Skip to content

fix(detector): add SYS_GETFRAME detection for RED #42 #32

fix(detector): add SYS_GETFRAME detection for RED #42

fix(detector): add SYS_GETFRAME detection for RED #42 #32

Workflow file for this run

name: blue-pr-sync
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
- edited
permissions:
contents: read
pull-requests: read
concurrency:
group: blue-pr-sync-${{ github.event.pull_request.number }}
cancel-in-progress: true
jobs:
gate:
runs-on: ubuntu-latest
timeout-minutes: 10
outputs:
is_blue_submission: ${{ steps.gate.outputs.is_blue_submission }}
eligible_for_trusted_eval: ${{ steps.gate.outputs.eligible_for_trusted_eval }}
red_submission_id: ${{ steps.gate.outputs.red_submission_id }}
risk: ${{ steps.gate.outputs.risk }}
static_security_passed: ${{ steps.static.outputs.static_security_passed }}
steps:
- name: Checkout trusted default-branch automation code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
with:
ref: refs/heads/${{ github.event.repository.default_branch }}
persist-credentials: false
fetch-depth: 1
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
with:
python-version: "3.12"
- name: Check blue PR eligibility
id: gate
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
python scripts/github/blue_pr_gate.py \
--event-path "$GITHUB_EVENT_PATH" \
--github-token "$GITHUB_TOKEN" \
--output-json "$RUNNER_TEMP/blue-pr-gate.json"
- name: Upload blue PR gate result
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
with:
name: blue-pr-sync-gate-${{ github.event.pull_request.number }}
path: ${{ runner.temp }}/blue-pr-gate.json
if-no-files-found: error
retention-days: 7
- name: Checkout candidate PR for static security scan
if: steps.gate.outputs.eligible_for_trusted_eval == 'true'
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
with:
repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.sha }}
path: candidate
persist-credentials: false
fetch-depth: 1
- name: Static RCE security check
if: steps.gate.outputs.eligible_for_trusted_eval == 'true'
id: static
continue-on-error: true
run: |
python scripts/github/blue_pr_static_security.py \
--base-file kernelguard.py \
--candidate-file candidate/kernelguard.py \
--output-json "$RUNNER_TEMP/blue-pr-static-security.json"
- name: Upload static security result
if: steps.gate.outputs.eligible_for_trusted_eval == 'true'
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
with:
name: blue-pr-sync-static-security-${{ github.event.pull_request.number }}
path: ${{ runner.temp }}/blue-pr-static-security.json
if-no-files-found: error
retention-days: 7
- name: Reject blue PR with possible RCE risk
if: steps.gate.outputs.eligible_for_trusted_eval == 'true' && steps.static.outcome != 'success'
run: |
echo "Static security checks found possible RCE-capable changes."
echo "See the KernelGuard Blue PR Static Security summary for details."
exit 1
sync:
needs: gate
if: needs.gate.outputs.eligible_for_trusted_eval == 'true' && needs.gate.outputs.static_security_passed == 'true'
runs-on: ubuntu-latest
timeout-minutes: 10
environment: kernelguard-api-control-plane
steps:
- name: Checkout trusted default-branch automation code
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd
with:
ref: refs/heads/${{ github.event.repository.default_branch }}
persist-credentials: false
fetch-depth: 1
- name: Set up Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
with:
python-version: "3.12"
- name: Register or update blue PR submission in KernelGuard API
env:
KERNELGUARD_API_BASE_URL: ${{ secrets.KERNELGUARD_API_BASE_URL }}
KERNELGUARD_API_INTERNAL_TOKEN: ${{ secrets.KERNELGUARD_API_INTERNAL_TOKEN }}
run: |
test -n "$KERNELGUARD_API_BASE_URL"
test -n "$KERNELGUARD_API_INTERNAL_TOKEN"
python scripts/github/sync_blue_pr_submission.py \
--api-base-url "$KERNELGUARD_API_BASE_URL" \
--internal-token "$KERNELGUARD_API_INTERNAL_TOKEN" \
--event-path "$GITHUB_EVENT_PATH" \
--output-json "$RUNNER_TEMP/blue-pr-sync.json"