From 694a0be0faa4721d33ab2edecff38d484b9c6fdb Mon Sep 17 00:00:00 2001
From: Saravana Achu Mac
Date: Tue, 5 May 2026 13:34:05 -0700
Subject: [PATCH] ci(security): add release guard audits

---
 .github/workflows/ci.yml | 24 ++++++++++++++++
 package.json | 1 +
 scripts/release-guard-audit.sh | 50 ++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100755 scripts/release-guard-audit.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0434c1d..963a3ae 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,30 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ release-guards:
+ name: Release guards — secrets + token/color drift
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Checkout common-plat guard scripts
+ uses: actions/checkout@v4
+ with:
+ repository: saravanakumardb1/learning_ai_common_plat
+ path: learning_ai_common_plat
+ token: ${{ secrets.GH_PAT }}
+
+ - name: Link common-platform workspace path
+ run: |
+ mkdir -p ../learning_ai
+ ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai/learning_ai_common_plat
+
+ - name: Install audit tools
+ run: sudo apt-get update && sudo apt-get install -y ripgrep
+
+ - name: Run release guard audit
+ run: COMMON_PLAT="$GITHUB_WORKSPACE/learning_ai_common_plat" bash scripts/release-guard-audit.sh
+
 backend:
 name: Backend — typecheck + test + build
 runs-on: ubuntu-latest
diff --git a/package.json b/package.json
index ea043ca..3f8c635 100644
--- a/package.json
+++ b/package.json
@@ -8,6 +8,7 @@
 "build": "pnpm --filter @notelett/backend run build && pnpm --filter @notelett/web run build",
 "smoke:local": "bash scripts/local-smoke.sh",
 "smoke:compose": "bash scripts/compose-smoke.sh",
+ "audit:release-guards": "bash scripts/release-guard-audit.sh",
 "verify": "pnpm run typecheck && pnpm run test && pnpm run build",
 "prepare": "husky"
 },
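Review bot: The second checkout pulls `saravanakumardb1/learning_ai_common_plat` at whatever its default branch currently is, and the final step then executes `secret-scan-repo.sh` out of that checkout, so this release gate runs code from another repository at an unpinned ref; add `ref: <tag-or-commit placeholder>` to that step so a change over there cannot silently alter or disable the gate. The same step also leaves `GH_PAT` in the nested checkout's `.git/config` for the rest of the job (`persist-credentials` defaults to true) although, as far as the listed steps show, nothing afterwards needs to authenticate to that repo — set `persist-credentials: false`, and prefer a fine-grained read-only token for that secret. Both `actions/checkout@v4` references are pinned only by major tag; pinning to a commit SHA is the usual hardening for a job whose purpose is a security gate. The `jobs:` mapping this is inserted into continues past the hunk.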
diff --git a/scripts/release-guard-audit.sh b/scripts/release-guard-audit.sh
new file mode 100755
index 0000000..240d12d
--- /dev/null
+++ b/scripts/release-guard-audit.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Release guard checks for secrets, hardcoded colors, and client-side token/API drift.
+
+set -euo pipefail
+
+ROOT="$(git rev-parse --show-toplevel)"
+cd "$ROOT"
+
+COMMON_PLAT="${COMMON_PLAT:-$ROOT/../learning_ai/learning_ai_common_plat}"
+if [[ ! -d "$COMMON_PLAT" && -d "$ROOT/../learning_ai_common_plat" ]]; then
+ COMMON_PLAT="$ROOT/../learning_ai_common_plat"
+fi
+
+echo "=== Secret scan ==="
+if [[ -x "$COMMON_PLAT/scripts/secret-scan-repo.sh" ]]; then
+ (cd "$ROOT" && bash "$COMMON_PLAT/scripts/secret-scan-repo.sh")
+else
+ bash scripts/secret-scan-repo.sh
+fi
+
+echo "=== Hardcoded color audit ==="
+color_matches="$(
+ rg -n '#[0-9a-fA-F]{3,8}|rgba?\(' web/src mobile/src \
+ --glob '!**/*.test.*' \
+ --glob '!**/tokens.*' \
+ --glob '!**/*.d.ts' || true
+)"
+if [[ -n "$color_matches" ]]; then
+ echo "Hardcoded colors found outside tests/token files:" >&2
+ echo "$color_matches" >&2
+ exit 1
+fi
+echo "✓ No hardcoded hex/rgb colors found in web/mobile product code."
+
+echo "=== Hardcoded token audit ==="
+token_matches="$(
+ rg -n 'ghp_[A-Za-z0-9_]{20,}|gitea[_-]?[A-Za-z0-9_]{20,}|npm_[A-Za-z0-9_]{20,}|Authorization: Bearer [A-Za-z0-9._-]{20,}' \
+ --glob '!node_modules/**' \
+ --glob '!docs/**' \
+ --glob '!*.md' || true
+)"
+if [[ -n "$token_matches" ]]; then
+ echo "Hardcoded token-like values found:" >&2
+ echo "$token_matches" >&2
+ exit 1
+fi
+
+echo "✓ No hardcoded token-like values found."
+
+echo "Release guard audit passed."
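Review bot: The `|| true` after both `rg` calls also discards ripgrep's exit status 2, so a tool error (for instance `mobile/src` being absent, or a bad glob) can leave `color_matches` / `token_matches` empty and the audit still prints its ✓ line and exits 0 — the gate fails open. Capture the status instead and fail on anything other than 0 (match) or 1 (no match); the rewrite below shows the color audit, and the token audit needs the same treatment. The token sweep also runs with ripgrep's defaults, which skip hidden files, so a committed `.npmrc` or `.env*` is never examined — add `--hidden --glob '!.git/**'` (and, in the CI job this patch adds, an exclusion for the `learning_ai_common_plat/` checkout, which sits under `$ROOT` and would otherwise be swept too). Finally, `echo "$token_matches" >&2` copies every matched line, token value included, into the CI log; printing only `file:line`, e.g. `printf '%s\n' "$token_matches" | cut -d: -f1,2 >&2`, reports the finding without republishing the value.
```shell
echo "=== Hardcoded color audit ==="
rc=0
color_matches="$(
  rg -n '#[0-9a-fA-F]{3,8}|rgba?\(' web/src mobile/src \
    --glob '!**/*.test.*' \
    --glob '!**/tokens.*' \
    --glob '!**/*.d.ts'
)" || rc=$?
# rg: 0 = matches, 1 = no matches; anything else is a tool error and must not pass the gate
if (( rc > 1 )); then
  echo "rg failed (exit $rc) during color audit" >&2
  exit 1
fi
# … unchanged: color_matches check and ✓ message …
```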