mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-04-11 15:33:08 +09:00
* Add GitHub Actions audit job (actionlint + zizmor) to CI

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Configure dependabot for GitHub Actions, bundler, and Docker

  Batches all action updates into a single weekly PR. Adds cooldown periods to all ecosystems.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add local GitHub Actions linting (actionlint + zizmor) to bin/setup and bin/ci

  Install actionlint, shellcheck, and zizmor in bin/setup. Run both linters as CI steps in config/ci.rb alongside existing style checks.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Pin all GitHub Actions to SHA hashes

  Run pinact to pin action versions to specific commit SHAs, preventing supply chain attacks from tag mutation.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix high severity zizmor findings

  - Suppress unpinned-images for redis service containers (digest pinning is nontrivial for service containers)
  - Move workflow-level permissions to job-level in publish-image.yml (build gets full set, manifest gets only what it needs)

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix medium severity zizmor findings

  - Add persist-credentials: false to all checkout steps
  - Add permissions: {} at workflow level in ci.yml
  - Add job-level permissions (contents: read) to all CI jobs

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix informational template-injection findings in publish-image.yml

  Move steps.meta.outputs.tags from inline ${{ }} expressions to env vars in both the manifest creation and cosign signing steps.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update brakeman to 8.0.4

  bin/brakeman uses --ensure-latest which fails if not on the newest version.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
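The commit message above describes four workflow hardenings (SHA-pinned actions, `persist-credentials: false` on checkout, a `permissions: {}` default with job-level grants, and step outputs passed through `env` instead of inline `${{ }}`). The fragment below shows a weak workflow beside its corrected form so the effect of each finding is visible in one place. It is an added example, not the repository's own publish-image.yml: the job name, the image name, and the all-zero commit SHAs are placeholders (pinact would substitute the real SHAs).

```yaml
# BEFORE (constructed example): the shape zizmor flags
name: publish
on:
  push:
    tags: ['v*']
permissions: write-all            # workflow-wide, broader than any single job needs
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # mutable tag: a moved tag changes the code that runs
      - id: meta
        uses: docker/metadata-action@v5      # same issue
        with:
          images: example.invalid/campfire   # placeholder image name
      - name: Sign image tags
        run: |
          # step output substituted into the script text before the shell parses it
          cosign sign --yes ${{ steps.meta.outputs.tags }}
---
# AFTER (constructed example): the hardened form
name: publish
on:
  push:
    tags: ['v*']
permissions: {}                   # nothing by default; each job requests only what it needs
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write             # push to the registry
      id-token: write             # keyless cosign signing
    steps:
      # 40-zero SHA is a placeholder; pinact pins the tag to the real commit SHA
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps
      - id: meta
        uses: docker/metadata-action@0000000000000000000000000000000000000000 # v5
        with:
          images: example.invalid/campfire
      - name: Sign image tags
        env:
          TAGS: ${{ steps.meta.outputs.tags }}   # expanded into an env var, never into the script
        run: |
          # the shell receives the tags as data; one tag per line
          while IFS= read -r tag; do
            [ -n "$tag" ] && cosign sign --yes "$tag"
          done <<< "$TAGS"
```

The `env` change matters because `${{ }}` expressions are expanded by the runner before the shell ever sees the `run` script, so whatever the expression yields becomes part of the command text; read from an environment variable, the same value reaches the shell as a quoted string. The SHA pin and `permissions: {}` reduce what a compromised tag or an over-privileged job could do, which is the risk the commit message cites for each fix.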
24 lines
810 B
Ruby
# Run using bin/ci

CI.run do
  step "Setup", "bin/setup --skip-server"

  step "Style: Ruby", "bin/rubocop"
  step "Style: GitHub Actions (actionlint)", "actionlint"
  step "Style: GitHub Actions (zizmor)", "zizmor ."

  step "Security: Gem audit", "bin/bundler-audit"
  step "Security: Importmap vulnerability audit", "bin/importmap audit"
  step "Security: Brakeman code analysis", "bin/brakeman --quiet --no-pager --exit-on-warn --exit-on-error"

  step "Tests: Rails", "bin/rails test"
  step "Tests: System", "bin/rails test:system"
  step "Tests: Seeds", "env RAILS_ENV=test bin/rails db:seed:replant"

  if success?
    step "Signoff: All systems go. Ready for merge and deploy.", "gh signoff"
  else
    failure "Signoff: CI failed. Do not merge or deploy.", "Fix the issues and try again."
  end
end