Skip to content

feat: add Kilo Gastown methodology spec and SAST tooling #942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
KooshaPari wants to merge 13 commits into from
Closed

feat: add Kilo Gastown methodology spec and SAST tooling #942

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
0f98bcc
Add Kilo Gastown methodology spec
Mar 31, 2026
3d28883
docs: resolve merge conflict in KILO_GASTOWN_SPEC.md
claude Mar 31, 2026
f44d1fd
ci: add SAST tooling (semgrep, trufflehog)
Apr 1, 2026
fa9c9d5
chore: add governance baselines, rulesets, and update security workflow
Apr 2, 2026
07c09bc
Merge origin/main into feat/kilo-gastown-spec-and-sast
Apr 2, 2026
faafc4f
ci: refresh sast and pr readiness tooling
Apr 2, 2026
52b6035
ci: fix models catalog refresh path
Apr 2, 2026
b460bab
fix: unblock secret scan and codex executor syntax
Apr 2, 2026
576b830
ci: tighten quick sast to pr delta and fix gofmt debt
Apr 2, 2026
eac2d7f
fix(security): clear semgrep findings on pr diff
Apr 2, 2026
d530d80
ci: harden governance and security baselines
Apr 2, 2026
39ba5a3
feat: apply phenotype governance standards
Apr 2, 2026
d9cff8a
feat: apply governance standards
Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions .github/RULESET_BASELINE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# cliproxyapi-plusplus Ruleset Baseline

Version: 2026-04-02
Ruleset JSON: `.github/rulesets/main.json`

## Changelog

- 2026-04-02: aligned the checked-in baseline with the repo-local governance wave, safer workflow pins, and the next required-check manifest pass.

This repository now has a checked-in baseline that matches the repaired remote `Main` ruleset.

## Enforced Branch Protection Baseline

- require pull requests before merge on the default branch
- no branch deletion
- no force push / non-fast-forward updates
- require at least 1 approval
- dismiss stale approvals on new push
- require code owner review
- require last push approval before merge
- require resolved review threads before merge
- allow merge methods: `merge`, `squash`
- enable GitHub `copilot_code_review`

## Repo-Local Governance Gates

The repo-local workflow set remains the main CI and policy contract:

- `policy-gate`
- `pr-path-guard`
- `pr-test-build`
- `required-check-names-guard`
- `quality-gate`
- `security-guard`
- `codeql`
- `sast-quick`
- `sast-full`

Current required check manifests:

- `.github/required-checks.txt`
- `.github/release-required-checks.txt`
- `.github/rulesets/main.json`

Those manifests should drive the next remote ruleset wave once the stable job names are re-verified
against live workflow output.
Comment on lines +39 to +46
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify manifest files exist and check their contents

echo "=== Checking for manifest files ==="
for manifest in ".github/required-checks.txt" ".github/release-required-checks.txt"; do
  if [[ -f "$manifest" ]]; then
    echo -e "\n✓ Found: $manifest"
    echo "Contents:"
    cat "$manifest"
  else
    echo -e "\n✗ Missing: $manifest"
  fi
done

echo -e "\n=== Cross-checking documented workflows against manifests ==="
documented_workflows=("policy-gate" "pr-path-guard" "pr-test-build" "required-check-names-guard" "quality-gate" "security-guard" "codeql" "sast-quick" "sast-full")

for workflow in "${documented_workflows[@]}"; do
  if grep -q "$workflow" .github/required-checks.txt 2>/dev/null || grep -q "$workflow" .github/release-required-checks.txt 2>/dev/null; then
    echo "$workflow found in manifests"
  else
    echo "$workflow not found in manifests"
  fi
done

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 1151

Manifest files exist but are incomplete—most documented workflows are missing.

