Create ci.yml
Browse files- .github/workflows/ci.yml +100 -0
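--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,100 @@
+name: CI
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  test-and-secure:
+    runs-on: ubuntu-latest
+
+    env:
+      # Safe fallback for CI only (matches your app behavior)
+      ALLOW_DEV_SALT: "true"
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Cache pip dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest ruff bandit pip-audit
+
+      - name: Lint (Ruff)
+        run: |
+          ruff check .
+
+      - name: Format Check (Ruff)
+        run: |
+          ruff format --check .
+
+      - name: Security Scan (Bandit)
+        run: |
+          bandit -r osint_core/ -ll
+
+      - name: Dependency Audit (pip-audit)
+        run: |
+          pip-audit
+
+      - name: Run Tests (Pytest)
+        run: |
+          pytest -v --tb=short
+
+  drift-guard:
+    runs-on: ubuntu-latest
+    needs: test-and-secure
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Verify critical files exist
+        run: |
+          test -f osint_core/intent.py
+          test -f osint_core/policy.py
+          test -f osint_core/validators.py
+
+      - name: Prevent forbidden tools from entering repo
+        run: |
+          if grep -R -E "nmap|masscan|sqlmap|metasploit" .; then
+            echo "❌ Forbidden tooling detected"
+            exit 1
+          fi
+
+      - name: Enforce passive-first invariant
+        run: |
+          if grep -R "requests.get(" osint_core/ | grep -v "authorized"; then
+            echo "⚠️ Potential unauthorized outbound request"
+            exit 1
+          fi
+
+      - name: Validate YAML integrity
+        run: |
+          python -c "import yaml, sys; yaml.safe_load(open('data/sources.yaml'))"
+
+      - name: Check for raw indicator leakage
+        run: |
+          if grep -R -E "example\.com|@gmail\.com|192\.168\." osint_core/; then
+            echo "⚠️ Possible raw indicator leakage"
+            exit 1
+          fi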
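Review bot: The forbidden-tooling check at file line 79 runs `grep -R` over `.` from the repository root, so it matches its own pattern string inside `.github/workflows/ci.yml` (and anything under `.git/`) and will fail on every run. Scope the search away from the workflow and git metadata, e.g. `if grep -R -E --exclude-dir=.git --exclude-dir=.github "nmap|masscan|sqlmap|metasploit" .; then`. The passive-first check at line 86 has a related weakness: `grep -v "authorized"` excuses any line that merely contains that word, and the unescaped `.` in `requests.get(` is a regex wildcard, so `grep -R -F "requests.get(" osint_core/` with an explicit allow-marker comment such as `# authorized-outbound` would be more deliberate. The drift-guard job installs nothing, so line 93 appears to rely on PyYAML being present in the runner's system Python; if that is not guaranteed, add a setup-python step and `pip install pyyaml` before it. Separately, all three actions are pinned to floating major tags (`@v4`, `@v5`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow that installs and runs dependency audits.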