
ci: add strict security and quality pipeline #6

Merged
LearningCircuit merged 7 commits into main from security-ci
Apr 6, 2026

Conversation

@LearningCircuit
Owner

Summary

Adds a strict security and quality CI pipeline. Mirrors the relevant subset of LDR's CI, scoped down to what makes sense for a small data+scripts repo.

New workflows

| Workflow | Purpose |
| --- | --- |
| mypy.yml | Strict type-checking (`strict = true`) of `scripts/` and `tests/` |
| codeql.yml | GitHub-native static analysis (`security-extended` + `security-and-quality` queries) |
| gitleaks.yml | Secret scanning on PR + daily — replaces the hand-rolled regex in `validate_yamls.py` long-term |
| zizmor.yml | GitHub Actions workflow security linter (template injection, ArtiPACKED, unpinned actions, ...) |
| osv-scanner.yml | Dependency vulnerability scanning |
| semgrep.yml | Pattern-based static analysis (default + python + security-audit + secrets + owasp-top-ten rulesets) |
| ossf-scorecard.yml | Supply-chain hygiene + badge |

Strict configs

  • `pyproject.toml`: ruff with `E, W, F, I, B, UP, SIM, S, C4, RUF, PTH, PL, TRY` rulesets; mypy with `strict = true`
  • `.yamllint.yaml`: line-length 120 as error, truthy as error

Notes

  • All workflows use pinned commit SHAs for third-party actions and `step-security/harden-runner` (egress-policy: audit), matching LDR's convention.
  • mypy and ruff strict configs may surface issues in the existing scripts on first run — will iterate in this PR until everything is green.

Test plan

  • All new workflows pass
  • Existing `validate.yml` still passes (pre-commit picks up the stricter yamllint and ruff configs)

Adds:
- pyproject.toml with strict ruff (E,W,F,I,B,UP,SIM,S,C4,RUF,PTH,PL,TRY)
  and strict mypy
- Tighter .yamllint.yaml (line-length=120 error, truthy=error)
- mypy.yml — type-checks scripts/ and tests/
- codeql.yml — security-extended + security-and-quality queries
- gitleaks.yml — secret scanning on PR + daily
- zizmor.yml — GitHub Actions workflow security linter
- osv-scanner.yml — dependency vulnerability scan
- semgrep.yml — pattern-based static analysis
  (default + python + security-audit + secrets + owasp-top-ten)
- ossf-scorecard.yml — supply-chain hygiene
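The notes above rely on two workflow conventions: every third-party action is pinned to a full commit SHA, and each job starts with `step-security/harden-runner` so the egress policy is active before any other action runs. The following is an added example, not code from this PR or its repository, of a minimal line-based pre-commit style check for those two properties (zizmor covers the first one more thoroughly). The function names, the embedded sample workflow and its all-zero / all-one placeholder SHAs are constructed for illustration.

```python
"""Check GitHub Actions workflow text for unpinned third-party actions and
for a leading step-security/harden-runner step in every job.

Added example, not the repository's own tooling. It scans lines with a
regex instead of a YAML parser so it runs with the standard library only.
"""
import re

# A fully pinned action reference ends in a 40-hex-character commit SHA.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches a `uses:` line and captures the action reference (quotes optional,
# trailing comments excluded).
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
_STEPS_RE = re.compile(r"^\s*steps:\s*$")

# Constructed sample workflow: job "lint" follows the convention except for
# one tag-pinned action; job "scan" pins correctly but lacks harden-runner.
SAMPLE_WORKFLOW = """\
name: sample
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - name: Run linter
        run: echo lint
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111  # placeholder SHA
      - uses: docker://alpine:3.19
"""


def find_unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every `uses:` not pinned to a
    full commit SHA. Local actions (./path) and docker:// images are skipped
    because the SHA-pinning rule does not apply to them."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not _SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def steps_without_harden_runner(workflow_text: str) -> list[int]:
    """Return the line numbers of `steps:` blocks whose first action is not
    step-security/harden-runner (or that contain no action at all)."""
    violations: list[int] = []
    pending_steps_line: int | None = None
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if _STEPS_RE.match(line):
            if pending_steps_line is not None:
                violations.append(pending_steps_line)  # previous job had no `uses:`
            pending_steps_line = lineno
            continue
        m = _USES_RE.match(line)
        if m and pending_steps_line is not None:
            if not m.group(1).startswith("step-security/harden-runner@"):
                violations.append(pending_steps_line)
            pending_steps_line = None
    if pending_steps_line is not None:
        violations.append(pending_steps_line)
    return violations


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a commit SHA: {ref}")
    for lineno in steps_without_harden_runner(SAMPLE_WORKFLOW):
        print(f"line {lineno}: job does not start with step-security/harden-runner")
```

Run against the sample it reports `actions/checkout@v4` on line 12 and the `scan` job's `steps:` block on line 18. Because it is line-based it will not follow YAML anchors or multi-line strings; it is a quick gate to run before pushing, not a replacement for the zizmor.yml workflow.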
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@LearningCircuit LearningCircuit merged commit fe48286 into main Apr 6, 2026
11 checks passed