Both .github/required-checks.txt and .github/release-required-checks.txt exist, but the manifest contents significantly diverge from the documented workflow names (lines 21-29). The manifests currently list only pr-test-build and pr-path-guard, while 7 documented workflows are absent: policy-gate, required-check-names-guard, quality-gate, security-guard, codeql, sast-quick, and sast-full. These manifests must be updated to align with the documented workflows before they can reliably drive the next ruleset wave.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/RULESET_BASELINE.md around lines 31 - 37, The manifests
`.github/required-checks.txt` and `.github/release-required-checks.txt` only
list `pr-test-build` and `pr-path-guard` but are missing the documented workflow
names; update both manifest files to include the full set of documented checks
(`policy-gate`, `required-check-names-guard`, `quality-gate`, `security-guard`,
`codeql`, `sast-quick`, `sast-full`, plus the existing `pr-test-build` and
`pr-path-guard`) so the manifests match the workflows listed in lines 21-29 and
can reliably drive the next ruleset wave. Ensure the names exactly match the
workflow job names used in the repository (case-sensitive) and save both
`.github/required-checks.txt` and `.github/release-required-checks.txt`.


## Exception Policy

- only documented billing or quota failures may be excluded from blocking CI evaluation
- review threads and blocking comments must be resolved before merge
- PRs must not rely on local `--no-verify` bypasses instead of server-side checks
Comment thread
coderabbitai[bot] marked this conversation as resolved.
9 changes: 9 additions & 0 deletions .github/release-required-checks.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,13 @@
# workflow_file|job_name
policy-gate.yml|enforce
pr-path-guard.yml|ensure-no-translator-changes
quality-gate.yml|verify
required-check-names-guard.yml|verify-required-check-names
security-guard.yml|ggshield-scan
sast-quick.yml|semgrep
sast-quick.yml|secrets
sast-quick.yml|go-quality
sast-quick.yml|license-check
Comment on lines +7 to +10
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as .github/required-checks.txt: the SAST quick entries reference job IDs, but the workflow uses job name: values ("Semgrep Scan", "Secret Scanning", etc.). This will cause required-check-names-guard to fail and can prevent required checks from matching actual check run names. Align the manifest values with the workflow job names (or align workflow job names with the IDs).

Suggested change
sast-quick.yml|semgrep
sast-quick.yml|secrets
sast-quick.yml|go-quality
sast-quick.yml|license-check
sast-quick.yml|Semgrep Scan
sast-quick.yml|Secret Scanning
sast-quick.yml|Go Quality
sast-quick.yml|License Check

Copilot uses AI. Check for mistakes.
pr-test-build.yml|go-ci
pr-test-build.yml|quality-ci
pr-test-build.yml|quality-staged-check
Expand Down
10 changes: 9 additions & 1 deletion .github/required-checks.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
# workflow_file|job_name
pr-test-build.yml|build
policy-gate.yml|enforce
pr-path-guard.yml|ensure-no-translator-changes
pr-test-build.yml|build
quality-gate.yml|verify
required-check-names-guard.yml|verify-required-check-names
security-guard.yml|ggshield-scan
sast-quick.yml|semgrep
sast-quick.yml|secrets
sast-quick.yml|go-quality
sast-quick.yml|license-check
Comment on lines +8 to +11
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The required-check manifest entries for the SAST quick workflow use job IDs (semgrep/secrets/go-quality/license-check), but the workflow defines explicit job name: values (e.g., "Semgrep Scan", "Secret Scanning"). The required-check-names-guard script greps for exact name: matches, so these entries will be reported as missing and the required check contexts may not match what GitHub emits. Update the manifest to the workflow job names or remove/align the job name: fields so they match.

