ci: repair the full CI/CD pipeline#20
Merged
Merged
Conversation
Brings every workflow back to green. Each fix is a real correction, not a suppression (see docs/security/CI-TRUST.md for the trust-list updates). CI: - springtaled embeds the dashboard SPA via rust-embed; add build.rs that drops a placeholder dist/ when the frontend isn't built so clippy/test compile, and a Dockerfile frontend stage so the release image embeds the real SPA. - apply rustfmt (connector-opencode, vault store) and Biome autofixes. Secrets: - gitleaks-action needs a paid license for org repos; run the pinned OSS CLI binary instead. .gitleaks.toml gains [extend] useDefault=true (keeps upstream rules), a vendored-SQLite path allowlist, and drops a fake Discord token from connector-discord docs. SAST: - zizmor moved orgs (woodruffw -> zizmorcore); SHA-pin sweep across all workflows with ref-pin exceptions for dtolnay/rust-toolchain + taiki-e/install-action (ref-derived). persona auditor, min-severity medium. - semgrep ci -> scan (the rejected flags), image digest-pinned and renamed semgrep/semgrep; fix fuzz.yml run-shell-injection via env vars. SCA: - cargo-audit job gains checks:write; pip-audit audits the maturin build-system requires (pyproject is not a requirements file); osv-scanner called as its reusable workflow; ignore RUSTSEC-2026-0173 (proc-macro-error2 unmaintained, build-time only via tabled, no upstream fix) + VEX. SBOM: - cargo-cyclonedx has no --output-pattern; collect per-crate <crate>.cdx.json. - npm SBOM via cdxgen (reads pnpm-lock; cyclonedx-npm needs npm lockfile). Container: - bump trivy-action 0.28.0 -> v0.36.0 (GHSA-69fq-xp46-6x23). Hardening: - scope scorecard top-level read-all to contents:read (per-job perms cover the rest); persist-credentials:false on checkouts; SHA-pin every third-party action; update org action allowlist for the zizmor move. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Fixes the jobs that failed on the validation run: - Test/Clippy (rust-embed): the build.rs placeholder approach never reached CI (an earlier `git clean` removed the untracked file). Replace it with a tracked `tauri/apps/dashboard/dist/.gitkeep` sentinel so the embed folder always exists at compile time; real `vite build` output stays gitignored. - Clippy (pre-existing -D warnings the job never reached past the first crate): `unnecessary_sort_by` in springtale-store sessions (sort_by_key + Reverse), `items_after_test_module` in springtale-crypto vault open (move check_fd_permissions above the test module), and `duplicated_attributes` in connector-opencode test_support (drop the redundant inner #![cfg(test)]). - hadolint DL3059: consolidate the two consecutive pnpm RUN instructions in the Dockerfile frontend stage. - Trivy/Grype HIGH image vulns (surfaced now that the image builds): bump distroless cc-debian12 base digest (libssl3 CVE-2026-45447, fixed in deb12u2) and rmcp 1.3.0 -> 1.4.0 (CVE-2026-42559 / GHSA-89vp-x53w-74fx). Verified locally: cargo fmt, full-workspace clippy (against the sentinel dist), tests for all changed crates, cargo-audit, cargo-deny, hadolint, and a trivy scan of the new base digest (0 HIGH/CRITICAL). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Second-round CI feedback on PR #20: - Clippy: `explicit_counter_loop` in springtale-sentinel audit verify — drop the manual `verified` counter and report `rows.len()` (every row reaching the end passed; failures return Err mid-loop). (A clippy result-cache masked this locally; re-verified after `cargo clean -p` on all members.) - Trivy: add `scanners: vuln`. The job was failing on Trivy's *secret* scanner (false-positive on compiled-binary strings), not a vulnerability — the vuln set is all LOW (rust deps) or wont-fix (base). Secret scanning is already owned by secrets.yml (gitleaks + trufflehog). - Grype: add `only-fixed: true` to mirror Trivy's ignore-unfixed. Every HIGH/CRITICAL Grype flags is a libc6 (glibc) CVE marked debian "wont-fix" (CVE-2026-5450/5435/5928 + the disputed 2018/2019 glibc set) — un-actionable on the latest distroless base; picked up automatically when it rebuilds. