From cf37cf00a05826d79895bb65b8d495be298ee722 Mon Sep 17 00:00:00 2001
From: jhaynie
Date: Wed, 13 May 2026 01:21:31 +0000
Subject: [PATCH 1/2] chore: harden dependency and workflow automation
Adds repository security hardening matching agentuity/sdk#1471:
- Renovate config with release-age gates, dependency dashboard, and digest pinning
- Gitleaks scan workflow (PR + nightly)
- OSV-Scanner PR diff workflow and nightly reusable scan
- Trivy filesystem SARIF scan
- Actionlint workflow validating workflow changes
- Pinned action references and minimal token scope in new workflows
---
 .github/actionlint.yaml | 4 ++
 .github/workflows/actionlint.yml | 29 +++++++++
 .github/workflows/gitleaks.yml | 27 ++++++++
 .github/workflows/osv-scanner-nightly.yml | 19 ++++++
 .github/workflows/osv-scanner-pr.yml | 76 +++++++++++++++++++++++
 .github/workflows/trivy.yml | 39 ++++++++++++
 renovate.json | 43 +++++++++++++
 7 files changed, 237 insertions(+)
 create mode 100644 .github/actionlint.yaml
 create mode 100644 .github/workflows/actionlint.yml
 create mode 100644 .github/workflows/gitleaks.yml
 create mode 100644 .github/workflows/osv-scanner-nightly.yml
 create mode 100644 .github/workflows/osv-scanner-pr.yml
 create mode 100644 .github/workflows/trivy.yml
 create mode 100644 renovate.json
diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml
new file mode 100644
index 00000000..6233dea1
--- /dev/null
+++ b/.github/actionlint.yaml
@@ -0,0 +1,4 @@
+self-hosted-runner:
+ labels:
+ - blacksmith-2vcpu-ubuntu-2404
+ - blacksmith-4vcpu-ubuntu-2204
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 00000000..a2691924
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,29 @@
+name: Actionlint
+
+on:
+ pull_request:
+ paths:
+ - '.github/actionlint.yaml'
+ - '.github/workflows/**'
+ push:
+ branches:
+ - main
+ paths:
+ - '.github/actionlint.yaml'
+ - '.github/workflows/**'
+
+permissions:
+ contents: read
+
+env:
+ GITHUB_TOKEN: ''
+
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ persist-credentials: false
+
+ - uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 00000000..c37b8cdc
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,27 @@
+name: Gitleaks Scan
+
+on:
+ pull_request:
+ merge_group:
+ schedule:
+ - cron: "11 9 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ gitleaks:
+ name: Gitleaks Secret Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
diff --git a/.github/workflows/osv-scanner-nightly.yml b/.github/workflows/osv-scanner-nightly.yml
new file mode 100644
index 00000000..4586dba7
--- /dev/null
+++ b/.github/workflows/osv-scanner-nightly.yml
@@ -0,0 +1,19 @@
+name: OSV-Scanner Nightly Scan
+
+on:
+ schedule:
+ - cron: "17 8 * * *"
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan-nightly:
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
+ with:
+ scan-args: |-
+ --recursive
+ ./
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
new file mode 100644
index 00000000..2d870b2c
--- /dev/null
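Review bot: The digest pins at `actions/checkout@34e11487…` and `rhysd/actionlint@914e7df2…` carry no version comment, while the osv-scanner-nightly hunk in this same patch pins with `# v2.3.8`; without the tag a reader cannot tell which release a SHA corresponds to, and Renovate's digest pinning keys its trailing version comment off exactly that annotation. Suggest appending `# vX.Y.Z` (placeholder — resolve the tag for each SHA) to every pinned `uses:` here and in the gitleaks, osv-scanner-pr and trivy hunks. The workflow-level `env: GITHUB_TOKEN: ''` is also unexplained; if the intent is to keep any token away from the linter, which presumably needs no API access to read workflow files, a comment such as `# actionlint needs no API access; keep the token out of its environment` makes that deliberate rather than looking like a leftover.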
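Review bot: `GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}` is consumed under a `pull_request` trigger, but repository secrets are not made available to runs for pull requests from forks, so on those runs the variable is empty; if this is an organization repository, where gitleaks-action is documented as requiring a license, the scan will likely fail on fork PRs for a reason unrelated to any leaked secret. The file should state how that is meant to be handled, e.g. a comment `# secret is unavailable on fork PRs; merge_group and scheduled runs are the authoritative scan`, or the job could be gated on `github.event.pull_request.head.repo.fork != true` with the scheduled run covering the rest. `fetch-depth: 0` is appropriate for a history scan but means every PR run re-scans the full history; a one-line comment saying that is intended would save the next maintainer from "optimising" it away.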
+++ b/.github/workflows/osv-scanner-pr.yml
@@ -0,0 +1,76 @@
+name: OSV-Scanner PR Scan
+
+on:
+ pull_request:
+ merge_group:
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ scan-pr:
+ name: OSV Scanner PR
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Checkout target branch
+ env:
+ BASE_SHA: ${{ github.event.pull_request.base.sha || github.event.merge_group.base_sha }}
+ run: |
+ git checkout "$BASE_SHA"
+ git submodule update --recursive
+
+ - name: Run scanner on existing code
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --format=json
+ --output=old-results.json
+ --recursive
+ ./
+
+ - name: Checkout current branch
+ run: |
+ git checkout -f "$GITHUB_SHA"
+ git submodule update --recursive
+
+ - name: Run scanner on new code
+ uses: google/osv-scanner-action/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --format=json
+ --output=new-results.json
+ --recursive
+ ./
+
+ - name: Compare scanner results
+ id: compare
+ uses: google/osv-scanner-action/osv-reporter-action@9a498708959aeaef5ef730655706c5a1df1edbc2
+ continue-on-error: true
+ with:
+ scan-args: |-
+ --output=results.sarif
+ --old=old-results.json
+ --new=new-results.json
+ --gh-annotations=true
+ --fail-on-vuln=true
+
+ - name: Upload to code scanning
+ if: ${{ !cancelled() && hashFiles('results.sarif') != '' }}
+ uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89
+ with:
+ sarif_file: results.sarif
+
+ - name: Fail on newly introduced vulnerabilities
+ if: ${{ steps.compare.outcome == 'failure' }}
+ run: |
+ echo "::error::OSV-Scanner found newly introduced vulnerabilities."
+ exit 1
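Review bot: Both scan steps and the reporter step run with `continue-on-error: true` and the only enforcement is `steps.compare.outcome == 'failure'`, so a scanner crash on either checkout (unparseable lockfile, network error) leaves `old-results.json` or `new-results.json` missing, the reporter then fails, and the final step announces "newly introduced vulnerabilities" for what is really a tooling failure. The reason the flags are there at all — osv-scanner exits non-zero whenever it reports findings, so the reporter has to be the step that decides — is not recorded; a comment above the first scan step, `# osv-scanner exits 1 when it finds anything; the compare step decides pass/fail`, would stop the next maintainer from removing them. Consider giving the two scan steps an `id` and checking their `outcome` before the compare step so a scanner error is reported as such rather than as a vulnerability. Passing the base SHA through `env` instead of interpolating it into `run:` is the right pattern for event-derived values and is worth keeping when this file is next edited.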
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..acbc6e2b
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,39 @@
+name: Trivy Scan
+
+on:
+ pull_request:
+ merge_group:
+ schedule:
+ - cron: "43 8 * * *"
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ trivy:
+ name: Trivy Filesystem Scan
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ persist-credentials: false
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8
+ with:
+ scan-type: fs
+ scan-ref: .
+ format: sarif
+ output: trivy-results.sarif
+ severity: CRITICAL,HIGH
+ ignore-unfixed: true
+ exit-code: "0"
+
+ - name: Upload Trivy SARIF
+ if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' }}
+ uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89
+ with:
+ sarif_file: trivy-results.sarif
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 00000000..3cb5056d
--- /dev/null
+++ b/renovate.json
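Review bot: `exit-code: "0"` makes this scan purely advisory: CRITICAL/HIGH findings never affect the PR check and are only visible through the SARIF upload, so on a repository without GitHub code scanning enabled the workflow produces no visible result at all. That is a defensible first-rollout choice, but the file should say so, e.g. above the scanner step `# advisory only: findings go to code scanning via SARIF; this check never blocks a PR`. `ignore-unfixed: true` additionally hides CRITICAL/HIGH issues that have no upstream fix yet, which deserves its own comment given the nightly schedule suggests this is meant as an ongoing inventory rather than a gate. The `aquasecurity/trivy-action` digest pin also lacks the `# vX.Y.Z` version comment that the osv-scanner-nightly hunk uses.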
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:best-practices",
+ ":dependencyDashboard",
+ ":semanticCommits",
+ ":pinGitHubActionDigests",
+ "npm:unpublishSafe"
+ ],
+ "enabledManagers": ["bun", "github-actions", "dockerfile", "docker-compose"],
+ "labels": ["dependencies"],
+ "minimumReleaseAge": "3 days",
+ "rangeStrategy": "bump",
+ "separateMajorMinor": true,
+ "separateMultipleMajor": true,
+ "vulnerabilityAlerts": {
+ "enabled": true,
+ "labels": ["security"]
+ },
+ "osvVulnerabilityAlerts": true,
+ "lockFileMaintenance": {
+ "enabled": true,
+ "schedule": ["before 5am on monday"],
+ "commitMessageAction": "Lock file maintenance"
+ },
+ "packageRules": [
+ {
+ "description": "Require human approval before Renovate raises major version updates.",
+ "matchUpdateTypes": ["major"],
+ "dependencyDashboardApproval": true
+ },
+ {
+ "description": "Keep Bun ecosystem updates behind the same age gate configured in bunfig.toml.",
+ "matchDatasources": ["npm"],
+ "minimumReleaseAge": "3 days"
+ },
+ {
+ "description": "Pin executable CI dependencies to immutable digests.",
+ "matchManagers": ["github-actions", "dockerfile", "docker-compose"],
+ "pinDigests": true
+ }
+ ]
+}
From a1fa3b889894400820c1e04e5ee8917a011ca6da Mon Sep 17 00:00:00 2001
From: jhaynie
Date: Wed, 13 May 2026 01:38:12 +0000
Subject: [PATCH 2/2] ci(security): allow gitleaks pull_requests read; tolerate missing GHAS for SARIF upload
---
 .github/workflows/gitleaks.yml | 1 +
 .github/workflows/osv-scanner-pr.yml | 1 +
 .github/workflows/trivy.yml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index c37b8cdc..da1ecc86 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -9,6 +9,7 @@ on:
 permissions:
 contents: read
+ pull-requests: read
 jobs:
 gitleaks:
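Review bot: The `"matchDatasources": ["npm"]` package rule restates the top-level `"minimumReleaseAge": "3 days"` and changes nothing, while its description refers to an age gate "configured in bunfig.toml" — a file this commit does not touch, so a reader cannot verify the two gates agree. Either drop the rule or make the description self-contained (state the value and why it must match). The `"pinDigests": true` rule and the `:pinGitHubActionDigests` preset also appear to overlap with what `config:best-practices` already enables for GitHub Actions and Docker digests (inferred from the preset's documented contents — confirm for the Renovate version in use); if they are kept for explicitness, a description saying so forestalls the question on every review. As I understand Renovate's defaults, `minimumReleaseAge` is not applied to `vulnerabilityAlerts` PRs, which is the desired behaviour for security fixes but is worth a `"description"` on that block so nobody adds the gate back.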
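Review bot: The new `pull-requests: read` grant is uncommented; the commit subject attributes it to gitleaks, but a reader of the file sees only a widened token scope next to `contents: read`. A comment such as `# gitleaks-action lists the PR's commits through the API on pull_request events` (presumed reason — confirm against the action's documentation) keeps the least-privilege story auditable in the file itself. The `permissions:` block is fully visible in the hunk; the `jobs:` block continues outside it.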
diff --git a/.github/workflows/osv-scanner-pr.yml b/.github/workflows/osv-scanner-pr.yml
index 2d870b2c..b2c110dc 100644
--- a/.github/workflows/osv-scanner-pr.yml
+++ b/.github/workflows/osv-scanner-pr.yml
@@ -65,6 +65,7 @@ jobs:
 - name: Upload to code scanning
 if: ${{ !cancelled() && hashFiles('results.sarif') != '' }}
+ continue-on-error: true
 uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index acbc6e2b..ca3463f7 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -34,6 +34,7 @@ jobs:
 - name: Upload Trivy SARIF
 if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' }}
+ continue-on-error: true
 uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89
 with:
 sarif_file: trivy-results.sarif
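Review bot: `continue-on-error: true` on the `upload-sarif` step tolerates a missing GHAS subscription, but it equally swallows every other upload failure — a token without `security-events: write` (the read-only token on fork PRs), an oversized or malformed SARIF — so findings could silently stop reaching code scanning while the job stays green; the same applies to the trivy.yml hunk below. Give the step an `id: upload` and follow it with a step guarded by `if: ${{ steps.upload.outcome == 'failure' }}` that runs `echo "::warning::SARIF upload failed; findings for this run are not in code scanning"`, so the degradation is at least visible in the run summary. A comment on the `continue-on-error` line naming the case it is meant to tolerate (`# upload fails without GHAS / on fork PRs; scan results still appear in the job log`) would also help, since the step's `name:` gives no hint.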