Suggested change
sast-quick.yml|semgrep
sast-quick.yml|secrets
sast-quick.yml|go-quality
sast-quick.yml|license-check
sast-quick.yml|Semgrep Scan
sast-quick.yml|Secret Scanning
sast-quick.yml|Go Quality
sast-quick.yml|License Check

Copilot uses AI. Check for mistakes.
35 changes: 35 additions & 0 deletions .github/rulesets/main.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
{
"name": "Main",
"target": "branch",
"enforcement": "active",
"conditions": {
"ref_name": {
"include": ["~DEFAULT_BRANCH"],
"exclude": []
}
},
"bypass_actors": [],
"rules": [
{ "type": "deletion" },
{ "type": "non_fast_forward" },
{
"type": "pull_request",
"parameters": {
"required_approving_review_count": 1,
"dismiss_stale_reviews_on_push": true,
"required_reviewers": [],
"require_code_owner_review": true,
"require_last_push_approval": true,
"required_review_thread_resolution": true,
"allowed_merge_methods": ["merge", "squash"]
}
},
Comment thread
coderabbitai[bot] marked this conversation as resolved.
{
"type": "copilot_code_review",
"parameters": {
"review_on_push": true,
"review_draft_pull_requests": true
}
}
]
}
3 changes: 2 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@ jobs:
- name: Refresh models catalog
run: |
git fetch --depth 1 https://github.com/router-for-me/models.git main
git show FETCH_HEAD:models.json > internal/registry/models/models.json
mkdir -p pkg/llmproxy/registry/models
git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json
Comment on lines 14 to +16
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow now writes models.json to pkg/llmproxy/registry/models/models.json, but other CI workflows still reference internal/registry/models/models.json (a path that doesn’t exist in this repo). Consider aligning all workflows on the embedded path so required checks/build pipelines don’t diverge or fail due to missing directories.

Copilot uses AI. Check for mistakes.
Comment on lines +15 to +16
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify all workflow files using the models.json path

echo "=== Checking all workflows for models.json path references ==="
rg -n "models\.json" .github/workflows/

echo ""
echo "=== Checking go:embed directives for expected path ==="
rg -n "go:embed.*models" --type=go

Repository: KooshaPari/cliproxyapi-plusplus

Length of output: 851

Critical: Three other workflows still use the old models path and will fail.

This CI workflow correctly writes to pkg/llmproxy/registry/models/models.json to match the go:embed directive in pkg/llmproxy/registry/model_updater.go (line 27). However, three other workflow files still use the old path internal/registry/models/models.json:

  • .github/workflows/release.yaml (line 19)
  • .github/workflows/pr-test-build.yml (line 20)
  • .github/workflows/docker-image.yml (lines 19, 54)

These inconsistencies will cause build failures in release, PR test, and Docker image workflows because the embedded file won't exist at the expected path.

Required fixes for other workflows

Apply the same path update to all three files:

mkdir -p pkg/llmproxy/registry/models
-git show FETCH_HEAD:models.json > internal/registry/models/models.json
+git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 15 - 16, Update every CI workflow that
still writes or reads the old embedded models JSON path so it uses the new path
pkg/llmproxy/registry/models/models.json; specifically change any occurrences of
internal/registry/models/models.json in the workflows (release.yaml,
pr-test-build.yml, docker-image.yml) to pkg/llmproxy/registry/models/models.json
and ensure the step that extracts the file uses git show FETCH_HEAD:models.json
> pkg/llmproxy/registry/models/models.json to match the go:embed directive in
pkg/llmproxy/registry/model_updater.go.

Comment on lines +15 to +16
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow now writes the models catalog to pkg/llmproxy/registry/models/models.json, but other workflows (e.g. docker-image, pr-test-build, release) still write to internal/registry/models/models.json. Since the Go code embeds pkg/llmproxy/registry/models/models.json, consider updating the other workflows as well (or writing to both locations) to avoid builds/releases using a stale or missing embedded catalog.

