TOKEN}@github.com/Syntheos-Systems/FrameShift.git"
# actions/checkout only fetches the triggering ref, so pull every source
# branch into remote-tracking refs before mirroring.
git fetch --prune origin '+refs/heads/*:refs/remotes/origin/*'
# Mirror all branches and tags. We deliberately avoid `git push --mirror`:
# it deletes refs absent from the local checkout, which fails because the
# remote refuses to delete its default branch `main`. Force-push so the
# mirror still follows rebases and force-updates on the source.
git push --force mirror 'refs/remotes/origin/*:refs/heads/*'
git push --force mirror 'refs/tags/*:refs/tags/*'
4 changes: 4 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -30,3 +30,7 @@ data/

# Secrets
bin/leak-patterns.txt

# Local audit working directories (raw findings, local paths, tool identifiers)
.audit-fleet/
.audit-fleet-web/
Loading
Loading