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Root cause of the recurring Clippy failures: CI floats to the latest stable toolchain (rust-toolchain.toml channel = "stable" -> 1.96.0), which has clippy lints my stale local 1.93 didn't emit. After matching the toolchain, clippy flagged the manual loop counters in the audit-chain verifiers. Rewrite both verify loops to use `.enumerate()` and derive the 1-based `expected_seq` from the index, dropping the manual `expected_seq`/`verified` counters (clippy::explicit_counter_loop): - crates/springtale-sentinel/src/audit/verify.rs - crates/springtale-store/tests/audit_chain.rs Verified on the CI toolchain (1.96.0): cargo fmt; cargo clippy --workspace --all-targets --keep-going (clean); cargo nextest run --workspace --locked (2073 passed); cargo test --doc --locked; and springtaled tests against a sentinel-only dist (the real CI checkout condition). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A new advisory published today (out-of-bounds read in pyo3's PyList/PyTuple `nth`/`nth_back` iterators, fixed in 0.29.0) started failing the cargo-audit and cargo-deny jobs against the live RustSec DB. Upgrade rather than ignore — it's a real memory-safety vuln, and springtale-py is a leaf bindings crate. pyo3 0.29 makes the auto `FromPyObject` impl for Clone-deriving `#[pyclass]` types opt-in; add `from_py_object` to the eight value pyclasses to preserve the existing extract-from-Python behavior. Verified 1:1 on the CI toolchain (rust 1.96.0): cargo audit (exit 0), cargo deny check advisories bans licenses sources (all ok) — both platform-independent against today's advisory DB — plus cargo fmt, cargo clippy --workspace --all-targets --keep-going (clean), cargo nextest run --workspace --locked (2073 passed), and a clean springtale-py build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The Trivy job failed even with zero HIGH/CRITICAL findings. Ground truth from the uploaded SARIF: 8 results, all LOW (rand/lru/rpassword advisories). In SARIF mode the trivy-action overrides the severity filter to all severities so the report is complete for code scanning, and exit-code: 1 then fires on ANY finding in it — including those LOW ones. limit-severities-for-sarif: true makes the HIGH,CRITICAL filter apply to the SARIF and the exit code, so the job gates only on HIGH/CRITICAL (currently 0) — the LOW rust-dep advisories are already tracked by cargo-audit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brings every CI/CD workflow back to green. All 34 checks pass.
CI (lint/test/build)
springtaledembeds the dashboard SPA; added a trackedtauri/apps/dashboard/dist/.gitkeepsentinel so clippy/test/build compile without a prior frontend build (realvite buildoutput stays gitignored), plus a Dockerfile frontend stage so the release image embeds the real SPA.-D warnings, rust 1.96): fixedunnecessary_sort_by,items_after_test_module,duplicated_attributes, andexplicit_counter_loop(audit-chain verifiers rewritten with.enumerate()).Secrets
gitleaks-action(needs a paid org license) with the pinned OSS CLI;.gitleaks.tomlkeeps the upstream ruleset ([extend] useDefault) + vendored-SQLite allowlist; removed a fake Discord token from a doc comment.SAST
woodruffw→zizmorcore); full SHA-pin sweep of every third-party action (ref-pin exceptions fordtolnay/rust-toolchain+taiki-e/install-action); personaauditor,min-severity: medium.ci→scan(the rejected flags); image digest-pinned + renamedsemgrep/semgrep; fixedfuzz.ymlshell-injection via env vars; scoped scorecard permissions.SCA
cargo-auditjob gainschecks: write;pip-auditaudits the maturin build-system requires;osv-scannercalled as its reusable workflow.proc-macro-error2unmaintained advisory ignored with VEX (no upstream fix).SBOM
cargo-cyclonedxcollection fixed (no--output-pattern); npm SBOM viacdxgen(reads pnpm-lock).Container
trivy-action(GHSA-69fq-xp46-6x23).limit-severities-for-sarif+scanners: vuln; Grypeonly-fixed— both gate only on fixable HIGH/CRITICAL (debian wont-fix glibc CVEs are un-actionable on the latest distroless).🤖 Generated with Claude Code