ci: consolidate release pipeline and add PR security gate#303

Merged: digitalghost-dev merged 7 commits into main from ci-edits, Jun 23, 2026
Conversation

digitalghost-dev (Owner) commented Jun 22, 2026

Summary by CodeRabbit

  • Chores
    • Removed the previous CI workflow.
    • Added a dedicated pull-request Security workflow running gosec and Bandit scans.
    • Overhauled the release pipeline with stronger tag-build gating, packaging/publishing, docs-image publishing, SBOM generation and vulnerability scanning, and multi-arch Docker manifest publishing (including updated changelog filtering).
  • Documentation
    • Updated the local deployment documentation link for “Other connectors” to the v3 compatibility page.
  • Style
    • Added linter suppression annotations and adjusted config directory save permissions to 0o750.

coderabbitai Bot (Contributor) commented Jun 22, 2026

📝 Walkthrough

ci.yml is deleted and all its jobs are absorbed into an expanded release.yml, which is renamed "Release" and gains workflow-level permissions and env globals. A new security.yml handles PR-scoped gosec and bandit scanning. The release pipeline gains smoke tests, security scanners, Linux package cross-compilation with Cloudsmith upload, docs link validation, docs/CLI ECR image publishing, SBOM generation, grype scanning, and multi-arch Docker manifest creation. Source code receives security linter suppressions, file permission hardening, and Dockerfiles gain linter ignores. The goreleaser changelog filter gains ci, chore, and build exclusion patterns.

Changes

CI/CD Workflow Consolidation and Security Hardening

| Layer | File(s) | Summary |
|---|---|---|
| Workflow rename, permissions, env setup, and new security.yml | .github/workflows/release.yml, .github/workflows/security.yml | release.yml is renamed "Release" and gains explicit permissions and global env vars. New security.yml runs gosec and bandit on PRs with read-only permissions and medium severity/confidence thresholds. |
| CI gating jobs: smoke tests, security scanners, Rust cache, gitleaks | .github/workflows/release.yml | Adds smoke-tests (matrix across Linux/macOS/Windows), gosec (SARIF upload), bandit (Python/uv, SARIF upload), rust-cache (build + unit test + network smoke test against pokeapi.co), and gitleaks (Docker-container scan, SARIF upload). All gate the goreleaser job. |
| Linux package cross-compilation and Cloudsmith upload | .github/workflows/release.yml | build-linux-packages cross-compiles Go CLI and Rust poke-cache for amd64/arm64 and produces DEB/RPM via nfpm. upload-deb-packages and upload-rpm-packages push to Cloudsmith. upload-summary fails the workflow if either upload is not successful. |
| Docs link validation, docs Docker image, CLI Docker pipeline, and SBOM/grype scanning | .github/workflows/release.yml | validate-links runs lychee over docs markdown. build-docs-docker-image builds and exports a docs-only Docker image; upload-docs-to-ecr pushes it to ECR as :latest. lint-cli-dockerfile runs hadolint. build-cli-docker-image builds and uploads the CLI image tar. upload-cli-to-ecr provides a backup ECR push. syft generates an SPDX JSON SBOM; grype scans it and uploads a SARIF report. |
| Multi-arch Docker manifest, goreleaser gating update, and changelog filters | .github/workflows/release.yml, .goreleaser.yml | architecture-build builds amd64/arm64 images by digest via buildx. create-manifest-and-push assembles and pushes the manifest list. The goreleaser job's needs is expanded; goreleaser-action is bumped to v7. goreleaser.yml changelog filters gain ci, chore, and build exclusion patterns. |
| Source code and Dockerfile security suppressions and file permission hardening | cli.go, cmd/types/damage_table.go, cmd/utils/web.go, connections/cache.go, flags/config.go, styling/styling.go, Dockerfile, docs/Infrastructure_Guide/local-deployment.md | Go files add `// #nosec` comments (G115 for terminal detection, G204 for command execution, G304 for file read). flags/config.go changes `os.MkdirAll` permission from `0o755` to `0o750` for stricter config directory access. `Dockerfile` adds `hadolint ignore` directives for apk-cache warnings. Documentation link for Soda Core connectors is updated to v3 compatibility page. |

Sequence Diagram

```mermaid
sequenceDiagram
  participant Developer
  participant smoke-tests
  participant gosec
  participant bandit
  participant gitleaks
  participant goreleaser
  participant rust-cache
  participant build-linux
  participant docs-build
  participant cli-build
  participant multiarch

  Developer->>smoke-tests: push to tag
  smoke-tests->>gosec: pass
  smoke-tests->>bandit: pass
  smoke-tests->>rust-cache: pass
  gosec->>gitleaks: pass
  bandit->>gitleaks: pass
  gitleaks->>goreleaser: release approved
  rust-cache->>goreleaser: cache verified
  smoke-tests->>goreleaser: binaries built
  goreleaser->>build-linux: release artifacts
  goreleaser->>docs-build: start build
  goreleaser->>cli-build: start build
  cli-build->>multiarch: manifest
  multiarch->>Developer: published
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • digitalghost-dev/poke-cli#224: Both PRs touch GitHub Actions workflow definitions and security scanning integrations (gitleaks, validate-links, and related CI/CD jobs).

Poem

🐇 Hopped through the YAML, deleted the old,
One workflow to rule them, brave and bold!
Smoke tests on Windows, Mac, and Linux too,
SBOM and grype scanning all shiny and new.
Multi-arch manifests, amd64 and arm,
The bunny kept everything safe from harm! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title directly and clearly describes the main changes: consolidating CI workflows into the release pipeline and adding a new PR-level security gate workflow. |


codecov Bot commented Jun 22, 2026

Codecov Report

❌ Patch coverage is 55.55556% with 4 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/utils/web.go | 33.33% | 2 Missing ⚠️ |
| connections/cache.go | 0.00% | 1 Missing ⚠️ |
| flags/config.go | 50.00% | 0 Missing and 1 partial ⚠️ |

| Files with missing lines | Coverage Δ |
|---|---|
| cli.go | 75.20% <100.00%> (ø) |
| cmd/types/damage_table.go | 97.22% <100.00%> (ø) |
| styling/styling.go | 81.03% <100.00%> (-0.45%) ⬇️ |
| connections/cache.go | 67.56% <0.00%> (ø) |
| flags/config.go | 50.76% <50.00%> (ø) |
| cmd/utils/web.go | 70.00% <33.33%> (ø) |

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 60-63: The gosec security scanner is currently non-blocking due to
the `-no-fail` flag in the args parameter of the securego/gosec action. Remove
the `-no-fail` flag from the args to make security findings enforceable,
ensuring that the job will fail if vulnerabilities are detected rather than just
reporting them without blocking the workflow.
- Around line 46-50: The release workflow gating tests make direct calls to the
live pokeapi.co API through commands like "pokemon pikachu", "pokemon
charizard", "ability overgrow", "move thunderbolt", and "mechanics --natures",
which means transient API or network outages can block releases regardless of
code quality. Replace these live API calls with mocked API responses or
configure the test commands to use a mock server or offline test mode so that
release gating is not dependent on external service availability.
- Around line 10-13: The workflow file grants elevated write permissions
(contents: write, id-token: write, security-events: write) at the top level,
making them available to all jobs unnecessarily. Move these write permissions
from the top-level permissions section into the specific job definitions that
actually require them. First, either remove these elevated permissions from the
top-level permissions block or set them to read-only there, then add a
permissions section within each job that needs elevated access with only the
specific permissions required for that job's tasks.
- Around line 30-33: Replace all mutable version tags in the `uses:` statements
throughout both .github/workflows/release.yml and .github/workflows/security.yml
with their corresponding full commit SHAs. For each action reference (such as
actions/checkout@v6, actions/setup-go@v6, and all others listed in the affected
lines), find the commit SHA for that specific version tag from the action's
GitHub repository and replace the `@v`# tag with the full commit hash. This
applies to all 50 affected lines across both workflow files to ensure
supply-chain security and prevent drift from future changes to those version
tags.

In @.github/workflows/security.yml:
- Around line 16-19: The workflow file uses mutable tag references for GitHub
Actions (actions/checkout@v6, securego/gosec@v2.25.0, actions/setup-python@v6,
and astral-sh/setup-uv@v7) which can silently change upstream. Replace these
mutable version tags with immutable commit SHAs for all occurrences of each
action throughout the file (checkout appears on lines 16 and 28, gosec on line
19, setup-python on line 31, and setup-uv on line 36). Convert each action
reference from the format "action@vX.Y.Z" to "action@<full-commit-sha>" to
ensure reproducible and secure workflow execution.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a526571-6674-4772-be64-7d1cedf14c08

📥 Commits

Reviewing files that changed from the base of the PR and between 5c21099 and dab7dd9.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • .github/workflows/security.yml
  • .goreleaser.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/ci.yml
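
The three findings in the review above (gosec run with `-no-fail`, write permissions granted at workflow level, and mutable `@vX` action tags) are all checkable from the workflow text alone. The following linter is an added example, not code from this PR or from the poke-cli project: the two workflow snippets are constructed to resemble the reviewed files rather than copied from them, the 40-digit commit SHAs in the hardened snippet are placeholders, and the function names are the example's own. It is line-oriented and uses only the standard library, so it runs without PyYAML.

```python
"""Lint a GitHub Actions workflow for mutable action tags, workflow-level
write permissions, and a gosec step that carries -no-fail.
Added example; not part of the PR or of the poke-cli project."""
import re

# Constructed sample resembling the reviewed release.yml (not the real file).
WEAK_WORKFLOW = """\
name: Release
permissions:
  contents: write
  id-token: write
  security-events: write
jobs:
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: securego/gosec@v2.25.0
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'
"""

# Constructed hardened form: read-only default, write scoped to the one job
# that uploads SARIF, actions pinned by SHA (placeholder digits, not real
# commits), and gosec allowed to fail the job.
HARDENED_WORKFLOW = """\
name: Release
permissions:
  contents: read
jobs:
  gosec:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v6
      - uses: securego/gosec@1111111111111111111111111111111111111111 # v2.25.0
        with:
          args: '-fmt sarif -out results.sarif ./...'
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ARGS_RE = re.compile(r"^\s*args:\s*(.*)$")
PERM_RE = re.compile(r"^\s+([\w-]+):\s*(\w+)")


def unpinned_actions(text):
    """Return every 'owner/repo@ref' whose ref is not a full 40-hex commit SHA.
    Local actions (./path) carry no ref and are skipped."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):
            continue
        ref = m.group(1).rsplit("@", 1)[1]
        if not SHA_RE.match(ref):
            found.append(m.group(1))
    return found


def top_level_write_permissions(text):
    """Return keys granted 'write' in the workflow-level permissions block
    (column 0). Job-level blocks are indented and therefore ignored; the
    'permissions: write-all' shorthand is reported as a single entry."""
    keys, in_block = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("permissions:"):
            value = line.split(":", 1)[1].strip()
            if value == "write-all":
                return ["write-all"]
            in_block = not value      # a bare 'permissions:' opens a block
            continue
        if in_block and not line.startswith(" "):
            in_block = False          # next top-level key ends the block
        if in_block:
            m = PERM_RE.match(line)
            if m and m.group(2) == "write":
                keys.append(m.group(1))
    return keys


def has_no_fail_args(text):
    """True if any args: value carries gosec's -no-fail switch, which turns
    findings into reports that never fail the job."""
    return any("-no-fail" in m.group(1)
               for m in map(ARGS_RE.match, text.splitlines()) if m)


def audit(text):
    """Run all three checks; 'ok' is True only when every check is clean."""
    report = {
        "unpinned": unpinned_actions(text),
        "top_level_write": top_level_write_permissions(text),
        "gosec_no_fail": has_no_fail_args(text),
    }
    report["ok"] = not (report["unpinned"] or report["top_level_write"]
                        or report["gosec_no_fail"])
    return report


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(wf))
```

Running it reports the two unpinned actions, the three workflow-level write grants and the `-no-fail` switch for the weak snippet, and a clean result for the hardened one. A trailing `# v6` comment after a SHA pin is the conventional way to keep the tag readable for humans and for dependabot-style updaters, which is why the regex stops at `#`.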

@github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@digitalghost-dev digitalghost-dev changed the title Ci edits ci edits Jun 22, 2026
@digitalghost-dev digitalghost-dev changed the title ci edits ci: consolidate release pipeline and add PR security gate Jun 22, 2026
@digitalghost-dev digitalghost-dev merged commit 8b4d4c3 into main Jun 23, 2026
8 checks passed
@digitalghost-dev digitalghost-dev deleted the ci-edits branch June 23, 2026 03:19