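# Copyright 2026 Phillip Cloud
# Licensed under the Apache License, Version 2.0
#
# Security workflow. A change-detection job gates four scanners (govulncheck,
# osv-scanner, trufflehog, CodeQL) and a final `result` job folds their
# outcomes into the one status a branch-protection rule can require.
#
# Every job is wrapped in step-security/harden-runner with `egress-policy:
# block`, so the `allowed-endpoints` list of a job is the complete set of
# hosts its tools are permitted to reach. A host missing from the list shows
# up as a blocked connection in the harden-runner report rather than as a
# silent fallback; keep that in mind when adding or upgrading a tool.
---
name: Security

on: # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege by default. Only the codeql job elevates (security-events:
# write, needed for the SARIF upload); every other job keeps read-only.
permissions:
  contents: read

jobs:
  changes:
    name: Detect Changes
    runs-on: blacksmith-2vcpu-ubuntu-2404
    outputs:
      go: ${{ steps.detect.outputs.go }}
      ci: ${{ steps.detect.outputs.ci }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          disable-sudo-and-containers: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Only the detection script is checked out, and the job token is not
          # persisted into the checkout, so later steps run with no git
          # credentials.
          sparse-checkout: .github/detect-ci-changes.bash
          sparse-checkout-cone-mode: false
          persist-credentials: false
      - name: Check for changes
        id: detect
        # Event data reaches the script through env vars, never interpolated
        # into the `run:` text, so no event field can alter the shell command
        # (template-injection hygiene). GH_TOKEN is the read-only job token.
        env:
          GH_TOKEN: ${{ github.token }}
          EVENT_NAME: ${{ github.event_name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          BEFORE_SHA: ${{ github.event.before }}
          HEAD_SHA: ${{ github.sha }}
        run: |
          bash .github/detect-ci-changes.bash \
            "$EVENT_NAME" "$PR_NUMBER" "$BEFORE_SHA" "$HEAD_SHA" >> "$GITHUB_OUTPUT"

  govulncheck:
    name: Vulnerability Check
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: blacksmith-4vcpu-ubuntu-2404
    concurrency:
      group: security-govulncheck-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          # sudo/containers are deliberately left enabled in this job —
          # presumably because install-nix-action needs sudo; confirm before
          # tightening to disable-sudo-and-containers like the other jobs.
          allowed-endpoints: >
            api.github.com:443
            cache.nixos.org:443
            github.com:443
            proxy.golang.org:443
            releases.nixos.org:443
            storage.googleapis.com:443
            vuln.go.dev:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31.10.4
      - name: Run govulncheck
        # The govulncheck pin lives in the flake, not here.
        run: nix run '.#govulncheck'

  osv-scanner:
    name: OSV Scan
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: blacksmith-4vcpu-ubuntu-2404
    concurrency:
      group: security-osv-scanner-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    env:
      CGO_ENABLED: "0"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          disable-sudo-and-containers: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            github.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
            sum.golang.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.26"
      - name: Install osv-scanner
        # Pinned to a release tag. Tags are mutable, but `go install` checks
        # the module against the checksum database (sum.golang.org, allowed
        # above), so a silently re-pointed tag fails rather than installs.
        run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@v2.3.5
      - name: Run osv-scanner
        # --no-ignore also scans paths excluded by .gitignore;
        # --no-call-analysis=go reports Go advisories even where call-graph
        # analysis would mark them unreachable (conservative on purpose).
        # Accepted findings are recorded in osv-scanner.toml.
        run: osv-scanner scan --config osv-scanner.toml --no-ignore --no-call-analysis=go --recursive .

  secrets:
    name: Secret Scan
    needs: changes
    # Gated on `ci`, not `go`. This assumes the detection script reports
    # ci=true for any change worth scanning — otherwise a secret committed in
    # a .go file alone would never be scanned. TODO confirm against
    # .github/detect-ci-changes.bash.
    if: needs.changes.outputs.ci == 'true'
    runs-on: blacksmith-4vcpu-ubuntu-2404
    concurrency:
      group: security-secrets-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          # Containers stay enabled: the trufflehog action runs as an image
          # pulled from ghcr.io (hence the two registry endpoints).
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Full history: the trufflehog action scans commits, not just the
          # working tree, so a shallow clone would miss older leaks.
          fetch-depth: 0
          persist-credentials: false
      - uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6 # v3.94.3
        with:
          # The egress allowlist above contains no detector verification
          # endpoint (not even api.github.com), so live verification of a
          # candidate secret cannot succeed from this job; under the block
          # policy the verification request fails and trufflehog classifies
          # the finding as `unknown`. The previous `--only-verified`
          # (an alias of `--results=verified`) would therefore drop every
          # finding and the job would pass vacuously. Keeping `unknown`
          # surfaces those candidates instead. Narrow back to
          # `--results=verified` only once the relevant provider endpoints
          # are added to allowed-endpoints.
          extra_args: --results=verified,unknown

  codeql:
    name: CodeQL (Go)
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: blacksmith-4vcpu-ubuntu-2404
    concurrency:
      group: security-codeql-${{ github.ref }}
      cancel-in-progress: ${{ github.event_name == 'pull_request' }}
    # The only job that writes anything: the SARIF upload in the analyze step
    # needs security-events: write. Note that pull_request runs from forks
    # receive a read-only token regardless of this declaration.
    permissions:
      contents: read
      security-events: write
    env:
      CGO_ENABLED: "0"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          deploy-on-self-hosted-vm: true
          egress-policy: block
          disable-telemetry: true
          disable-sudo-and-containers: true
          # NOTE(review): sum.golang.org is allowed for osv-scanner but not
          # here. `go build ./...` only contacts the checksum database for
          # modules absent from go.sum, so with a complete go.sum this is
          # fine; a go.sum gap would surface as a blocked egress rather than
          # a build against an unverified module.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            proxy.golang.org:443
            release-assets.githubusercontent.com:443
            storage.googleapis.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.26"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: go
          # Manual build mode: the explicit `go build ./...` below is the
          # build CodeQL traces, so anything not covered by it is not
          # analyzed.
          build-mode: manual
      - name: Build
        run: go build ./...
      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

  result:
    name: Security Result
    # always(): this job must run even when an upstream job failed or was
    # cancelled, otherwise it could never report that failure as the single
    # required status check.
    if: always()
    needs: [changes, govulncheck, osv-scanner, secrets, codeql]
    # GitHub-hosted runner (floating `ubuntu-latest`), unlike the pinned
    # blacksmith images above; nothing is built here, so that is acceptable.
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          egress-policy: block
          disable-telemetry: true
          disable-sudo-and-containers: true
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      # Fail on any failed or cancelled dependency. A `skipped` scanner (no
      # relevant change detected) counts as success by design; a failed
      # `changes` job is caught here too, since it is listed in `needs`.
      - run: exit 1
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')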