fix(detector): detect mutable default identity replay #382
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: blue-pr-sync | |
| on: | |
| pull_request_target: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - edited | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| concurrency: | |
| group: blue-pr-sync-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| gate: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| outputs: | |
| is_blue_submission: ${{ steps.gate.outputs.is_blue_submission }} | |
| eligible_for_trusted_eval: ${{ steps.gate.outputs.eligible_for_trusted_eval }} | |
| red_submission_id: ${{ steps.gate.outputs.red_submission_id }} | |
| risk: ${{ steps.gate.outputs.risk }} | |
| static_security_passed: ${{ steps.static.outputs.static_security_passed }} | |
| steps: | |
| - name: Checkout trusted default-branch automation code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd | |
| with: | |
| ref: refs/heads/${{ github.event.repository.default_branch }} | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 | |
| with: | |
| python-version: "3.12" | |
| - name: Check blue PR eligibility | |
| id: gate | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: | | |
| python scripts/github/blue_pr_gate.py \ | |
| --event-path "$GITHUB_EVENT_PATH" \ | |
| --github-token "$GITHUB_TOKEN" \ | |
| --output-json "$RUNNER_TEMP/blue-pr-gate.json" | |
| - name: Upload blue PR gate result | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a | |
| with: | |
| name: blue-pr-sync-gate-${{ github.event.pull_request.number }} | |
| path: ${{ runner.temp }}/blue-pr-gate.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Checkout candidate PR for static security scan | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd | |
| with: | |
| repository: ${{ github.event.pull_request.head.repo.full_name }} | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| path: candidate | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Static RCE security check | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| id: static | |
| continue-on-error: true | |
| run: | | |
| python scripts/github/blue_pr_static_security.py \ | |
| --base-file kernelguard.py \ | |
| --candidate-file candidate/kernelguard.py \ | |
| --output-json "$RUNNER_TEMP/blue-pr-static-security.json" | |
| - name: Upload static security result | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a | |
| with: | |
| name: blue-pr-sync-static-security-${{ github.event.pull_request.number }} | |
| path: ${{ runner.temp }}/blue-pr-static-security.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Reject blue PR with possible RCE risk | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' && steps.static.outcome != 'success' | |
| run: | | |
| echo "Static security checks found possible RCE-capable changes." | |
| echo "See the KernelGuard Blue PR Static Security summary for details." | |
| exit 1 | |
| sync: | |
| needs: gate | |
| if: needs.gate.outputs.eligible_for_trusted_eval == 'true' && needs.gate.outputs.static_security_passed == 'true' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| environment: kernelguard-api-control-plane | |
| steps: | |
| - name: Checkout trusted default-branch automation code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd | |
| with: | |
| ref: refs/heads/${{ github.event.repository.default_branch }} | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 | |
| with: | |
| python-version: "3.12" | |
| - name: Register or update blue PR submission in KernelGuard API | |
| env: | |
| KERNELGUARD_API_BASE_URL: ${{ secrets.KERNELGUARD_API_BASE_URL }} | |
| KERNELGUARD_API_INTERNAL_TOKEN: ${{ secrets.KERNELGUARD_API_INTERNAL_TOKEN }} | |
| run: | | |
| test -n "$KERNELGUARD_API_BASE_URL" | |
| test -n "$KERNELGUARD_API_INTERNAL_TOKEN" | |
| python scripts/github/sync_blue_pr_submission.py \ | |
| --api-base-url "$KERNELGUARD_API_BASE_URL" \ | |
| --internal-token "$KERNELGUARD_API_INTERNAL_TOKEN" \ | |
| --event-path "$GITHUB_EVENT_PATH" \ | |
| --output-json "$RUNNER_TEMP/blue-pr-sync.json" |