chore: remove disabled workflows, keep only build-iso
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
059913d3dd
commit
5af4c71ab7
@ -1,45 +0,0 @@
|
|||||||
name: Nightly Security Review
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '47 1 * * *'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
security-review:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Install Claude Code
|
|
||||||
run: npm install -g @anthropic-ai/claude-code
|
|
||||||
|
|
||||||
- name: Run security review on recent changes
|
|
||||||
env:
|
|
||||||
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
|
||||||
run: |
|
|
||||||
CHANGED=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || echo "")
|
|
||||||
if [ -z "$CHANGED" ]; then
|
|
||||||
echo "No recent changes to review"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
claude --print "Run a security review focused on these recently changed files:
|
|
||||||
$CHANGED
|
|
||||||
|
|
||||||
Check for:
|
|
||||||
- Constant-time comparison violations in crypto code
|
|
||||||
- Private key material in logs or error messages
|
|
||||||
- Floating-point Bitcoin amounts (must be integer sats)
|
|
||||||
- eval() or unsafe blocks without SAFETY comments
|
|
||||||
- Hardcoded credentials or secrets
|
|
||||||
- Missing input validation at API boundaries
|
|
||||||
|
|
||||||
Output a structured report with severity levels.
|
|
||||||
If any CRITICAL issues found, exit with code 1." > security-report.txt 2>&1
|
|
||||||
|
|
||||||
cat security-report.txt
|
|
||||||
|
|
||||||
if grep -qi "critical" security-report.txt; then
|
|
||||||
echo "::error::Critical security issues found — review security-report.txt"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
@ -1,29 +0,0 @@
|
|||||||
name: Weekly Dependency Audit
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
- cron: '13 2 * * 0'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
audit:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Rust dependency audit
|
|
||||||
run: |
|
|
||||||
cargo install cargo-audit 2>/dev/null || true
|
|
||||||
echo "=== Cargo Audit ==="
|
|
||||||
cargo audit 2>&1 | tee cargo-audit.txt || true
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "=== Version Pinning Check ==="
|
|
||||||
grep -n '"\*"' Cargo.toml || echo "No wildcard versions found"
|
|
||||||
|
|
||||||
- name: Check for critical vulnerabilities
|
|
||||||
run: |
|
|
||||||
if grep -qi "RUSTSEC.*critical\|vulnerability found" cargo-audit.txt 2>/dev/null; then
|
|
||||||
echo "::error::Critical Rust dependency vulnerabilities found"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
echo "No critical vulnerabilities detected"
|
|
||||||
Loading…
x
Reference in New Issue
Block a user