Suggested change
mkdir -p pkg/llmproxy/registry/models
git show FETCH_HEAD:models.json > pkg/llmproxy/registry/models/models.json
mkdir -p pkg/llmproxy/registry/models internal/registry/models
git show FETCH_HEAD:models.json | tee pkg/llmproxy/registry/models/models.json > internal/registry/models/models.json

Copilot uses AI. Check for mistakes.
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
Expand Down
92 changes: 92 additions & 0 deletions .github/workflows/sast-full.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
name: SAST Full Analysis

on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:

permissions:
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

github/codeql-action/* typically requires actions: read permission (the existing codeql.yml includes it). sast-full.yml sets only contents: read and security-events: write, which may cause the CodeQL steps to fail with insufficient permissions in some repo/org settings.

Suggested change
permissions:
permissions:
actions: read

Copilot uses AI. Check for mistakes.
contents: read
security-events: write

jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
matrix:
language: [go, javascript]
steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: CodeQL matrix missing Go language.

The matrix lists [python, cpp, javascript] but this is primarily a Go codebase (per cargo clippy in sast-quick.yml, the AGENTS.md build instructions, and the codebase structure). Without go in the matrix, CodeQL will not analyze the core Go code, making the full SAST scan incomplete for this repository.

Suggested change
- uses: actions/checkout@v4
language: [go, python, javascript]

Note: also removed cpp since this doesn't appear to be a C++ project. Adjust if there is C++ code present.


- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4

Comment on lines +23 to +30
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow uses CodeQL action v3 (github/codeql-action/*@v3), but the existing .github/workflows/codeql.yml uses v4 (see .github/workflows/codeql.yml:24-36). Aligning on a single major version reduces maintenance overhead and avoids behavioral differences across workflows.

Copilot uses AI. Check for mistakes.
trivy-repo:
name: Trivy Repository Scan
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @master branch reference for trivy-action.

Pinning to a mutable branch (@master) introduces supply-chain risk and non-reproducible builds. If the upstream action is compromised or introduces breaking changes, your CI will silently adopt them.

Recommend pinning to a specific version tag or commit SHA:

      - uses: aquasecurity/trivy-action@v0.28.0

- uses: aquasecurity/trivy-action@v0.35.0
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
- name: Upload Trivy SARIF
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-results.sarif
category: trivy
Comment thread
coderabbitai[bot] marked this conversation as resolved.

full-semgrep:
name: Full Semgrep Analysis
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Semgrep
run: python -m pip install --disable-pip-version-check semgrep==1.157.0
- name: Run Semgrep
run: |
semgrep scan \
--config .semgrep-rules/ \
--config p/security-audit \
--config p/owasp-top-ten \
--config p/cwe-top-25 \
--error \
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in sast-quick: running Semgrep with --error will fail the scheduled full scan on any finding, including low-signal rules. If this workflow is intended to be informational (nightly signal) rather than gating, consider removing --error or filtering by severity / excluding the in-repo custom rules until noise is reduced.

Suggested change
--error \

Copilot uses AI. Check for mistakes.
--sarif \
--output semgrep.sarif \
.

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep-full

full-secrets:
name: Full Secret Scan
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@v3.94.2
with:
path: ./
extra_args: --only-verified
127 changes: 127 additions & 0 deletions .github/workflows/sast-quick.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
name: SAST Quick Check

on:
pull_request:
push:
branches: [main]

permissions:
contents: read
security-events: write

jobs:
semgrep:
name: Semgrep Scan
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install Semgrep
run: python -m pip install --disable-pip-version-check semgrep==1.157.0
- name: Run Semgrep
env:
EVENT_NAME: ${{ github.event_name }}
PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
HEAD_SHA: ${{ github.sha }}
run: |
set -euo pipefail

