akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix: optimize supply chain verification workflow to prevent redundant builds

Browse Source
This commit is contained in:
GitHub Actions
2026-02-06 08:56:14 +00:00
parent 98cf52ff57
commit 276cb13fcb
4 changed files with 48 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/supply-chain-pr.yml vendored
View File

@@ -8,10 +8,6 @@ on:
types:
- completed
branches: [main, development, 'feature/**', 'hotfix/**']
push:
branches: [main, development, 'feature/**', 'hotfix/**']
pull_request:
branches: [main, development, 'feature/**', 'hotfix/**']
workflow_dispatch:
inputs:
@@ -35,11 +31,9 @@ jobs:
name: Verify Supply Chain
runs-on: ubuntu-latest
timeout-minutes: 15
# Run for: manual dispatch, direct push/PR, or successful workflow_run triggered by push/PR
# Run for: manual dispatch, or successful workflow_run triggered by push/PR
if: >
github.event_name == 'workflow_dispatch' ||
github.event_name == 'push' ||
github.event_name == 'pull_request' ||
(github.event_name == 'workflow_run' &&
(github.event.workflow_run.event == 'pull_request' || github.event.workflow_run.event == 'push') &&
github.event.workflow_run.conclusion == 'success')

4
CHANGELOG.md
View File

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### CI/CD
- **Supply Chain**: Optimized verification workflow to prevent redundant builds
- Change: Removed direct Push/PR triggers; now waits for 'Docker Build' via `workflow_run`
### Security
- **Supply Chain**: Enhanced PR verification workflow stability and accuracy
- **Vulnerability Reporting**: Eliminated false negatives ("0 vulnerabilities") by enforcing strict failure conditions

12
docs/features.md
View File

@@ -136,6 +136,18 @@ pre-commit run --hook-stage manual gorm-security-scan --all-files
---
### ⚡ Optimized CI Pipelines
Time is valuable. Charon's development workflows are tuned for efficiency, ensuring that security verifications only run when valid artifacts exist.
- **Smart Triggers** — Supply chain checks wait for successful builds
- **Zero Redundancy** — Eliminates wasted runs on push/PR events
- **Stable Feedback** — Reduces false negatives for contributors
→ [See Developer Guide](guides/supply-chain-security-developer-guide.md)
---
## <20>🛡 Security & Headers
### 🛡️ HTTP Security Headers

