From 66c2a6c605d64172a58090e495c1748f55f54967 Mon Sep 17 00:00:00 2001 From: Donny <271941740+donny-devops@users.noreply.github.com> Date: Sun, 17 May 2026 15:11:58 -0400 Subject: [PATCH 1/4] security: add repository hygiene workflow --- .github/workflows/security-hygiene.yml | 35 ++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/security-hygiene.yml diff --git a/.github/workflows/security-hygiene.yml b/.github/workflows/security-hygiene.yml new file mode 100644 index 0000000..0f873a1 --- /dev/null +++ b/.github/workflows/security-hygiene.yml @@ -0,0 +1,35 @@ +name: Security Hygiene + +on: + push: + branches: [main] + pull_request: + branches: [main] + workflow_dispatch: + +permissions: + contents: read + +jobs: + hygiene: + name: Secret hygiene + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Block obvious private keys and tokens + shell: bash + run: | + SECRET_PATTERN='BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY|ghp_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z_-]{20,}|sk-[A-Za-z0-9]{20,}' + if grep -RInE "$SECRET_PATTERN" . \ + --exclude-dir=.git \ + --exclude=.github/workflows/security-hygiene.yml; then + echo "Potential secret material found. Remove it and rotate the credential." + exit 1 + fi From babb9893c5715a074ecefba47bf58ab3c78ad144 Mon Sep 17 00:00:00 2001 From: Donny <271941740+donny-devops@users.noreply.github.com> Date: Wed, 20 May 2026 19:37:46 -0400 Subject: [PATCH 2/4] Add AgentOps fleet quality gate --- .github/workflows/agentops-fleet.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .github/workflows/agentops-fleet.yml diff --git a/.github/workflows/agentops-fleet.yml b/.github/workflows/agentops-fleet.yml new file mode 100644 index 0000000..3088da4 --- /dev/null +++ b/.github/workflows/agentops-fleet.yml @@ -0,0 +1,22 @@ +name: AgentOps Fleet Gate + +on: + push: + pull_request: + workflow_dispatch: + schedule: + - cron: '31 8 * * 1' + +permissions: + contents: read + actions: read + security-events: write + pull-requests: read + +jobs: + agentops: + uses: donny-devops/github-actions-templates/.github/workflows/reusable-agentops.yml@main + with: + python-version: '3.12' + node-version: '22' + run-security-audit: true From 0c5ed907a91bf5d1d4b8b13ae1c78d4c17cba11a Mon Sep 17 00:00:00 2001 From: Adonis Jimenez <271941740+donny-devops@users.noreply.github.com> Date: Sun, 21 Jun 2026 07:49:08 -0400 Subject: [PATCH 3/4] ci: fix lint permissions + add Trivy image scan + pip cache (#42) Updated CI workflow to improve p- Drop contents:write from lint job (was over-privileged for auto-commit) - Switch to ruff format --check (no auto-push) to keep CI read-only - Add cache: pip to both lint and test setup-python steps - Add retention-days: 7 to coverage artifact - Scope docker job permissions explicitly (packages:write, security-events:write) - Add Trivy SARIF image scan after docker push, upload to GitHub Security - Add provenance + sbom attestations to build-pushermissions and steps. --- .github/workflows/ci.yml | 56 +++++++++++++++++++++++----------------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7be5d57..64eb9a5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -9,17 +9,15 @@ on: env: FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true +permissions: + contents: read + jobs: lint: name: Lint (ruff) runs-on: ubuntu-latest - permissions: - contents: write steps: - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - token: ${{ secrets.GITHUB_TOKEN }} - uses: actions/setup-python@v5 with: @@ -31,18 +29,13 @@ jobs: - name: Lint with ruff run: ruff check . --output-format=github - - name: Format with ruff - run: | - ruff format . - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config user.name "github-actions[bot]" - git diff --quiet || git commit -am "style: auto-format with ruff" && git push + - name: Format check with ruff + run: ruff format --check . test: name: Test (pytest + PostgreSQL) runs-on: ubuntu-latest needs: lint - services: postgres: image: postgres:16-alpine @@ -57,13 +50,12 @@ jobs: --health-retries 5 ports: - 5432:5432 - env: DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb SECRET_KEY: test-secret - steps: - uses: actions/checkout@v4 + - uses: actions/setup-python@v5 with: python-version: "3.12" @@ -75,38 +67,37 @@ jobs: pip install -r requirements.txt - name: Run migrations - run: | - flask db upgrade + run: flask db upgrade env: FLASK_APP: "app:create_app()" - name: Run pytest - run: | - pytest --cov=app --cov-report=xml --cov-fail-under=85 -v + run: pytest --cov=app --cov-report=xml --cov-fail-under=85 -v - name: Upload coverage uses: actions/upload-artifact@v4 with: name: coverage-report path: coverage.xml + retention-days: 7 docker: name: Build & Push Docker Image runs-on: ubuntu-latest needs: test - if: github.event_name == 'push' && github.ref == 'refs/heads/main' permissions: contents: read packages: write - + security-events: write + if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@v3 - name: Log in to GHCR - uses: docker/login-action@v4 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -114,7 +105,7 @@ jobs: - name: Extract metadata id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@v5 with: images: ghcr.io/${{ github.repository }} tags: | @@ -122,10 +113,27 @@ jobs: type=raw,value=latest - name: Build and push - uses: docker/build-push-action@v5 + id: build + uses: docker/build-push-action@v6 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} cache-from: type=gha cache-to: type=gha,mode=max + provenance: true + sbom: true + + - name: Trivy image scan + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository }}:latest + format: sarif + output: trivy.sarif + severity: HIGH,CRITICAL + exit-code: '0' + + - name: Upload Trivy results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy.sarif From d10f420d311ac65f7b5c0b1239c5d205ee10329c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 21 Jun 2026 11:50:58 +0000 Subject: [PATCH 4/4] chore(deps): bump actions/checkout from 4 to 7 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64eb9a5..5325c25 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: name: Lint (ruff) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 - uses: actions/setup-python@v5 with: @@ -54,7 +54,7 @@ jobs: DATABASE_URL: postgresql://testuser:testpass@localhost:5432/testdb SECRET_KEY: test-secret steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 - uses: actions/setup-python@v5 with: @@ -91,7 +91,7 @@ jobs: security-events: write if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v7 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3