skills: document file ownership as security layer #22
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: "22" | |
| - name: Install slack-bridge dependencies | |
| run: cd slack-bridge && npm ci | |
| - name: Test — bridge security (71 tests) | |
| run: cd slack-bridge && node --test security.test.mjs | |
| - name: Test — tool-guard (60 tests) | |
| run: cd pi/extensions && node --test tool-guard.test.mjs | |
| - name: Test — extension scanner (15 tests) | |
| run: cd bin && node --test scan-extensions.test.mjs | |
| - name: Test — safe-bash wrapper (24 tests) | |
| run: cd bin && bash hornet-safe-bash.test.sh | |
| - name: Test — log redaction (11 tests) | |
| run: cd bin && bash redact-logs.test.sh | |
| # security-audit.sh checks live system state (running services, firewall, | |
| # /proc mounts) that doesn't exist in CI. Run it locally instead: | |
| # cd bin && bash security-audit.test.sh | |
| secret-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install detect-secrets | |
| run: pip install detect-secrets | |
| - name: Check for new secrets | |
| run: | | |
| # Scan the repo and compare against the audited baseline. | |
| # Fails if any NEW secrets are found that aren't in the baseline. | |
| detect-secrets scan \ | |
| --baseline .secrets.baseline \ | |
| --exclude-files 'node_modules/.*' \ | |
| --exclude-files '\.git/.*' \ | |
| --exclude-files 'package-lock\.json' | |
| # Verify no unaudited secrets remain | |
| if detect-secrets audit --report --baseline .secrets.baseline 2>&1 | grep -q 'Unaudited'; then | |
| echo "❌ Unaudited secrets found — run: detect-secrets audit .secrets.baseline" | |
| exit 1 | |
| fi |
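Review bot: The secret-scan job cannot fail on new findings the way the comment above the `detect-secrets scan` invocation claims, because `detect-secrets scan --baseline` rewrites `.secrets.baseline` in place and exits 0; failing the build is what `detect-secrets-hook` does, so those lines should become `git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline --exclude-files 'node_modules/.*' --exclude-files 'package-lock\.json'` (the `\.git/.*` exclude becomes unnecessary since `git ls-files` never lists it). The follow-up `audit --report ... | grep -q 'Unaudited'` gate only trips if that exact word appears in the report, which I could not confirm for the tool's current output, and the step's own hint on the `echo` line invokes audit as `detect-secrets audit .secrets.baseline` rather than with `--baseline`, so the flag form should be checked against the CLI help as well. Because `pip install detect-secrets` is unpinned, the report format and flag set are whatever the day's release emits; pinning it (`pip install detect-secrets==<pinned-version>`) and matching the report's actual category names would make the gate deterministic. Note also that the `if ... | grep -q` condition discards the audit command's own exit status, so a crash in `audit` reads as "no unaudited secrets" and the job goes green.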