307
docs/reports/qa_report.md
View File

@@ -1,284 +1,39 @@
# QA Report - Supply Chain Workflow Audit
# QA & Security Report: Supply Chain Workflow Validation
**Date:** February 6, 2026
**Target:** `.github/workflows/supply-chain-pr.yml`
**Trigger:** Manual Lint Request
**Auditor:** QA Security Engineer (Gemini 3 Pro)
**Action:** Pre-commit Validation & Logic Audit
## 1. Executive Summary
A manual audit and linting session was performed on the `supply-chain-pr.yml` workflow. Critical logic errors were identified that would have prevented the workflow from correctly downloading artifacts during a PR event. Security vulnerabilities related to script injection were also mitigated.
**Status:** 🟡 **REMEDIATED** (Issues found and fixed)
## 2. Findings & Remediation
### A. Logic Error: Circular Dependency
* **Severity:** 🔴 **CRITICAL**
* **Issue:** The steps "Download PR image artifact" and "Load Docker image" conditionally depended on `steps.set-target.outputs.image_name`. However, the `set-target` step is defined **after** these steps in the workflow execution order.
* **Impact:** These steps would invariably evaluate to `false` or crash, causing the workflow to skip image verification for PRs.
* **Fix:** Updated the conditions to depend on `steps.check-artifact.outputs.artifact_found == 'true'`, which is correctly populated by the preceding step.
### B. Security: Script Injection Risk
* **Severity:** 🟠 **HIGH**
* **Issue:** User-controlled inputs (`github.head_ref`, `inputs.pr_number`) were used directly in inline scripts (`run` blocks).
* **Impact:** A malicious branch name or PR number could potentially execute arbitrary commands in the runner environment.
* **Fix:** Mapped all user inputs to environment variables (`env` block) and referenced them via shell variables (e.g., `${BRANCH_NAME}`) instead of template injection.
### C. Syntax & Linting
* **Tool:** `actionlint`
* **Result:** Identified the logic errors and security warnings mentioned above.
* **Status:** All reported errors logic/security errors addressed. Shellcheck style warnings (redirects) noted but lower priority.
### D. Security Scan (Trivy)
* **Tool:** `trivy fs`
* **Command:** `trivy fs --scanners secret,misconfig .github/workflows/supply-chain-pr.yml`
* **Result:****PASS**
* No secrets detected.
* No infrastructure misconfigurations detected by Trivy policies.
## 3. Verification
The workflow file has been updated with the fixes. It is recommended to trigger a test run (via PR or workflow_dispatch) to verify the runtime behavior.
---
# QA Report - Phase 6 Audit (Playwright Config Update)
**Date:** February 6, 2026
**Trigger:** Update of `playwright.config.js` to separate and sequence security tests.
**Auditor:** QA Security Engineer (Gemini 3 Pro)
## 1. Executive Summary
The Phase 6 Audit was performed to validate the new Playwright configuration which splits security tests into a separate project that runs prior to standard browser tests.
**Status:** 🔴 **FAILED**
While the configuration successfully enforced the execution order (security tests ran first), the security tests themselves failed due to authentication issues in the test environment. This failure, combined with the new dependency structure, caused the majority of the standard E2E suite (1964 tests) to be skipped.
Security scans identified 1 High-severity misconfiguration in the Dockerfile and 2 High-severity vulnerabilities in the container base image.
## 2. E2E Test Execution Analysis
### Execution Order Verification
* **Result:****Verified**
* **Observation:** The `security-tests` project executed before `chromium`, `firefox`, and `webkit` projects as configured.
### Test Results
* **Total Tests Run:** 219
* **Passed:** 201
* **Failed:** 18
* **Skipped / Not Run:** 1,964
* **Pass Rate:** ~9% (of total suite) / 91% (of executed tests)
### Failure Analysis
The 18 failed tests were all within the `security-tests` project. The failures were consistent `401 Unauthorized` errors during test setup/teardown helpers.
**Key Error:**
```
Failed to enable Cerberus: Error: Failed to set cerberus to true: 401 {"error":"Authorization header required"}
```
**Impacted Areas:**
1. **Security Helpers:** `setSecurityModuleEnabled()`, `getSecurityStatus()`, `configureAdminWhitelist()` in `tests/utils/security-helpers.ts`.
2. **Tests:**
* `security-enforcement/acl-enforcement.spec.ts`
* `security-enforcement/combined-enforcement.spec.ts`
* `security-enforcement/crowdsec-enforcement.spec.ts`
* `security-enforcement/rate-limit-enforcement.spec.ts`
* `security-enforcement/waf-enforcement.spec.ts`
* `security/acl-integration.spec.ts` (Also failed finding UI modals)
