fix(detector): detect protocol class sentinel replay #413
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: blue-pr-prechecks | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| - edited | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| concurrency: | |
| group: blue-pr-prechecks-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| jobs: | |
| prechecks: | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 20 | |
| env: | |
| PIP_DISABLE_PIP_VERSION_CHECK: "1" | |
| PYTHONDONTWRITEBYTECODE: "1" | |
| steps: | |
| - name: Checkout trusted gate code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd | |
| with: | |
| ref: ${{ github.event.pull_request.base.sha }} | |
| path: trusted | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Set up Python | |
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 | |
| with: | |
| python-version: "3.12" | |
| - name: Check blue PR eligibility | |
| id: gate | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: | | |
| python trusted/scripts/github/blue_pr_gate.py \ | |
| --event-path "$GITHUB_EVENT_PATH" \ | |
| --github-token "$GITHUB_TOKEN" \ | |
| --output-json "$RUNNER_TEMP/blue-pr-gate.json" | |
| - name: Upload blue PR gate result | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a | |
| with: | |
| name: blue-pr-gate-${{ github.event.pull_request.number }} | |
| path: ${{ runner.temp }}/blue-pr-gate.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Reject ineligible blue PR | |
| if: steps.gate.outputs.is_blue_submission == 'true' && steps.gate.outputs.eligible_for_trusted_eval != 'true' | |
| run: | | |
| echo "This PR declares a KernelGuard blue submission but is not eligible for automatic trusted evaluation." | |
| echo "See the KernelGuard Blue PR Gate summary for the blocking reason." | |
| exit 1 | |
| - name: Checkout candidate PR | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd | |
| with: | |
| path: candidate | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - name: Static RCE security check | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| id: static | |
| continue-on-error: true | |
| run: | | |
| python trusted/scripts/github/blue_pr_static_security.py \ | |
| --base-file trusted/kernelguard.py \ | |
| --candidate-file candidate/kernelguard.py \ | |
| --output-json "$RUNNER_TEMP/blue-pr-static-security.json" | |
| - name: Upload static security result | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a | |
| with: | |
| name: blue-pr-static-security-${{ github.event.pull_request.number }} | |
| path: ${{ runner.temp }}/blue-pr-static-security.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Reject blue PR with possible RCE risk | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' && steps.static.outcome != 'success' | |
| run: | | |
| echo "Static security checks found possible RCE-capable changes." | |
| echo "See the KernelGuard Blue PR Static Security summary for details." | |
| exit 1 | |
| - name: Install package | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| working-directory: candidate | |
| run: | | |
| python -m pip install --upgrade pip | |
| python -m pip install -e ".[api]" | |
| - name: Compile core Python entrypoints | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| working-directory: candidate | |
| run: | | |
| python -m py_compile kernelguard.py kernelguard_api.py | |
| - name: Smoke test lightweight API startup | |
| if: steps.gate.outputs.eligible_for_trusted_eval == 'true' | |
| working-directory: candidate | |
| run: | | |
| python - <<'PY' | |
| import kernelguard_api | |
| app = kernelguard_api.build_app() | |
| print(sorted(route.path for route in app.routes)) | |
| PY |