chore: bump version to 0.3.12 #105
| name: Security | |
| # ── Trigger strategy ───────────────────────────────────────────────────────── | |
| # • push to main → full security suite on every merged commit | |
| # • pull_request → lightweight gate (secret scan + license check only) | |
| # Heavy jobs (cargo compile, trivy) run post-merge. | |
| # • schedule weekly → full audit even without code changes (CVE freshness) | |
| # • workflow_dispatch → manual on-demand run | |
| # | |
| # Rationale: running cargo-audit + cargo-deny + trivy on every PR compiles the | |
| # workspace twice and costs ~15 min of Linux time per PR. The risk window is | |
| # acceptable because: (1) secret scanning still runs on PRs, (2) deps cannot | |
| # reach production until merged to main. | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly Monday 6 AM UTC | |
| workflow_dispatch: | |
| env: | |
| CARGO_TERM_COLOR: always | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # ── Secret scanning (runs on PRs + push — fast, no compilation) ────────── | |
| secrets: | |
| name: Secret Scanning (gitleaks) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install gitleaks | |
| run: | | |
| GITLEAKS_VERSION="8.21.2" | |
| curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \ | |
| | tar xz -C /usr/local/bin gitleaks | |
| - name: Gitleaks scan | |
| run: gitleaks detect --source . --verbose --redact --config .gitleaks.toml | |
| # ── License + ban check (runs on PRs + push, fast) ─────────────────────── | |
| deny: | |
| name: License & Ban Check (cargo-deny) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| - name: Install cargo-deny | |
| run: cargo install --locked cargo-deny@0.18.2 | |
| - name: Run cargo-deny | |
| run: cargo deny check licenses bans sources --config deny.toml | |
| # ── Dependency vulnerability audit (post-merge + schedule only) ────────── | |
| # Skipped on PRs: cargo-audit requires a full workspace resolve and is | |
| # better run on known-good (merged) code to reduce noise. | |
| audit: | |
| name: Dependency Audit (cargo-audit) | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' | |
| # Advisory only — upstream CVEs should not block the pipeline. | |
| # Review findings in GitHub Security tab. | |
| continue-on-error: true | |
| permissions: | |
| contents: read | |
| checks: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: rustsec/audit-check@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # ── Clippy security lints (post-merge + schedule only) ─────────────────── | |
| # CI already runs clippy on every PR. This job adds security-focused lints | |
| # (unsafe, integer arithmetic, etc.) only when merging. | |
| clippy-security: | |
| name: Clippy Security Lints | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| components: clippy | |
| - uses: Swatinem/rust-cache@v2 | |
| - name: Security-focused clippy | |
| run: cargo clippy --workspace --no-default-features --exclude momoto-core --exclude momoto-metrics --exclude momoto-intelligence -- -D warnings | |
| # ── Container/filesystem scan (post-merge + schedule only) ─────────────── | |
| trivy: | |
| name: Trivy Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name != 'pull_request' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy (filesystem scan) | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: HIGH,CRITICAL | |
| exit-code: 0 # Report only — don't fail build | |
| - name: Upload Trivy SARIF | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif | |
| category: trivy-filesystem | |
| # ── Weekly SBOM snapshot (schedule only, no code changes required) ──────── | |
| sbom-weekly: | |
| name: Weekly SBOM | |
| runs-on: ubuntu-latest | |
| # Guard against forks accidentally consuming minutes via inherited schedules | |
| if: github.event_name == 'schedule' && github.repository == 'cuervo-ai/halcon-cli' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install syft | |
| run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Generate SBOM | |
| run: | | |
| syft dir:. \ | |
| --output spdx-json=sbom-weekly.spdx.json \ | |
| --output cyclonedx-json=sbom-weekly.cyclonedx.json | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: weekly-sbom-${{ github.run_id }} | |
| path: | | |
| sbom-weekly.spdx.json | |
| sbom-weekly.cyclonedx.json | |
| retention-days: 90 |
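Review bot: The syft install on line 123 fetches `install.sh` from the `main` branch and passes no version, so the weekly SBOM job runs whatever the installer resolves to at that moment, with no checksum — unlike gitleaks (8.21.2), cargo-deny (0.18.2) and trivy-action (0.35.0), which are all pinned in this same file. Pin both the script and the binary, e.g. `run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/<PINNED_SYFT_TAG>/install.sh | sh -s -- -b /usr/local/bin <PINNED_SYFT_TAG>` (placeholder tag), and consider the same treatment for the gitleaks tarball on line 41, whose version is pinned but whose download is never verified against a published checksum. Separately, the workflow sets no top-level `permissions:`, so the `secrets`, `deny`, `clippy-security` and `sbom-weekly` jobs inherit the repository's default GITHUB_TOKEN scope; a top-level `permissions:` block with `contents: read` would confine them, while the per-job blocks on `audit` and `trivy` continue to widen only what those jobs need. The third-party actions are pinned to mutable tags (`@v4`, `@v2`, `@stable`) rather than commit SHAs, which is the remaining unpinned surface.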