4e54b8bd4d
- Added YAML frontmatter to all 8 polish-* skills and sweep skill so Claude can auto-invoke them - New bitcoin-conventions skill with PROUX UX methodology, sats display, address validation, Tor preferences, Lightning patterns - Path-specific rules for containers (security hardening) and frontend (Vue/glassmorphism conventions) - Gitea Actions: nightly security review and weekly dependency audit Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
46 lines
1.4 KiB
YAML
46 lines
1.4 KiB
YAML
name: Nightly Security Review
|
|
on:
|
|
schedule:
|
|
- cron: '47 1 * * *'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security-review:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Claude Code
|
|
run: npm install -g @anthropic-ai/claude-code
|
|
|
|
- name: Run security review on recent changes
|
|
env:
|
|
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
|
|
run: |
|
|
CHANGED=$(git diff --name-only HEAD~1..HEAD 2>/dev/null || echo "")
|
|
if [ -z "$CHANGED" ]; then
|
|
echo "No recent changes to review"
|
|
exit 0
|
|
fi
|
|
|
|
claude --print "Run a security review focused on these recently changed files:
|
|
$CHANGED
|
|
|
|
Check for:
|
|
- Constant-time comparison violations in crypto code
|
|
- Private key material in logs or error messages
|
|
- Floating-point Bitcoin amounts (must be integer sats)
|
|
- eval() or unsafe blocks without SAFETY comments
|
|
- Hardcoded credentials or secrets
|
|
- Missing input validation at API boundaries
|
|
|
|
Output a structured report with severity levels.
|
|
If any CRITICAL issues found, exit with code 1." > security-report.txt 2>&1
|
|
|
|
cat security-report.txt
|
|
|
|
if grep -qi "critical" security-report.txt; then
|
|
echo "::error::Critical security issues found — review security-report.txt"
|
|
exit 1
|
|
fi
|