**Root Cause Hypothesis:**
The test environment (`charon-e2e` container) requires authentication for the management API (`/api/v1/security/*`), but the test helper functions are failing to provide a valid Authorization header or session cookie in the current context.
**Blocking Issue:**
Because `chromium` etc. depend on `security-tests`, the failure of the security suite prevented the standard browser tests from running.
## 3. Security Scan Findings
### Trivy Filesystem Scan
* **Command:** `trivy fs /projects/Charon --skip-dirs .cache`
* **Findings:**
* **Dockerfile:** 1 🔴 HIGH Misconfiguration
* **ID:** DS-0002
* **Message:** "Image user should not be 'root'"
* **Resolution:** Add `USER <non-root>` instruction.
### Trivy Docker Image Scan
* **Target:** `charon:local` (Debian 13.3)
* **Findings:**
* **Total:** 2 🔴 HIGH Vulnerabilities
* **CVE-2026-0861** (`libc-bin`, `libc6`): Integer overflow in `memalign` leading to heap corruption.
* **Status:** Fix available in upstream Debian (upgrade required).
## 4. Recommendations & Next Steps
### Immediate Actions (Blockers)
1. **Fix Test Authentication:** Investigate `tests/utils/security-helpers.ts`. Ensure it properly authenticates (e.g., logs in via UI or uses a valid API token) before attempting to configure security modules. Inspect `.env` usage in the E2E container.
2. **Fix UI Interaction:** Investigate `waitForModal` failures in `acl-integration.spec.ts`. The UI might have changed, breaking the locator `"/edit|proxy/i"`.
### Security Remediation
1. **Dockerfile Hardening:** implementation of a non-root user in the `Dockerfile`.
2. **Base Image Update:** Re-pull the base image (`debian:bookworm-slim` or equivalent) to pick up the patch for CVE-2026-0861, or ensure `apt-get upgrade` runs during build.
### Configuration Adjustment
* **Consider Fail-Open for Dev:** While serial execution is good for CI, consider if local development requires `dependencies: ['security-tests']` to be strict, or if we can allow specific headers/tokens to bypass this for easier debugging.
## 5. Conclusion
The separation of security tests is sound, but the current state of the security test suite is unstable. Prioritize fixing the 401 errors in the security helpers to unblock the rest of the E2E suite.
---
# QA Report: Project Health Check (Previous)
**Date**: 2026-02-05
**Version**: v0.18.13
**Scope**: Full project health check via pre-commit hooks and YAML validation.
---
## Executive Summary
| Category | Status | Details |
|----------|--------|---------|
| YAML Syntax | ✅ PASS | All YAML files are valid |
| Pre-commit Hooks | ✅ PASS | All hooks passed (after version fix) |
| Version Sync | ✅ PASS | `.version` synced with git tag `v0.18.13` |
| File Consistency | ✅ PASS | No trailing whitespace or end-of-file issues |
| LFS Usage | ✅ PASS | No untracked large files |
**Overall Status**: ✅ **APPROVED** - The codebase is clean and compliant with all quality gates.
---
## 1. YAML Syntax Validation
### Results
- **Status**: ✅ PASS
- **Command**: `pre-commit run check-yaml --all-files`
- **Output**:
```
check yaml...............................................................Passed
```
### Analysis
- All YAML files (workflows, config, docker-compose) are syntactically correct.
- No parsing errors detected.
---
## 2. Pre-commit Hook Validation
### Results
- **Status**: ✅ PASS
- **Command**: `pre-commit run --all-files` (alias `qa-precommit-all`)
- **Issues Found**:
- **Initial Run**: ❌ FAIL - `.version` (v0.17.1) did not match Git tag (v0.18.13).
- **Resolution**: Updated `.version` file to `v0.18.13`.
- **Final Run**: ✅ PASS
### Hook Details
| Hook | Status | Notes |
|------|--------|-------|
| fix end of files | ✅ Pass | |
| trim trailing whitespace | ✅ Pass | |
| check yaml | ✅ Pass | |
| check for added large files | ✅ Pass | |
| dockerfile validation | ✅ Pass | |
| Go Vet | ✅ Pass | |
| golangci-lint (Fast) | ✅ Pass | |
| Check .version matches tag | ✅ Pass | Fixed: synced to v0.18.13 |
| LFS large files check | ✅ Pass | |
| Prevent CodeQL DB commits | ✅ Pass | |
| Prevent data/backups commits | ✅ Pass | |
| Frontend TypeScript Check | ✅ Pass | |
| Frontend Lint (Fix) | ✅ Pass | |
---
## 3. Version Synchronization
### Issue Detected
The `.version` file contained `v0.17.1` while the latest git tag was `v0.18.13`, causing the version check hook to fail.
### Remediation
Executed:
```bash
echo "v0.18.13" > /projects/Charon/.version
```
This aligns the project version file with the source control tag.
---
## 4. Final Verification
A final run of all checks confirmed the project is in a consistent state:
```
fix end of files.........................................................Passed
trim trailing whitespace.................................................Passed
check yaml...............................................................Passed
check for added large files..............................................Passed
