Skip to content

Fix CI security gates and Codex project setup#21

Open
austinkennethtucker wants to merge 1 commit into
mainfrom
codex/ci-security-maintenance-20260712
Open

Fix CI security gates and Codex project setup#21
austinkennethtucker wants to merge 1 commit into
mainfrom
codex/ci-security-maintenance-20260712

Conversation

@austinkennethtucker

Copy link
Copy Markdown
Contributor

Summary

  • stop rejecting valid GitHub Actions checkout paths while preserving the dangerous-mount denylist and add regression coverage
  • replace the vulnerable Bookworm Python base with Python 3.12.13 on Trixie
  • remove the repository custom CodeQL job because GitHub default setup is already enabled and rejects advanced-setup SARIF uploads
  • add a validated, conservative Codex project environment plus durable project guidance

Evidence

The existing CI failed in check_compose_security.py because /home/runner/work/... contains /runner. The scheduled security workflow also reported 27 fixable HIGH or CRITICAL Debian findings, and its CodeQL upload failed with advanced configurations cannot be processed when the default setup is enabled.

Validation

  • Codex setup validator: 0 errors, 0 warnings
  • setup command: completed successfully in a clean origin-based branch
  • pytest: 57 passed
  • repository hygiene: passed
  • local and image Compose security checks: passed
  • Python dependency audit: no known vulnerabilities
  • Trivy 0.70.0 scan of python:3.12.13-slim-trixie: 0 HIGH or CRITICAL findings
  • Trivy filesystem vulnerability and secret scan: 0 findings
  • workflow YAML parse and git diff --check: passed

Docker Desktop required an administrator approval to configure its socket, so a full local image build was not performed. The unchanged GitHub container-scan job is expected to provide authoritative built-image verification on this PR.

Boundaries

No image was published, no release was created, and no authentication, trust, registry, or repository settings were changed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant