synor/.forgejo/workflows/security.yml
Gulshan Yadav d9fd97bb96
chore: migrate from GitHub to Forgejo (git.misar.io)
- Move .github/workflows/ to .forgejo/workflows/ (YAML otherwise identical; runner labels changed to self-hosted)
- Drop macOS/Windows CI matrix legs (no macOS/Windows runners on self-hosted act_runner)
- Update Cargo.toml repository URL to git.misar.io/misaradmin/synor
- Remove .github/dependabot.yml (not applicable on Forgejo)
2026-03-30 08:20:39 +05:30


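# Security Audit CI Workflow
# Runs automated security checks on pushes to main/develop, on pull
# requests targeting main, and on a weekly schedule.
#
# SECURITY NOTE: This workflow does not use any untrusted inputs
# (issue titles, PR descriptions, etc.) in run commands.
#
# Third-party actions below are referenced by mutable tags (@v4, @stable,
# @v1, @v2). Pinning each to a full commit SHA would remove the window in
# which a moved tag changes what runs here; the SHAs are not recorded in
# this file, so that is left as a follow-up.
name: Security Audit

# Least privilege for the workflow token: nothing in this file needs to
# write to the repository. Enforced by GitHub Actions; Forgejo Actions may
# not honour this key — confirm against the act_runner version in use.
permissions:
  contents: read

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Sundays at midnight
    - cron: '0 0 * * 0'

jobs:
  # ============================================================================
  # Vulnerability Scanning
  # ============================================================================
  cargo-audit:
    name: Vulnerability Scan
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Run cargo-audit
        # --deny warnings fails the job on warning-class advisories
        # (e.g. unmaintained crates), not only on vulnerabilities.
        run: cargo audit --deny warnings

  # ============================================================================
  # License & Policy Check
  # ============================================================================
  cargo-deny:
    name: License & Security Policy
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Run cargo-deny
        uses: EmbarkStudios/cargo-deny-action@v1
        with:
          # "check all" runs every cargo-deny check: advisories, bans,
          # licenses and sources.
          command: check all

  # ============================================================================
  # Static Analysis
  # ============================================================================
  clippy:
    name: Static Analysis (Clippy)
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Run Clippy
        # unwrap/expect are denied so panic paths on unexpected input are
        # lint errors. pedantic is requested at warn level after
        # -D warnings, so it is intended to be advisory rather than gating.
        run: |
          cargo clippy --all-targets --all-features -- \
            -D warnings \
            -D clippy::unwrap_used \
            -D clippy::expect_used \
            -W clippy::pedantic

  # ============================================================================
  # Secret Scanning
  # ============================================================================
  secrets-scan:
    name: Secret Detection
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks scans every commit, not only HEAD.
          fetch-depth: 0
      - name: Detect secrets with gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          # NOTE(review): relies on Forgejo exposing the workflow token under
          # the GitHub-compatible secret name — confirm on this instance.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # ============================================================================
  # Dependency Freshness
  # ============================================================================
  outdated:
    name: Check Outdated Dependencies
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-outdated
        run: cargo install cargo-outdated --locked
      - name: Check outdated
        # --root-deps-only reports direct dependencies; --exit-code 1 marks
        # the step failed when any is outdated.
        run: cargo outdated --root-deps-only --exit-code 1
        # Advisory only: the step may fail but the job stays green, so
        # outdated dependencies never block a merge.
        continue-on-error: true

  # ============================================================================
  # Unsafe Code Detection
  # ============================================================================
  geiger:
    name: Unsafe Code Audit
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-geiger
        run: cargo install cargo-geiger --locked
      - name: Run cargo-geiger
        run: cargo geiger --output-format Ratio
        # Advisory only: newly introduced unsafe code is reported in the
        # log but does not fail the pipeline.
        continue-on-error: true

  # ============================================================================
  # Property Tests
  # ============================================================================
  property-tests:
    name: Property-Based Testing
    runs-on: self-hosted
    env:
      # Read by proptest to set the number of generated cases per test;
      # quoted so the value stays a string in the environment.
      PROPTEST_CASES: "500"
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Run property tests
        # Runs only tests whose name contains "proptest", single-threaded;
        # presumably so failing cases are easier to reproduce — confirm.
        run: cargo test --release proptest -- --test-threads=1

  # ============================================================================
  # WASM Security
  # ============================================================================
  wasm-audit:
    name: WASM Module Security
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown
      - name: Install wasm-pack
        # Installed from crates.io with a locked lockfile rather than piping
        # a remote installer script into sh: the build is reproducible and no
        # unverified code from outside the crates index is executed.
        run: cargo install wasm-pack --locked
      - name: Build WASM
        working-directory: crates/synor-crypto-wasm
        run: wasm-pack build --target bundler --release
      - name: Check WASM size
        # Fails when the artifact is missing as well as when it is too
        # large, so a changed output path cannot silently skip the gate.
        run: |
          WASM_FILE="crates/synor-crypto-wasm/pkg/synor_crypto_bg.wasm"
          if [ ! -f "$WASM_FILE" ]; then
            echo "::error::WASM artifact not found: $WASM_FILE"
            exit 1
          fi
          WASM_SIZE=$(wc -c < "$WASM_FILE")
          echo "WASM size: $WASM_SIZE bytes"
          # Fail if over 1MB
          if [ "$WASM_SIZE" -gt 1048576 ]; then
            echo "::error::WASM module too large"
            exit 1
          fi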