if [ "$EVENT_NAME" = "pull_request" ]; then
git fetch --no-tags --depth=1 origin "$PR_BASE_REF"
mapfile -t changed_files < <(
git diff --name-only --diff-filter=ACMR "origin/$PR_BASE_REF...$HEAD_SHA" -- \
'*.go' '*.yaml' '*.yml' '*.sh' '*.json' '*.ts' '*.tsx' '*.js' '*.jsx'
)
if [ "${#changed_files[@]}" -eq 0 ]; then
cat > semgrep.sarif <<'EOF'
{"version":"2.1.0","runs":[]}
EOF
exit 0
fi
semgrep scan \
--config .semgrep-rules/ \
--config p/security-audit \
--config p/owasp-top-ten \
--config p/cwe-top-25 \
--error \
--sarif \
--output semgrep.sarif \
"${changed_files[@]}"
Comment on lines +46 to +54
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep is invoked with --error, which will fail the job on findings. Given the repo includes INFO/LOW severity custom rules and the PR notes the custom ruleset may be noisy, this is likely to gate merges unexpectedly. If the intent is to upload SARIF without blocking, drop --error (or restrict failures to a severity threshold / only upstream packs until the rules are tuned).

Copilot uses AI. Check for mistakes.
else
semgrep scan \
--config .semgrep-rules/ \
--config p/security-audit \
--config p/owasp-top-ten \
--config p/cwe-top-25 \
--error \
--sarif \
--output semgrep.sarif \
.
fi

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep

secrets:
name: Secret Scanning
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@v3.94.2
with:
path: ./
extra_args: --only-verified

Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @main branch reference for trufflehog.

Pinning to @main introduces supply-chain risk and non-reproducible builds. Pin to a specific release tag or commit SHA for security:

      - uses: trufflesecurity/trufflehog@v3.82.12

go-quality:
name: Go Quality
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
- name: Enforce gofmt
run: |
if ! git ls-files -z '*.go' | grep -q .; then
exit 0
fi
unformatted=$(
git ls-files -z '*.go' |
xargs -0 gofmt -l
)
if [ -n "$unformatted" ]; then
echo "$unformatted"
exit 1
fi
Comment thread
coderabbitai[bot] marked this conversation as resolved.
- name: Run go vet
run: go vet ./...
Comment thread
coderabbitai[bot] marked this conversation as resolved.

license-check:
name: License Compliance
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache: true
- name: Capture dependency inventory
run: |
go list -m -f '{{if not .Main}}{{.Path}} {{.Version}}{{end}}' all | sort > license-inventory.txt
test -s license-inventory.txt
26 changes: 20 additions & 6 deletions .github/workflows/security-guard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,23 @@
name: security-guard
on: [workflow_dispatch]
name: Security Guard

on:
workflow_call:
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-guard.yml is now callable as a reusable workflow (workflow_call), but it relies on secrets.GITGUARDIAN_API_KEY. Reusable workflows only receive secrets that are explicitly declared under on.workflow_call.secrets and passed by the caller; otherwise this will be empty and the scan will fail unexpectedly.

Suggested change
workflow_call:
workflow_call:
secrets:
GITGUARDIAN_API_KEY:
required: true

Copilot uses AI. Check for mistakes.
secrets:
GITGUARDIAN_API_KEY:
required: true
workflow_dispatch:
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow is listed as a required check (security-guard.yml|ggshield-scan), but it only triggers via workflow_dispatch/workflow_call and is not invoked by any other workflow. As a result, PRs/branch updates won't automatically produce the required status check, potentially blocking merges unless run manually. Consider adding pull_request/push triggers (or wiring a caller workflow) or removing it from the required-check manifest if it should remain manual-only.

Suggested change
workflow_dispatch:
workflow_dispatch:
push:
pull_request:

Copilot uses AI. Check for mistakes.

jobs:
audit:
ggshield-scan:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
Comment thread
coderabbitai[bot] marked this conversation as resolved.
- uses: actions/checkout@v4
- name: Run security audit
run: echo "Security audit placeholder - no script available yet"
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
- name: Install ggshield
run: pip install ggshield==1.38.0
- name: Run ggshield secret scan
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
run: ggshield secret scan path . --recursive
Loading
Loading