Build out all 27 modules + capstone (#1)
Co-authored-by: claude <claude@jpaul.io> Co-committed-by: claude <claude@jpaul.io>
This commit was merged in pull request #1.
This commit is contained in:
@@ -0,0 +1,42 @@
|
||||
# ci-security.yml — the security gate as a CI step (Module 15).
|
||||
#
|
||||
# This is a PROVIDER-NEUTRAL snippet, not a drop-in file. The YAML below uses the widely-shared
|
||||
# "workflow / job / steps" shape that most hosted and self-hosted CI systems understand (the exact
|
||||
# top-level keys and runner labels follow whatever host you set up in Module 14). Copy the *steps*
|
||||
# into the pipeline you already have rather than adding a second, competing workflow.
|
||||
#
|
||||
# The contract is the same on every platform:
|
||||
# 1. check out the code
|
||||
# 2. install the scanners
|
||||
# 3. run the gate (security-scan.sh), which exits non-zero on any finding -> the job goes red
|
||||
#
|
||||
# Because the real logic lives in security-scan.sh, this file stays tiny and your local run and your
|
||||
# CI run can never drift apart.
|
||||
|
||||
name: security
|
||||
|
||||
on: [push, pull_request] # run on the same events as your Module 14 build/test job
|
||||
|
||||
jobs:
|
||||
security-scan:
|
||||
runs-on: ubuntu-latest # or your self-hosted runner label (Module 19)
|
||||
steps:
|
||||
- name: Check out the code
|
||||
uses: actions/checkout@v4
|
||||
# Secret scanning cares about history. If your tool scans commits (not just the working
|
||||
# tree), fetch full history here — e.g. set `with: { fetch-depth: 0 }`.
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.x"
|
||||
|
||||
- name: Install scanners
|
||||
run: pip install pip-audit detect-secrets
|
||||
|
||||
- name: Run the security gate
|
||||
run: |
|
||||
chmod +x security-scan.sh
|
||||
./security-scan.sh
|
||||
# Non-zero exit fails the job. Require this job to pass before merge (branch protection on
|
||||
# your remote, Module 8/10) and the gate actually has teeth.
|
||||
Reference in New Issue
Block a user