Merged
14 changes: 14 additions & 0 deletions .github/workflows/dco_check.yml
@@ -0,0 +1,14 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: DCO Check

on:
pull_request:

jobs:
dco:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: tim-actions/dco@master
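Review bot: this workflow sets no permissions: block, so GITHUB_TOKEN receives the repository's default scope for a job that only needs to read pull-request commits; add permissions: contents: read at the top (plus pull-requests: read only if the action documents needing it), as dependency-review.yml in this same PR already does. The reference - uses: tim-actions/dco@master should be pinned to a full commit SHA with the release tag in a trailing comment rather than to a tag such as @v1, because a tag can be moved after the fact; the same treatment applies to actions/checkout@v4 across all workflows in this PR.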
Copilot AI Apr 22, 2026

tim-actions/dco is referenced via @master, which is an unpinned floating ref. Pin this action to a specific release tag or (preferably) a commit SHA to avoid supply-chain risk and unexpected behavior changes.

Suggested change
- uses: tim-actions/dco@master
- uses: tim-actions/dco@v1
21 changes: 21 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,21 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Dependency Review

on:
pull_request:

permissions:
contents: read

jobs:
pip-audit:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
with:
inputs: "."
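Review bot: the workflow is named Dependency Review but its only job is pip-audit; GitHub's own dependency review action is not used, so either rename the workflow to say what it runs or add that action alongside pip-audit. Because inputs: "." resolves the project's dependencies fresh at every run and the repo carries no lock file, the audited set can differ from one run to the next and from what a user actually installs; committing a pinned requirements file and auditing it with pip-audit's --require-hashes gives a reproducible result. The same pip-audit job is declared again in python-security.yml, so one of the two should be dropped.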
Comment on lines +18 to +21
Copilot AI Apr 22, 2026

This pip-audit job doesn’t set up Python or install the project’s dependencies, and the repo doesn’t include a requirements/lock file. As written, inputs: "." is unlikely to audit the actual runtime dependency set. Consider setting up Python, installing the package (e.g. pip install -e .), and running pip-audit against the environment, or generate/provide a pinned requirements/lock file and audit that instead.

Suggested change
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
with:
inputs: "."
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.x"
- name: Install pip-audit and project dependencies
run: |
python -m pip install --upgrade pip
python -m pip install pip-audit
python -m pip install -e .
- name: Run pip-audit
run: python -m pip_audit
26 changes: 26 additions & 0 deletions .github/workflows/pylint.yml
@@ -0,0 +1,26 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Pylint

on: [push]

jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.11", "3.12"]
steps:
- uses: actions/checkout@v4
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pylint
pip install -e ".[dev]"
- name: Analysing the code with pylint
run: pylint redgnat/
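Review bot: on: [push] runs this lint on every push to every branch but never on pull_request, so a PR opened from a fork is not linted before merge; the other workflows in this PR use pull_request plus push to main with a concurrency: block, and this one should follow the same pattern. There is no permissions: block (compare dependency-review.yml), and the job name build is misleading for a lint job. pylint is installed unpinned with pip install pylint, so a new pylint release can change the outcome of pylint redgnat/ with no change in the repo; pinning it in the [dev] extra avoids that.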
28 changes: 28 additions & 0 deletions .github/workflows/python-lint-fast.yml
@@ -0,0 +1,28 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Python Fast Lint

on:
pull_request:
push:
branches: [main]

concurrency:
group: python-fast-lint-${{ github.ref }}
cancel-in-progress: true

jobs:
ruff:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run Ruff
uses: astral-sh/ruff-action@v3
with:
args: check .
- name: Check formatting
uses: astral-sh/ruff-action@v3
with:
args: format --check .
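Review bot: no permissions: block is set; add permissions: contents: read at the top as dependency-review.yml does. The two astral-sh/ruff-action@v3 steps each install ruff; one action step with args: check . followed by a run: step calling ruff format --check . does the same work once. Pin the ruff version the action uses (the action accepts a requested version), otherwise a new ruff release can fail the check without any code change, and pin the action itself to a commit SHA.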
44 changes: 44 additions & 0 deletions .github/workflows/python-security.yml
@@ -0,0 +1,44 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Python Security

on:
pull_request:
push:
branches: [main]
schedule:
- cron: "23 4 * * 1" # Mondays at 04:23 UTC

concurrency:
group: python-security-${{ github.ref }}
cancel-in-progress: true

jobs:
bandit:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install Bandit
run: pip install bandit
- name: Run Bandit
run: bandit -r redgnat/ -ll -x tests/

pip-audit:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
with:
inputs: "."
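Review bot: in bandit -r redgnat/ -ll -x tests/ the exclusion -x tests/ is a no-op, because the scan is rooted at redgnat/ and a top-level tests/ directory is never visited; if the intent is to skip test modules under redgnat/, point -x at that path, otherwise drop the flag. -ll also drops low-severity findings entirely rather than reporting them as non-blocking, which is worth a comment in the step so nobody assumes the job covers them. bandit is installed unpinned with pip install bandit, so the scheduled Monday run can change result on a tool release alone; pin the version, and pin the actions to commit SHAs as in the other workflows.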
Comment on lines +34 to +44
Copilot AI Apr 22, 2026

pip-audit is already configured to run on pull requests via .github/workflows/dependency-review.yml. Keeping a second PR-triggered pip-audit job here will run duplicate audits for every PR, increasing CI time and noise. Consider removing the PR trigger for one of them, or deleting one of the duplicate jobs and keeping a single source of truth.

Comment on lines +41 to +44
Copilot AI Apr 22, 2026

This pip-audit job doesn’t set up Python or install the project’s dependencies, and the repo doesn’t include a requirements/lock file. As written, inputs: "." is unlikely to audit the actual runtime dependency set. Consider setting up Python, installing the package (e.g. pip install -e .), and running pip-audit against the environment, or generate/provide a pinned requirements/lock file and audit that instead.

Suggested change
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
with:
inputs: "."
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install pip-audit
run: pip install pip-audit
- name: Install project dependencies
run: pip install -e .
- name: Run pip-audit
run: pip-audit
35 changes: 35 additions & 0 deletions .github/workflows/python-tests.yml
@@ -0,0 +1,35 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Python Tests

on:
pull_request:
push:
branches: [main]

concurrency:
group: python-tests-${{ github.ref }}
cancel-in-progress: true

jobs:
test:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
python-version: ["3.11", "3.12"]
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
cache: pip
- name: Upgrade pip
run: python -m pip install --upgrade pip
- name: Install package and test deps
run: pip install -e ".[dev]"
- name: Run tests
run: pytest -q
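Review bot: no permissions: block is set; add permissions: contents: read. cache: pip without a cache-dependency-path relies on the action locating a dependency file on its own, and the review comments on dependency-review.yml say the repo has no requirements file, so confirm the step neither fails nor produces a key that never changes; setting cache-dependency-path: pyproject.toml ties the key to the declared dependencies. The extras installed by pip install -e ".[dev]" are unpinned, so a red run on this matrix may be an upstream release rather than a change in this repo; a lock file for the dev environment makes failures attributable.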
31 changes: 31 additions & 0 deletions .github/workflows/python-typecheck.yml
@@ -0,0 +1,31 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Python Type Check

on:
pull_request:
push:
branches: [main]

concurrency:
group: python-typecheck-${{ github.ref }}
cancel-in-progress: true

jobs:
mypy:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: "3.11"
cache: pip
- name: Upgrade pip
run: python -m pip install --upgrade pip
- name: Install package and type deps
run: pip install -e ".[dev]"
- name: Run mypy
run: mypy redgnat/
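Review bot: actions/setup-python is referenced as @v6 here, in pylint.yml and in python-tests.yml, but as @v5 in python-security.yml and security-hygiene.yml; settle on one major version (preferably a commit SHA) so that action upgrades are a single reviewable change. No permissions: block is set. mypy redgnat/ takes its strictness from whatever pyproject.toml carries; if no [tool.mypy] section exists, mypy runs in its permissive default mode and the job passes on largely untyped code, so the intended strictness should be stated explicitly in the config this job relies on.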
29 changes: 29 additions & 0 deletions .github/workflows/security-hygiene.yml
@@ -0,0 +1,29 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Security Hygiene

on:
pull_request:
paths:
- "redgnat/techniques/**"
- "redgnat/engagement/**"
- "tests/unit/techniques/**"
- "tests/unit/engagement/**"
- ".github/workflows/security-hygiene.yml"
workflow_dispatch:

jobs:
hygiene:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -e ".[dev]"
- name: Run technique and engagement tests
run: pytest tests/unit/techniques/ tests/unit/engagement/ -q
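Review bot: pytest tests/unit/techniques/ tests/unit/engagement/ -q is a subset of what python-tests.yml already runs with pytest -q on every pull request, so on PRs touching these paths the same tests execute twice; unless this workflow enforces something the full run does not (for example a required status check that must run even when other checks are skipped), it duplicates work. The paths: filter also means a change to pyproject.toml or to redgnat/ outside techniques/ and engagement/ never triggers it, although such a change can break exactly these tests. No permissions: block is set, and the actions should be pinned to commit SHAs as elsewhere.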
29 changes: 29 additions & 0 deletions .github/workflows/semgrep.yml
@@ -0,0 +1,29 @@
# SPDX-License-Identifier: Apache-2.0
# Copyright 2026 Bill Halpin
---
name: Semgrep

on:
pull_request:
push:
branches: [main]
schedule:
- cron: "11 5 * * 3" # Wednesdays at 05:11 UTC

jobs:
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
permissions:
contents: read

steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
config: >-
p/python
p/security-audit
p/secrets
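Review bot: returntocorp/semgrep-action@v1 points at the old organisation name; Semgrep now publishes under the semgrep namespace and its CI documentation shows running semgrep ci inside the semgrep/semgrep container rather than this action, so confirm the action is still maintained before relying on it for the scheduled scan, and pin it (or the container image) to a commit SHA or digest. The folded config: list of p/python, p/security-audit and p/secrets is the documented form and reads correctly. This is the only workflow in the set with push and schedule triggers but no concurrency: block, so overlapping runs on the same ref are not cancelled; add one matching the other workflows. permissions: contents: read is the right scope here, since no SARIF upload to code scanning is performed.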