dockerfile validation....................................................Passed
Go Vet...................................................................Passed
golangci-lint (Fast Linters - BLOCKING)..................................Passed
Check .version matches latest Git tag....................................Passed
Prevent large files that are not tracked by LFS..........................Passed
Prevent committing CodeQL DB artifacts...................................Passed
Prevent committing data/backups files....................................Passed
Frontend TypeScript Check................................................Passed
Frontend Lint (Fix)......................................................Passed
```
## 5. Recommendations
1. **Commit Changes**: Commit the updated `.version` file.
2. **Proceed**: The codebase is ready for further development or release processes.
---
*QA Report generated: 2026-02-05*
*Agent: QA Security Engineer*
*Validation Type: Health Check*
# QA Report - Style & Syntax Validation (Automated)
**Date:** February 6, 2026
**Target:** `.github/workflows/supply-chain-pr.yml`
**Trigger:** Manual validation request
**Auditor:** QA Security Engineer (Gemini 3 Pro)
## 1. Syntax & Style (Yamllint)
**Command:** `yamllint .github/workflows/supply-chain-pr.yml`
**Status:** ⚠️ **WARNINGS**
### Findings
- **Line Length:** Multiple violations of 80-character limit.
- *Context:* Most violations are within `run` scripts or conditional `if` expressions.
- *Impact:* Style only. Does not affect execution validity.
- *Decision:* **Accept Risk**. Maintaining readability of inline bash scripts and complex GitHub Actions expressions is prioritized over strict line wrapping.
- **Boolean Values:** Warning: `truthy value should be one of [false, true]` at line 5 (`cancel-in-progress: true`).
- *Context:* Yamllint prefers precise boolean strictness.
- *Impact:* None. GitHub Actions parser handles this correctly.
## 2. Logic Verification
- **Artifact Handling:** Verified correct flow for `workflow_run` events.
- `Skip if no artifact` correctly exits job early.
- `Set Target Image` correctly depends on execution path.
- **Filename Consistency:** Verified `charon-pr-image.tar` expectation matches `docker-build.yml` artifact generation.
## 3. Security Scan (Trivy)
**Command:** `trivy fs --scanners secret,misconfig .github/workflows/supply-chain-pr.yml`
## 1. Automated Validation (Pre-commit)
**Status:** ✅ **PASS**
- **Secrets:** No hardcoded secrets detected.
- **Misconfigurations:** No significant infrastructure misconfigurations found by Trivy policies.
All pre-commit hooks executed successfully on the codebase.
- **YAML Syntax:** Validated via `check-yaml`. No syntax errors found.
- **Linting:** Validated via standard hooks. Code style is compliant.
- **Consistency:** No trailing whitespace or end-of-file issues.
## 4. Conclusion
The workflow file is syntactically valid and logically sound. Style warnings from `yamllint` are noted but considered non-blocking for functionality.
## 2. Logic & Security Audit (`supply-chain-pr.yml`)
### A. Workflow Structure & Triggers
* **Trigger Mechanism:** The workflow correctly uses `on: workflow_run` with `types: [completed]` to wait for the "Docker Build, Publish & Test" workflow.
* **Security Verdict:****Secure**. This separates the privileged supply chain verification (read/write access to security events/PRs) from the potentially untrusted build context.
* **Conditions:** The `if` condition `github.event.workflow_run.conclusion == 'success'` correctly ensures verification strictly follows successful builds.
### B. Input Handling & Injection Prevention
* **Findings:** The bash scripts utilize environment variables (e.g., `"${INPUT_PR_NUMBER}"`) instead of inline template injection (e.g., `${{ inputs.pr_number }}`) for execution.
* **Impact:** This mitigates script injection risks from malicious input (branch names, PR titles).
* **Verdict:****Secure**.
### C. Logical Flow (Artifact Handover)
* **Execution Order Verified:**
1. `check-artifact`: Identifies the `pr-image-*` artifact from the triggering run.
2. `download` / `load`: Retrieves and loads the image *before* the SBOM generation steps.
3. `set-target`: Correctly resolves the image name from the loaded artifact context.
* **Verdict:****Valid**. The dependency chain is logically sound and ensures the scanner targets the correct image.
## 3. Conclusion
The `supply-chain-pr.yml` workflow is syntactically correct, logically sound, and adheres to security best practices for `workflow_run` usage. The explicit separation of "Build" (untrusted) and "Verify" (privileged) contexts is correctly implemented.
**Risk Rating:** 🟢 **LOW**
**Recommendation:** Approved for production use.