Add supply-chain security gates#83
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c589587a62
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| fetch-depth: 0 | ||
|
|
||
| - name: Scan repository for secrets | ||
| uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2 |
There was a problem hiding this comment.
Pass GITHUB_TOKEN into gitleaks on PRs
On pull_request runs, gitleaks-action v2's ScanPullRequest path exits when process.env.GITHUB_TOKEN is absent; its upstream usage example explicitly passes env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}. This job only grants token permissions, which does not create that environment variable, so every PR run will fail in the first gate before scanning or reaching later jobs. Add the env mapping (with the existing read permissions) or switch to a scan invocation that does not need the PR API.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Added the required token mapping. Gitleaks now passes on pull requests.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 323596eb9e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| version: "0.11.28" | ||
|
|
||
| - name: Audit locked Python dependencies | ||
| run: uv audit --frozen |
There was a problem hiding this comment.
Reject stale lockfiles before auditing
For PRs that edit pyproject.toml but forget to update uv.lock, uv audit --frozen audits the existing lockfile as the source of truth without checking it is current; the uv CLI docs describe --frozen this way and reserve --locked for asserting the lockfile remains up to date. That lets newly declared vulnerable dependencies avoid this required audit until the lock is refreshed, so run a lock check or use uv audit --locked before treating the result as merge-blocking.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Changed the audit to verify the lockfile is current before scanning.
|
@codex review |
|
Codex Review: Didn't find any major issues. Breezy! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7d0c9a4921
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| IMAGE_NAME: ${{ github.repository }} | ||
|
|
||
| jobs: | ||
| gitleaks: |
There was a problem hiding this comment.
Run the secret scan on every file change
Because this new Gitleaks job is inside the existing push/pull_request paths allowlist, it only runs when the changed files match that list. A PR that adds a credential to an unlisted file such as README.md, .env, or another documentation/config file will not start this job at all, so the secret can merge before any scan sees it. Move the secret scan to an unfiltered workflow or remove/expand the path filters for this job.
Useful? React with 👍 / 👎.
| version: "0.11.28" | ||
|
|
||
| - name: Audit locked Python dependencies | ||
| run: uv audit --locked |
There was a problem hiding this comment.
Audit the scenario-test workspace dependencies
This root-level uv audit --locked audits the current project's dependencies, but the repo also defines scenario-tests as a uv workspace member and the e2e job installs it with uv sync --package scenario-tests. Dependencies used only by that member, such as behave or future scenario-only packages, can therefore be locked and executed in CI without being covered by this audit gate; add an audit for the scenario-tests project/member as well.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Added a separate audit for the scenario-test workspace dependencies.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1ede95d74c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - project: application | ||
| audit-args: "" | ||
| - project: scenario-tests | ||
| audit-args: --package scenario-tests |
There was a problem hiding this comment.
Replace unsupported uv audit package flag
When this matrix row runs, the command expands to uv audit --locked --package scenario-tests. I checked the official uv audit CLI reference, and it lists selectors like --project/--directory but no --package option for uv audit, so this scenario-tests leg exits with a usage error before any audit runs. Because build now needs dependency-audit, this blocks every matching CI run.
Useful? React with 👍 / 👎.
|



Closes #23.
Adds blocking supply-chain checks for secrets, Dockerfiles, workflows, Python dependencies, pull-request dependency changes, and built container images.
Validated with actionlint, Hadolint, and
git diff --check.