bytelyst/learning_ai_notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci(security): add release guard audits

Browse Source
This commit is contained in:
Saravana Achu Mac 2026-05-05 13:34:05 -07:00
parent a29efd56c9
commit 694a0be0fa
3 changed files with 75 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.github/workflows/ci.yml vendored
View File

@ -11,6 +11,30 @@ concurrency:
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
release-guards:
name: Release guards — secrets + token/color drift
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout common-plat guard scripts
uses: actions/checkout@v4
with:
repository: saravanakumardb1/learning_ai_common_plat
path: learning_ai_common_plat
token: ${{ secrets.GH_PAT }}
- name: Link common-platform workspace path
run: |
mkdir -p ../learning_ai
ln -sfn "$GITHUB_WORKSPACE/learning_ai_common_plat" ../learning_ai/learning_ai_common_plat
- name: Install audit tools
run: sudo apt-get update && sudo apt-get install -y ripgrep
- name: Run release guard audit
run: COMMON_PLAT="$GITHUB_WORKSPACE/learning_ai_common_plat" bash scripts/release-guard-audit.sh
backend: backend:
name: Backend — typecheck + test + build name: Backend — typecheck + test + build
runs-on: ubuntu-latest runs-on: ubuntu-latest

1
package.json
View File

@ -8,6 +8,7 @@
"build": "pnpm --filter @notelett/backend run build && pnpm --filter @notelett/web run build", "build": "pnpm --filter @notelett/backend run build && pnpm --filter @notelett/web run build",
"smoke:local": "bash scripts/local-smoke.sh", "smoke:local": "bash scripts/local-smoke.sh",
"smoke:compose": "bash scripts/compose-smoke.sh", "smoke:compose": "bash scripts/compose-smoke.sh",
"audit:release-guards": "bash scripts/release-guard-audit.sh",
"verify": "pnpm run typecheck && pnpm run test && pnpm run build", "verify": "pnpm run typecheck && pnpm run test && pnpm run build",
"prepare": "husky" "prepare": "husky"
}, },

50
scripts/release-guard-audit.sh Executable file
View File

@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Release guard checks for secrets, hardcoded colors, and client-side token/API drift.
set -euo pipefail
ROOT="$(git rev-parse --show-toplevel)"
cd "$ROOT"
COMMON_PLAT="${COMMON_PLAT:-$ROOT/../learning_ai/learning_ai_common_plat}"
if [[ ! -d "$COMMON_PLAT" && -d "$ROOT/../learning_ai_common_plat" ]]; then
COMMON_PLAT="$ROOT/../learning_ai_common_plat"
fi
echo "=== Secret scan ==="
if [[ -x "$COMMON_PLAT/scripts/secret-scan-repo.sh" ]]; then
(cd "$ROOT" && bash "$COMMON_PLAT/scripts/secret-scan-repo.sh")
else
bash scripts/secret-scan-repo.sh
fi
echo "=== Hardcoded color audit ==="
color_matches="$(
rg -n '#[0-9a-fA-F]{3,8}|rgba?\(' web/src mobile/src \
--glob '!**/*.test.*' \
--glob '!**/tokens.*' \
--glob '!**/*.d.ts' || true
)"
if [[ -n "$color_matches" ]]; then
echo "Hardcoded colors found outside tests/token files:" >&2
echo "$color_matches" >&2
exit 1
fi
echo "✓ No hardcoded hex/rgb colors found in web/mobile product code."
echo "=== Hardcoded token audit ==="
token_matches="$(
rg -n 'ghp_[A-Za-z0-9_]{20,}|gitea[_-]?[A-Za-z0-9_]{20,}|npm_[A-Za-z0-9_]{20,}|Authorization: Bearer [A-Za-z0-9._-]{20,}' \
--glob '!node_modules/**' \
--glob '!docs/**' \
--glob '!*.md' || true
)"
if [[ -n "$token_matches" ]]; then
echo "Hardcoded token-like values found:" >&2
echo "$token_matches" >&2
exit 1
fi
echo "✓ No hardcoded token-like values found."
echo "Release guard audit passed."